[DNSfirewalls] Using DnsTap to populate a reverse DNS RPZ

Fred Morris m3047 at m3047.net
Fri Mar 19 19:57:42 UTC 2021

This is a tactical defender-centric tool, intended to augment everyday 
tools' usability, e.g. "iptables -L -v". It's an RPZ, but it's not a ban 

On Fri, 19 Mar 2021, Andrew Fried wrote:
> [...]
> You will often see generic 4-3-2-1.some.domain ptr records despite an
> actual host/domain points at the ip, particularly in cloud environments.

Exactly the point!

> Furthermore, a rewrite triggered by some query won't necessarily match
> the ptr record, especially if the query was for a hostname but the
> rewrite triggered, for example, on a bad nameserver.

As much sense as I can make out of that, not sure it applies since these 
tools are blessedly stupid or at least unimaginative and are going to do 
"normal, unsurprising" PTR lookups. Therefore it would be surprising for 
one of those queries to stumble upon a nameserver.

The objective is also not to import "all the things", although I really 
hadn't thought about expiry. This is implicitly about "did someone here 
resolve something to this address?"


Fred Morris

More information about the DNSfirewalls mailing list