[DNSfirewalls] A non RPZ DNS firewall question
Paul Vixie
paul at redbarn.org
Sat Jul 30 00:35:40 UTC 2022
Francis Turner via DNSfirewalls wrote on 2022-07-29 16:52:
> At least I don’t think it’s an RPZ question because I don’t believe it
> is part of the spec.
right.
>
> Is it possible in Bind or other DNS servers to filter based on RRTYPE
> e.g. always replying NXDOMAIN to TXT queries or for that matter to other
> arbitrary TYPEXX queries?
not easily though it's common in load balancers (which are buggy).
nxdomain is about the name and can't depend on the type. yet:
https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0004.md
> We have some customers who are seeing their
> public recursive DNS servers being abused by queries of this sort. It’s
> possibly DDOS, it’s possible DNS Tunnelling, it may be some other abuse
> but either way they want it to stop – at least from certain users of
> their servers. Unfortunately neither they, nor I, can think of a good
> way to do this
i suggest posting a dnscap trace to dns-operations@ to get more eyes on it.
--
P Vixie