Selective filtering of multi-address answers

Andris Kalnozols andris at hpl.hp.com
Sun Jun 10 03:23:03 UTC 2012


I have the following issue:

   * A domain name which our organization does not control is used
     for authentication.  It returns 40 A records which point to
     various MS Active Directory servers throughout the company.

   * A few of these A records point to non-functioning hosts and
     cause delays for clients which have the bad luck to encounter
     a bad server as the first A record in their DNS response.

The BIND 9.9.1 ARM describes two methods of content filtering:

   deny-answer-addresses
   ---------------------
   This is an all-or-nothing feature that returns a SERVFAIL response
   if *any* address in its match list is returned in the answer
   section.  No selective filtering seems possible.

   response-policy
   ---------------
   I configured a simple RPZ as follows:

      options {
               ...
               response-policy { zone "hpl-rpz"; };
      };
      zone "hpl-rpz" {
              type master;
              file "db.hpl-rpz";
              allow-query { localhost; };
      };

   The RPZ zone has the following policy records:

     32.121.184.205.16.rpz-ip       CNAME   *.           ; NODATA
     32.24.52.228.16.rpz-ip         CNAME   *.
     8.0.0.0.16.rpz-ip              CNAME   8.0.0.0.16.  ; PASSTHRU

   Again, this functions as an all-or-nothing filter with or without
   the passthru record.  A NODATA response is returned for the domain
   name instead of an answer with 38 good A records.

I don't want to go down the road of hardcoding my resolvers to be
authoritative for this domain name.  Is RPZ or some other BIND
feature capable of telling little white lies of omission or just
big whoppers when it comes to domain names with multiple addresses?

------
Andris
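The post's rpz-ip triggers use the reversed-octet owner-name encoding (prefix length first, then the address octets in in-addr.arpa order). The following added Python example, not part of the original post or of BIND, decodes those trigger names, parses the three policy records quoted above, and contrasts the response-wide outcome the poster observed (one NODATA trigger hit blanks the whole answer) with the selective per-record filtering the poster is asking for. The answer addresses are constructed sample values, the policy model is a simplification of BIND's precedence rules, and `rpz-passthru.` is the spelling later BIND releases use for the PASSTHRU target.

```python
import ipaddress
from dataclasses import dataclass

RPZ_IP_SUFFIX = ".rpz-ip"

# Policy records copied from the post; the trailing comments are the
# intended actions.
POLICY_ZONE = """\
32.121.184.205.16.rpz-ip       CNAME   *.           ; NODATA
32.24.52.228.16.rpz-ip         CNAME   *.
8.0.0.0.16.rpz-ip              CNAME   8.0.0.0.16.  ; PASSTHRU
"""

# Constructed answer set standing in for the 40-record response: two
# addresses that the NODATA triggers cover and two that are "good".
SAMPLE_ANSWERS = ["16.205.184.121", "16.228.52.24", "16.1.2.3", "16.9.9.9"]


@dataclass
class Trigger:
    network: ipaddress.IPv4Network
    action: str  # "NODATA" or "PASSTHRU"


def decode_rpz_ip(owner: str) -> ipaddress.IPv4Network:
    """Turn '<prefix>.<o4>.<o3>.<o2>.<o1>.rpz-ip' into an IPv4 network.
    The octets are reversed in the owner name, exactly as in in-addr.arpa,
    so '32.121.184.205.16.rpz-ip' means 16.205.184.121/32."""
    name = owner.rstrip(".")
    if not name.endswith(RPZ_IP_SUFFIX):
        raise ValueError(f"not an rpz-ip trigger: {owner}")
    labels = name[: -len(RPZ_IP_SUFFIX)].split(".")
    if len(labels) != 5:
        raise ValueError(f"expected prefix length plus four octets: {owner}")
    prefix = int(labels[0])
    octets = ".".join(reversed(labels[1:]))
    return ipaddress.IPv4Network(f"{octets}/{prefix}", strict=False)


def parse_policy(zone_text: str) -> list:
    """Parse 'owner CNAME target' policy lines into Trigger objects.
    'CNAME *.' is the NODATA action; a CNAME back to the owner name (the
    form in the post) or to 'rpz-passthru.' is PASSTHRU."""
    triggers = []
    for raw in zone_text.splitlines():
        line = raw.split(";")[0].strip()  # drop zone-file comments
        if not line:
            continue
        owner, rrtype, target = line.split()
        if rrtype.upper() != "CNAME":
            raise ValueError(f"unsupported policy record: {raw}")
        owner_prefix = owner[: -len(RPZ_IP_SUFFIX)].rstrip(".")
        if target == "*.":
            action = "NODATA"
        elif target.rstrip(".") in (owner_prefix, "rpz-passthru"):
            action = "PASSTHRU"
        else:
            raise ValueError(f"unrecognised policy target: {raw}")
        triggers.append(Trigger(decode_rpz_ip(owner), action))
    return triggers


def best_trigger(addr: str, triggers: list):
    """Longest-prefix match for one answer address, or None."""
    ip = ipaddress.IPv4Address(addr)
    hits = [t for t in triggers if ip in t.network]
    return max(hits, key=lambda t: t.network.prefixlen) if hits else None


def rpz_outcome(answers: list, triggers: list) -> tuple:
    """Model of the all-or-nothing behaviour described in the post: the
    policy chosen for any single address is applied to the whole response,
    so one NODATA hit yields an empty answer for the entire name."""
    actions = set()
    for addr in answers:
        hit = best_trigger(addr, triggers)
        if hit is not None:
            actions.add(hit.action)
    if "NODATA" in actions:
        return "NODATA", []
    if "PASSTHRU" in actions:
        return "PASSTHRU", list(answers)
    return "NONE", list(answers)


def selective_filter(answers: list, triggers: list) -> list:
    """The per-record behaviour the poster wants: drop only the addresses
    whose longest-prefix trigger says NODATA and keep everything else."""
    kept = []
    for addr in answers:
        hit = best_trigger(addr, triggers)
        if hit is None or hit.action != "NODATA":
            kept.append(addr)
    return kept


if __name__ == "__main__":
    policy = parse_policy(POLICY_ZONE)
    print("response-wide RPZ:", rpz_outcome(SAMPLE_ANSWERS, policy))
    print("selective filter: ", selective_filter(SAMPLE_ANSWERS, policy))
```

Running the script shows the two behaviours side by side: the response-wide model returns `('NODATA', [])` even though the `/8` PASSTHRU trigger covers every address, because the `/32` NODATA triggers are more specific for the two bad hosts, while the selective filter keeps the two remaining addresses.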
