Question about BIND and RPZ
Vadim Pavlov
pvm_job at mail.ru
Sat Aug 4 16:27:29 UTC 2018
Hi Felipe,
You do need to do that. You may configure redirect action on a zone level. Just add "policy cname domain"
[ response-policy {
zone zone_name
[ policy ( given | disabled | passthru | drop |
tcp-only | nxdomain | nodata | cname domain ) ]
[ recursive-only yes_or_no ]
[ max-policy-ttl number ] ;
...
}
E.g.
response-policy {zone "badlist" cname www.wgarden.com;};
BR,
Vadim
> On 04 Aug 2018, at 06:52, Felipe Arturo Polanco <felipeapolanco at gmail.com> wrote:
>
> Hi,
>
> I have a question regarding BIND and its RPZ functionality.
>
> We are using a DNS provider that blocks malware by returning an NXDOMAIN response back whenever a match is found.
>
> The way they differentiate between real non-existent websites vs malware sites is by turning off the 'recursion available' bit in the NXDOMAIN response, non-existent sites do have this bit turned on.
>
> Is there a way to match this flag in an RPZ policy to redirect malware sites response to a wall garden website while not matching real non-existent websites?
>
> Thanks,
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20180804/ea6d85fd/attachment.html>
More information about the bind-users
mailing list