Selective resolution in a corporate environment

Tue Feb 5 18:23:37 UTC 2013

I did not know about RPZ Here is a good configuration example:

http://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zones-rpz/

IMHO (and I am really nobody) THIS IS WRONG! BAD BAD BAD! Your giving companies the ability to selective lie about DNS without the end user knowing it. Unfortunately (and I have the heights and greatest respect for Paul) but after reading this http://www.isc.org/community/blog/201007/taking-back-dns-0 I can only think of one thing. China.

You just handed DNS on a silver platter to oppressive governments and corporations.

RBL's were great because they block unsolicited email. They user did not request it, but it was sent to their email when it was exposed.

with RPZ, a user makes a request, and being re-directed. Paul, no matter what you do, you will never be-able to technologically over come dumb or malicious users, especially since 99% of all corporate espionage/hacks are done internally, by a user with full access so.... 

We are a small company (so again I apologies for my naivete) but the real solutions is well informed users, a good corporate policy, which makes sure user are aware of and held accountable for their clicks. 

I mean Imagine if your GPS device took you to a different restaurant cause to thought the food was better.

Sorry for getting off topic and ranting, but these are the kinds of techs that make the hair on my neck stand up.

Date: Tue, 5 Feb 2013 15:52:51 +0000
Subject: Re: Selective resolution in a corporate environment
From: wongsky.monkey at gmail.com
To: bind-users at lists.isc.org

> From: Phil Mayers p.mayers at imperial.ac.uk> To: bind-users at lists.isc.org,
> Date: 05/02/2013 15:44> Subject: Re: Selective resolution in a corporate environment> 

> On 05/02/13 15:36, funky monkey wrote:

> 

> > Could you sandwich that in a forwarding chain - say have a bind

> > 9.<compliant version> in between your normal forwarders to internet, and

> > does it just look fo rthe entries you've specified as either alternate

> > data or does not exist, but otherwise, carries on to forward to an

> > authoritative (or cached, I suppose) version of the domain in question?

> 

> Not entirely sure what you're asking, but I don't see any reason you 

> couldn't use "forwarders { ... };" to point to an RPZ-enabled server, 

> which would be handy to retrofit into bind < 9.8 installations. Sorry, should have probably explained my scenario better... my internal nameservers have a sort of top level (placeholder domain) that are Windows DNS servers, that forward out internet DNS servers for public DNS and anything not resolved internally (by means of either conditional forwarding, or stub zones). All other DNS environments in the organisation (be the BIND or Windows DNS, forward to these 2 "top level" (internal) DNS servers, and only they talk DNS through the firewall to internet DNS.
 So what I meant was for these 2 DNS servers that go on to forward to the internet, rather than directly forwarding to the internet, forwarding to one (or more) RPZ enabled BIND 9.x servers, which in turn forward on to the internet for anything not specified locally. So say I wanted to resolve fred.domain.com. from something internal, and only www.domain.dom. was specified (kind of as subversion) on these RPZ servers, that not finding a match, they would carry on to attempt to resolve fred.domain.com. from the authoriative domain.com. nameservers (or the first intermediate DNS server that happens to be caching).
 Hope I've asked that in a bit of a clearer manner! Cheers

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20130205/9268aa3d/attachment.html>