Blocking private addresses with an option
Vernon Schryver
vjs at rhyolite.com
Thu Mar 14 19:26:26 UTC 2013
> From: "Lawrence K. Chen, P.Eng." <lkchen at ksu.edu>
> ... So, being able to filter out these 'bad' things when responding
> queries against that data might be a good thing.
RPZ might be used for such things. However, by design RPZ rewrites
entire responses. It is triggered by individual records in a response,
but changes the entire response and not just individual records within
the response.
To use RPZ for such filtering, you would probably use views with
a response-policy{} statement in the external view to be filtered.
The RPZ rules could be triggered by rpz-ip records for 10.0.0.0/8 or
similar. The rules might rewrite responses to a CNAME or to sets of
A and AAAA records suitable for outsiders. That sounds a lot more
fragile and error prone than distinct zones for insiders and outsiders
specified in the view statements. However, RPZ might be good as a
failsafe against leaks (perhaps rewriting to NXDOMAIN).
Vernon Schryver vjs at rhyolite.com
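The views-plus-RPZ failsafe sketched in the reply above, written out as a constructed BIND 9 configuration. This is an added example, not Vernon's text and not anything from the BIND distribution; the view names, the zone names `corp.example` and `rpz.example`, and the file names are placeholders. The only mechanics it relies on are the ones the message names: a `response-policy{}` statement in the external view, `rpz-ip` trigger records for the RFC 1918 prefixes, and a rewrite to NXDOMAIN (`CNAME .`). One detail not in the message: `response-policy` rewrites only responses to recursive queries unless `recursive-only no` is set, so an authoritative external view needs that option or the rule never fires.

```conf
// ---- named.conf (excerpt; constructed example, names are placeholders) ----
// "internal" serves the full zone to inside clients. "external" serves
// the same zone to the world, with RPZ as a failsafe: any answer that
// still carries an RFC 1918 address is rewritten to NXDOMAIN.

acl internal-nets { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; 127.0.0.1; };

view "internal" {
    match-clients { internal-nets; };
    recursion yes;
    zone "corp.example" { type master; file "db.corp.example.internal"; };
};

view "external" {
    match-clients { any; };
    recursion no;

    // policy given: take the action from each record in the policy zone.
    // recursive-only no: apply RPZ to authoritative answers too; with the
    // default (yes) this view's answers would never be rewritten.
    response-policy {
        zone "rpz.example" policy given;
    } recursive-only no;

    zone "corp.example" { type master; file "db.corp.example.external"; };

    // The policy zone has to be loaded in the view that references it.
    zone "rpz.example" {
        type master;
        file "db.rpz.example";
        allow-query { none; };   // policy data is not for clients to read
    };
};

// Log every rewrite: a hit here is a leak the zone split did not catch.
logging {
    channel rpz_log { file "rpz.log" versions 3 size 5m; print-time yes; };
    category rpz { rpz_log; };
};

; ---- db.rpz.example (constructed example) ----
; rpz-ip triggers are owner names of the form
;   <prefix-length>.<IPv4 octets in reverse order>.rpz-ip
; and match A/AAAA records in the answer section of a response.
$TTL 1H
@       IN SOA  localhost. hostmaster.rpz.example. ( 1 1h 15m 30d 2h )
        IN NS   localhost.

; RFC 1918 ranges: "CNAME ." rewrites the whole response to NXDOMAIN.
8.0.0.0.10.rpz-ip        CNAME .
12.0.0.16.172.rpz-ip     CNAME .
16.0.0.168.192.rpz-ip    CNAME .

; Alternatives mentioned in the reply: "CNAME *." gives NODATA instead,
; and A/AAAA records placed here instead of the CNAME would substitute
; an outsider-facing address set for the leaked one.
```

Check the pieces with `named-checkconf` and `named-checkzone rpz.example db.rpz.example` before reloading. The `rpz` logging category is the detection side: with the zone split doing the real work, the policy zone should almost never match, so any entry in `rpz.log` points at a record that was published in the external copy of the zone by mistake.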