SERVFAIL takes precedence before RPZ policy action

Daniel Stirnimann daniel.stirnimann at switch.ch
Fri Sep 2 18:03:30 UTC 2016


>> We maintain a block list with RPZ on our BIND resolvers. I noticed that
>> the RPZ policy action does not apply for domain names which SERVFAIL
>> (i.e. cannot be resolved by the resolver because of a timeout, lame
>> delegation etc.).
> 
> RPZ applies to responses not queries.
> 
> You can override this with "qname-wait-recurse" IIRC.

Thank you, that works for BIND >= 9.10.

Though, I question the usefulness of this option because of the
following restriction:

"The option does not affect QNAME or client-IP triggers in policy zones
listed after other zones containing IP, NSIP and NSDNAME triggers,
because those may depend on the A, AAAA, and NS records that would be
found during recursive resolution." (source: ARM)

In my case, the first zone is a white list zone which also contains an
IP trigger, thus qname-wait-recurse has no effect on the following
malicious zones.

Daniel
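As an added illustration (not part of the original thread, and not BIND's own sample config), here is a named.conf fragment plus two policy zones laid out the way the message describes: a whitelist zone listed first that carries an IP trigger, followed by a QNAME block-list zone, with qname-wait-recurse disabled. Zone names, the 192.0.2.0/24 range and the trigger names are constructed placeholders.

```conf
// named.conf (constructed example)
options {
    // ... other resolver options ...
    response-policy {
        // Zone 1: whitelist. A match here yields PASSTHRU and stops evaluation of later zones.
        // This zone contains an IP trigger (see rpz-ip entry below), so BIND must finish
        // recursion before it can evaluate the zone. Per the ARM restriction quoted above,
        // qname-wait-recurse therefore does not apply to QNAME triggers in zone 2 either.
        zone "whitelist.rpz.example" policy passthru;
        // Zone 2: block list using QNAME triggers only.
        zone "blocklist.rpz.example" policy nxdomain;
    } qname-wait-recurse no;   // requires BIND >= 9.10
};

zone "whitelist.rpz.example" { type master; file "whitelist.rpz.example.db"; };
zone "blocklist.rpz.example" { type master; file "blocklist.rpz.example.db"; };

; --- whitelist.rpz.example.db (constructed example) ---
$TTL 300
@   SOA localhost. root.localhost. 1 3600 900 604800 300
    NS  localhost.
; QNAME trigger: never rewrite answers for this name
trusted.example.com         CNAME rpz-passthru.
; IP trigger: never rewrite answers whose A record is in 192.0.2.0/24
; (prefix length first, then the reversed address: 24.0.2.0.192)
24.0.2.0.192.rpz-ip         CNAME rpz-passthru.

; --- blocklist.rpz.example.db (constructed example) ---
$TTL 300
@   SOA localhost. root.localhost. 1 3600 900 604800 300
    NS  localhost.
; QNAME triggers: return NXDOMAIN for the name and everything below it.
; With the IP trigger in zone 1, a name here that SERVFAILs upstream still
; escapes the policy even though qname-wait-recurse is "no".
malicious.example.net       CNAME .
*.malicious.example.net     CNAME .
```

If the whitelist needed only QNAME passthru entries, dropping the rpz-ip trigger from zone 1 is what would let qname-wait-recurse no take effect for the QNAME triggers in zone 2, per the ARM text quoted above; validate any such change with named-checkconf and named-checkzone before reloading.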


