Logging ECS information for RPZ rewrites

[Tony Finch]

Brian Keifer <brian at valinor.net> wrote:
>
> The architecture I've been working with so far is a pair of front-end proxy
> servers running keepalived to share a virtual IP and PowerDNS's dnsdist as
> the actual proxy.  The proxies set ECS to the client's IP address and pass
> the request to one of four back-end caching BIND 9.12 servers.

I've sort of been waiting to see if Ray will reply to this question, since
the general opinion seems to be that using ECS in this situation isn't a
great idea, so it should be replaced by a different option:
https://tools.ietf.org/html/draft-bellis-dnsop-xpf

But that doesn't help with your immediate problem.

> That all works beautifully, but when a client has one of their requests
> rewritten based on a threat feed, we want to know about it so that we can
> investigate/remediate that client.

There are a couple of non-BIND ways that you might accomplish this:

(1) Do the logging on the RPZ redirection target server.

(2) Get dnsdist to log responses that have been rewritten by RPZ.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
public services available on equal terms to all