Queries regarding forwarders

Lee ler762 at gmail.com
Thu Oct 25 21:25:41 UTC 2018


On 10/24/18, Grant Taylor via bind-users <bind-users at lists.isc.org> wrote:
> On 08/09/2018 01:01 AM, Lee wrote:
>> it does, so you have to flag your local zones as rpz-passthru.
>
> Thank you again Lee.  You gave me exactly what I needed and wanted to know.

you're welcome :)

> I finally got around to configuring my RPZ to filter IPv4
> Special-Purpose Address Registry as per IANA's definition.
> (https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml#iana-ipv4-special-registry-1)
>
> I am also happily using rpz-passthru for my local domain(s) that resolve
> to filtered IPs.
>
> Now I'm pontificating augmenting my RPZ to also filter replies that
> resolve to IPv4 BOGONs.  (Received via BGP feed with Team Cymru.)

I feel like I'm missing something :(

I read this
  https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
and used RPZ to block anything coming from outside that might be an
internal address.  I'm missing what filtering out things like
benchmarking & documentation network addrs gets you beyond maybe
saving some bandwidth?

Same deal with using RPZ to block IPv4 BOGONs.  What does RPZ blocking
get you that you don't get by blocking them on your edge routers?

Thanks,
Lee
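The RPZ configuration discussed in this thread (response-IP triggers for private and special-purpose ranges, with rpz-passthru for local zones), as an added example that is not code from anyone in the thread. The Python below models the resolver-side decision BIND makes and renders the matching zone records in the rpz-ip / rpz-passthru form that BIND's RPZ documentation specifies. The prefix list is a constructed subset of RFC 1918 plus the IANA special-purpose registry, and the local zone names are hypothetical. What it illustrates is the check an edge ACL never gets to make: the filter acts on the DNS answer itself, before the client has an address to connect to.

```python
"""RPZ-style response-IP filtering, modelled in Python.

Added example, not code from the original bind-users thread. It mimics what
BIND does with an RPZ zone carrying rpz-ip (response IP) triggers plus
rpz-passthru entries for local zones. The prefixes below are a constructed
subset of RFC 1918 and the IANA IPv4 Special-Purpose Address Registry; the
local zone names are hypothetical.
"""
import ipaddress
from typing import Iterable

# Address blocks the resolver should refuse to hand to clients when an
# external name resolves to them (private space, loopback, link-local,
# documentation TEST-NETs, benchmarking, reserved).
FILTERED_PREFIXES = (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "240.0.0.0/4",
)
_FILTERED_NETS = [ipaddress.ip_network(p) for p in FILTERED_PREFIXES]

# Local zones whose names legitimately resolve to filtered addresses
# (hypothetical names for this example).
PASSTHRU_ZONES = ("home.example.", "lab.example.")


def in_zone(qname: str, zone: str) -> bool:
    """True if qname equals zone or lies below it (case-insensitive)."""
    q = qname.lower().rstrip(".") + "."
    return q == zone or q.endswith("." + zone)


def rpz_decision(qname: str, answers: Iterable[str]) -> str:
    """Return what an RPZ-filtering resolver does with this answer.

    BIND evaluates QNAME triggers before response-IP triggers, so a
    passthru on the name wins over a later IP match.

    'passthru' - qname is under a local zone; answer returned unchanged
    'nxdomain' - an A record falls in a filtered block; answer withheld
    'allow'    - nothing matched; answer returned unchanged
    """
    if any(in_zone(qname, z) for z in PASSTHRU_ZONES):
        return "passthru"
    for a in answers:
        addr = ipaddress.ip_address(a)
        if any(addr in net for net in _FILTERED_NETS):
            return "nxdomain"
    return "allow"


def rpz_ip_owner(prefix: str) -> str:
    """Owner name for an rpz-ip trigger: <prefixlen>.<reversed octets>.rpz-ip"""
    net = ipaddress.ip_network(prefix)
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"


def render_rpz_zone(origin: str = "rpz.example.") -> str:
    """Render the equivalent RPZ zone data (owner names relative to origin)."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 60",
        "@ SOA localhost. root.localhost. 1 3600 900 604800 60",
        "@ NS localhost.",
    ]
    for zone in PASSTHRU_ZONES:
        rel = zone.rstrip(".")
        # QNAME triggers; CNAME rpz-passthru. exempts the local zone
        lines.append(f"{rel} CNAME rpz-passthru.")
        lines.append(f"*.{rel} CNAME rpz-passthru.")
    for prefix in FILTERED_PREFIXES:
        # Response-IP trigger; CNAME . rewrites the answer to NXDOMAIN
        lines.append(f"{rpz_ip_owner(prefix)} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed answers: a rebinding-style external name, a local host,
    # and an ordinary public name.
    for name, addrs in (
        ("rebind.attacker.test.", ["192.168.1.1"]),
        ("nas.home.example.", ["192.168.1.20"]),
        ("www.example.com.", ["93.184.216.34"]),
    ):
        print(f"{name:24} {addrs} -> {rpz_decision(name, addrs)}")
    print(render_rpz_zone())
```

The rendered zone is what the `response-policy` statement in named.conf would point at; the Python decision function is only a model for reading, so verify the real behaviour against your own resolver with a name you control that answers with a private address.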

