RPZ and DNS traffic on the server

Alex K rightkicktech at gmail.com
Tue Feb 12 14:18:06 UTC 2019


Hi Daniel,

Thank you very much!
It was exactly what I was looking for.

On Tue, Feb 12, 2019 at 4:03 PM Daniel Stirnimann <
daniel.stirnimann at switch.ch> wrote:

>
> Hello Alex,
>
> > Is this expected behaviour? Is there any way to make the server avoid
> > proceeding with the resolution, when the initial client requests is
> > blocked?
>
> Yes, this is expected behavior. You need "qname-wait-recurse no" to
> change the behavior:
>
> response-policy {
>   zone "rpz-whitelist-lan";
>   zone "rpz-blackhole";
> } qname-wait-recurse no;
>
> Be aware of the following limitation:
>
> > The option does not affect QNAME or client-IP triggers in policy
> > zones listed after other zones containing IP, NSIP and NSDNAME
> > triggers, because those may depend on the A, AAAA, and NS records
> > that would be found during recursive resolution.
> Source:
>
> https://ftp.isc.org/isc/bind9/9.10.3/doc/arm/Bv9ARM.ch06.html#Configuration_File_Grammar
>
> Daniel
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
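A fuller configuration showing the setting from the reply together with the zone-ordering caveat it carries, as an added example that is not part of the original thread and not taken from ISC's documentation. The zone names "rpz-whitelist-lan" and "rpz-blackhole" come from the thread; the file paths, the third zone "rpz-badnets", the 10.0.0.0/24 management subnet and all record data are assumed, constructed sample values. The point it demonstrates: "qname-wait-recurse no" only stops recursion for QNAME and client-IP triggers in zones that appear before any zone carrying IP, NSIP or NSDNAME triggers, so name-based zones go first and address-based zones last.

```conf
// ---- /etc/bind/named.conf.rpz (assumed path; added example, not the poster's config) ----
//
// Order matters: with "qname-wait-recurse no", a QNAME or client-IP hit in a zone
// that is listed BEFORE any IP/NSIP/NSDNAME zone is answered without recursing.
// A zone with IP/NSIP/NSDNAME triggers needs the resolved A/AAAA/NS data, so any
// QNAME zone listed after it is still resolved upstream first.

zone "rpz-whitelist-lan" {
    type master;
    file "/var/cache/bind/rpz-whitelist-lan.db";   // assumed path
    allow-query { localhost; };                    // policy data, not for clients
};

zone "rpz-blackhole" {
    type master;
    file "/var/cache/bind/rpz-blackhole.db";       // assumed path
    allow-query { localhost; };
};

zone "rpz-badnets" {                               // hypothetical IP-trigger zone
    type master;
    file "/var/cache/bind/rpz-badnets.db";         // assumed path
    allow-query { localhost; };
};

options {
    directory "/var/cache/bind";                   // assumed
    response-policy {
        zone "rpz-whitelist-lan";   // QNAME + client-IP passthru: first, so it wins
        zone "rpz-blackhole";       // QNAME triggers: still before any IP zone
        zone "rpz-badnets";         // IP triggers: last, these need recursion anyway
    } qname-wait-recurse no;
};

; ---- /var/cache/bind/rpz-whitelist-lan.db (constructed sample data) ----
$TTL 60
@   IN SOA localhost. root.localhost. ( 1 3600 900 604800 60 )
    IN NS  localhost.
; client-IP trigger, encoded prefixlen.reversed-octets: 10.0.0.0/24 is exempt
24.0.0.0.10.rpz-client-ip  IN CNAME rpz-passthru.
; QNAME trigger: never block this name
corp.example.com           IN CNAME rpz-passthru.

; ---- /var/cache/bind/rpz-blackhole.db (constructed sample data) ----
$TTL 60
@   IN SOA localhost. root.localhost. ( 1 3600 900 604800 60 )
    IN NS  localhost.
; QNAME triggers: owner name is the queried name, CNAME . means NXDOMAIN
evil.example        IN CNAME .
*.evil.example      IN CNAME .
; CNAME *. means NODATA (empty answer) instead of NXDOMAIN
tracker.example     IN CNAME *.

; ---- /var/cache/bind/rpz-badnets.db (constructed sample data) ----
$TTL 60
@   IN SOA localhost. root.localhost. ( 1 3600 900 604800 60 )
    IN NS  localhost.
; IP trigger: block any answer containing 192.0.2.1 (prefixlen.reversed-octets)
32.1.2.0.192.rpz-ip IN CNAME .
```

To check it after a reload, run named-checkconf and named-checkzone on each zone, then enable query logging with "rndc querylog" and ask for a blocked name, for example "dig @127.0.0.1 evil.example A": the answer should be NXDOMAIN, and a capture on the server's upstream interface (tcpdump port 53) should show no outbound query for that name. Querying from the exempted 10.0.0.0/24 range should return the real answer instead. Remember that the whitelist only exempts the listed subnet; IP-trigger zones listed last still cause recursion for names that are not caught by an earlier QNAME zone, which is the behaviour the quoted limitation describes.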