RPZ question authoritative/recursive servers

Bob Harold rharolde at umich.edu
Tue Jan 22 15:02:30 UTC 2019


On Tue, Jan 22, 2019 at 9:41 AM Mik J via bind-users <
bind-users at lists.isc.org> wrote:

> Hello,
>
> I tried to dissociate roles and have:
> - 1 set of authoritative master/slave servers
> - 1 set of recursive servers
>
> For a zone that I own, the "recursive" servers forward the request to
> the authoritative server. Otherwise the server resolves the query directly
> on the Internet.
> The authoritative servers hold my zones and recursion is disabled.
>
> I was reading about RPZ zones but it seems to me these are implemented on
> authoritative servers?
> I'm interested in RPZ zones in order to intercept some queries aiming to
> the internet youp*rn or wannacry.
>
> As I explained, my authoritative servers are not on the path to Internet,
> only my forward servers are, should I implement the RPZ functionality on
> these forward only servers?
>
> Any thoughts on this?
>
> Thank you
>

The RPZ function only runs on the Recursive DNS servers.
The RPZ zone could be mastered on an Authoritative server, but it should
not be visible to the public. Better to keep it only on internal servers,
like only on the resolvers.

-- 
Bob Harold
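
A sketch of the layout described in the reply, added here as an example and not taken from either poster's configuration: the policy is applied on the recursive resolvers, the zone is mastered on an internal server, and nobody else can query or transfer it. The zone name, addresses and client range are constructed placeholders; newer BIND releases also accept `primary`/`secondary` in place of `master`/`slave`.

```conf
// ---- named.conf on each recursive resolver (RPZ is evaluated here) ----
acl "internal-clients" { 10.0.0.0/8; };        // assumed client range

options {
    recursion yes;
    allow-recursion { "internal-clients"; };
    // Rewrite answers given to clients according to the policy zone.
    response-policy { zone "rpz.internal.example"; };
};

zone "rpz.internal.example" {
    type slave;
    masters { 192.0.2.10; };                   // assumed internal master
    file "rpz.internal.example.db";
    allow-query    { localhost; };             // clients cannot read the policy
    allow-transfer { none; };                  // and cannot pull the whole list
};

// ---- named.conf on the internal master that holds the policy zone ----
// 198.51.100.53 and 198.51.100.54 stand in for the two resolvers.
zone "rpz.internal.example" {
    type master;
    file "rpz.internal.example.db";
    allow-query    { 198.51.100.53; 198.51.100.54; };
    allow-transfer { 198.51.100.53; 198.51.100.54; };
    also-notify    { 198.51.100.53; 198.51.100.54; };
};

// ---- sample policy records in rpz.internal.example.db ----
// (the file also needs the usual SOA and NS records)
// blocked.example.invalid      CNAME .   ; answer NXDOMAIN for this name
// *.blocked.example.invalid    CNAME .   ; and for everything beneath it
```

Running `named-checkconf` on each server before reloading catches syntax errors in these stanzas.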