Authority and forwarding, but not recursion/iteration

Fred Morris m3047 at m3047.net
Wed Mar 17 01:41:45 UTC 2021


Hammers and nails...

On Tue, 16 Mar 2021, Marki wrote:
> On 3/13/2021 12:11 AM, Tony Finch wrote:
>>  Marki <bind-users at lists.roth.lu> wrote:
>>>  But if you need granular filtering, that could become a lot of views...
>>  Yes, I think RPZ is really designed to be a ban hammer [...]
>
> Standard DNS server software (not only Bind)

Is RPZ "standard" now? I know that the US Govt is now calling it "PDNS"...

> does not provide for easy 
> whitelist filtering, only blacklists seem to be "en vogue".

Not true at all. There are large cesspools of compute which I block by 
default and selectively whitelist into with RPZ.

This requires (and it should be SOP) two local RPZs, a whitelist followed 
by a blacklist. If it's in the whitelist it's shiny otherwise it gets 
filtered by the RPZ dedicated to replicating the coldest regions of 
interstellar space.

The cesspools in particular are handled via CNAME chains. That seems to be 
SOP, too. So images.example.com is a CNAME to random.cesspool-example.com. 
In the second list there is a catchall for *.cesspool-example.com which 
rewrites it all NXDOMAIN. Because I like example.com, I put a rule in the 
first list to leave *.example.com alone. (This does a really good job with 
third party cookies before they even get to the browser.)

In fact, this should be SOP: whenever you use cesspool compute or servers, 
CNAME it from your actual domain m'kay?
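As an added illustration (not code from the original post), here is a small model of the two-RPZ arrangement described above: a whitelist zone checked first, a blacklist zone checked second, applied to every name in a CNAME chain. The RPZ record syntax (`CNAME rpz-passthru.` for PASSTHRU, `CNAME .` for NXDOMAIN) is real; the zone contents, the CNAME chains and the "PASSTHRU stops further policy checks" behaviour are assumptions made for the example.

```python
# Constructed RPZ zone contents (owner names relative to the policy zone apex).
WHITELIST_RPZ = """
*.example.com            CNAME rpz-passthru.
"""
BLACKLIST_RPZ = """
*.cesspool-example.com   CNAME .
"""

# Constructed CNAME chains standing in for what the resolver would fetch:
# qname -> list of CNAME targets it expands to (empty list = plain answer).
CNAME_CHAINS = {
    "images.example.com": ["random.cesspool-example.com"],
    "assets.example.net": ["cdn.cesspool-example.com"],
    "www.example.net": [],
}

# RPZ encodes the policy action in the CNAME target.
ACTIONS = {"rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP",
           ".": "NXDOMAIN", "*.": "NODATA"}

def parse_rpz(text):
    """Return [(owner, action)] for the CNAME-style trigger records in text."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "CNAME":
            rules.append((parts[0].lower(), ACTIONS.get(parts[2].lower(), "CNAME")))
    return rules

def match(rules, name):
    """First matching rule in one zone; '*.x' matches any name below x."""
    for owner, action in rules:
        if owner.startswith("*."):
            if name.endswith(owner[1:]):      # owner[1:] is ".x", so "foo-x" does not match
                return action
        elif owner == name:
            return action
    return None

def resolve(qname, policy_zones, chains=CNAME_CHAINS):
    """Check each name in the chain against the zones in order; first hit wins.
    A PASSTHRU hit (the whitelist) ends policy processing for the whole query."""
    for name in [qname] + chains.get(qname, []):
        for rules in policy_zones:
            action = match(rules, name)
            if action:
                return action
    return "ANSWER"

POLICY = [parse_rpz(WHITELIST_RPZ), parse_rpz(BLACKLIST_RPZ)]
```

Querying images.example.com is let through by the whitelist even though its CNAME target sits in the blocked cesspool, while assets.example.net is rewritten to NXDOMAIN because only its CNAME target matches, and only in the blacklist.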

Granted there are some people who cleverly use random.cesspool-example.com 
in their dynamically generated pages. So clever. Ooops, not so much. In 
fact, this blocks stuff I never even thought of blocking but am glad I 
did!

There can also be issues with TTLs, where you had something in a compute 
cesspool blocked and then you created an exception for it, and it won't 
resolve until the TTL expires. I solve that locally by disabling local 
cache: all stub resolver queries (getaddrinfo() I'm looking at you!) get 
sent to the local recursive/caching resolver by disabling nscd or 
rewriting TTLs if necessary.

For extra credit you can hunt nameservers, although that's perhaps better 
handled in the mail filtering pipeline, which is where it really seems to 
matter.

--

Fred Morris