replace "SERVFAIL" to "NXDOMAIN" with rpz

Fred Morris m3047 at m3047.net
Sat Jun 17 04:40:11 UTC 2023


Admittedly, since I'm writing software to do "off label" stuff with DNS I 
make mistakes. But I have seen things along this line (interactions 
between RPZ and regular resolution in the context of "broken" domains): in 
some cases it has seemed impossible to ameliorate / mitigate SERVFAIL 
utilizing RPZ.

I'll try to pay more attention and see if I can isolate a test case if the 
problem recurs. (I was kind of hoping someone would have a solution!)

--

Fred Morris

On Fri, 16 Jun 2023, Crist Clark wrote:
> 
> That should return a NXDOMAIN. Returning SERVFAIL is never a normal RPZ
> action. Something is wrong with your configuration.
>
> On Fri, Jun 16, 2023 at 1:39 PM <sami.rahal at sofrecom.com> wrote:
>>
>> For monitoring reasons I try to change the return code of a domain name
>> from "SERVFAIL" to "NXDOMAIN" with the rpz classic configuration of
>> BIND9.16.42 as follows:
>>
>> example.com IN CNAME .
>>
>> *.example.com IN CNAME .
>>
>> But it still doesn't work, I still have the message "SERVFAIL", is it
>> feasible or not please?
>>

