RPZ for reverse lookups ?
m3047
m3047 at m3047.net
Sun Aug 25 16:54:52 UTC 2019
Clarification on what DNS is...
On Sun, 25 Aug 2019, m3047 wrote:
> On Sat, 24 Aug 2019, J Doe wrote:
>> [...] Is it possible to re-write a response on a reverse lookup ? For
>> instance, if I considered example.com a “bad domain”, can I write a RPZ
>> policy so that a reverse lookup of IPs that map to example.com fails or
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> is blocked ?
>> [...]
> proposed actions local in scope? Do you run a local passive DNS oracle?)
Strictly speaking, in DNS-speak the "reverse lookup of an IP..." is a PTR
lookup. The "reverse lookup of an IP mapping to example.com" is doing a
PTR lookup and matching it against example.com. I could be wrong
generally, but at least none of the RPZ features which I use generate
additional DNS traffic; an RPZ implementation which did would exceed my
personal threshold of least surprise.
You might consider taking discussion of this to the RPZ interest list or
searching the archives: http://lists.redbarn.org/mailman/listinfo/dnsfirewalls
--
Fred Morris
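Added illustration (not part of the original thread, and not Fred's or ISC's code) of the distinction made above: RPZ cannot match on the *target* of a PTR answer, so the "which IPs map to example.com" matching has to happen outside the resolver, using PTR data you already hold (the constructed `SAMPLE_PTR` dict stands in for a local passive-DNS store). The script then emits ordinary RPZ QNAME-trigger records (`owner CNAME .`, the NXDOMAIN action) for the reverse names, so the resolver blocks those PTR lookups without RPZ generating any extra queries.

```python
import ipaddress
from typing import Dict, Iterable, List


def reverse_name(ip: str) -> str:
    """Owner name that a PTR lookup of `ip` actually queries (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def target_in_domain(ptr_target: str, bad_domain: str) -> bool:
    """True if a PTR target is bad_domain or a subdomain of it.

    Matches on label boundaries, so 'notexample.com' does not match 'example.com'.
    """
    t = ptr_target.rstrip(".").lower()
    d = bad_domain.rstrip(".").lower()
    return t == d or t.endswith("." + d)


def rpz_qname_records(ptr_answers: Dict[str, List[str]],
                      bad_domains: Iterable[str]) -> List[str]:
    """Build RPZ QNAME-trigger records for every IP whose known PTR target
    falls under a bad domain. 'CNAME .' is the RPZ NXDOMAIN action, so the
    resolver answers NXDOMAIN to the PTR query itself without looking anything up."""
    bad = list(bad_domains)
    records = []
    for ip, targets in sorted(ptr_answers.items()):
        if any(target_in_domain(t, d) for t in targets for d in bad):
            records.append(f"{reverse_name(ip)} CNAME .")
    return records


# Constructed sample of PTR answers already on hand (e.g. from a passive-DNS store);
# these are documentation addresses, not live data.
SAMPLE_PTR = {
    "192.0.2.10": ["mail.example.com."],
    "192.0.2.11": ["notexample.com."],      # must NOT be treated as example.com
    "2001:db8::1": ["www.example.com."],
    "198.51.100.5": ["host.example.net."],
}

if __name__ == "__main__":
    # Each printed line can be dropped into an RPZ zone as-is.
    for line in rpz_qname_records(SAMPLE_PTR, ["example.com"]):
        print(line)
```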