[External] Re: Request assistance configuring RPZ
Carl Byington
carl at byington.org
Wed May 29 03:18:29 UTC 2019
On Tue, 2019-05-28 at 13:13 -0400, David Bank wrote:
> Perhaps I'm missing something, but I don't see how to make zurg reply
> with 192.168/16 IPs for andy and sid, but correctly resolve the rest
> of *.internal.local
On zurg, add a new dns zone rpz.ncdot.gov
============
$TTL 3600
rpz.ncdot.gov.  IN SOA localhost. root.localhost. (
                2019052800 ; serial
                3H         ; refresh
                1H         ; retry
                1W         ; expiry
                1H )       ; minimum
                IN NS localhost.   ; owner (rpz.ncdot.gov.) inherited from the SOA line
andy.internal.local  IN A 192.168.10.10
sid.internal.local   IN A 192.168.20.20
===========
Then in named.conf on zurg, add:
===========
// inside the options {} block; qname-wait-recurse is part of the same statement
response-policy { zone "rpz.ncdot.gov"; } qname-wait-recurse no;
===========
On zurg, all other names in internal.local will get the normal
processing, with answers via buzz. But when someone uses zurg to look up
andy.internal.local, it will reply with 192.168.10.10 without even
asking buzz.
An alternative rpz mechanism is to allow zurg to query buzz, and then
have rpz rewrite the 10/8 address into 192.168/16. But if you have
multiple names that map to the same 10/8 address, and you only want some
of those names to resolve to 192.168/16, you will need to use the above
mechanism, which I think is simpler anyway.
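As an added illustration (not part of Carl's message or of BIND itself), a small Python model of how the QNAME triggers in a zone like the one above are matched: relative owner names are completed with the zone origin, the exact query name is checked before wildcards, and a name with no rule falls through to normal recursion. The zone text, the `*.lab.internal.local` wildcard and the `rpz-passthru.` exemption are constructed for the example.

```python
import re

# Constructed RPZ zone modelled on the one in the post: relative owner names
# are completed with the zone origin rpz.ncdot.gov, so "andy.internal.local"
# is really andy.internal.local.rpz.ncdot.gov. and fires on that query name.
RPZ_ORIGIN = "rpz.ncdot.gov"
RPZ_ZONE_TEXT = """
$TTL 3600
@ IN SOA localhost. root.localhost. ( 2019052800 3H 1H 1W 1H )
@ IN NS localhost.
andy.internal.local   IN A     192.168.10.10
sid.internal.local    IN A     192.168.20.20
*.lab.internal.local  IN CNAME .              ; constructed: NXDOMAIN for the lab subtree
ok.lab.internal.local IN CNAME rpz-passthru.  ; constructed: exempt one name from it
"""

RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|AAAA|CNAME)\s+(\S+)$")

def parse_rpz(text, origin=RPZ_ORIGIN):
    """Map each QNAME trigger (the query name it fires on) to its (rtype, rdata)."""
    suffix = "." + origin.rstrip(".") + "."
    triggers = {}
    for raw in text.splitlines():
        m = RR_RE.match(raw.split(";", 1)[0].strip())   # comments stripped
        if not m:                                       # $TTL, SOA, NS, blanks
            continue
        owner, rtype, rdata = m.groups()
        fqdn = owner if owner.endswith(".") else owner + suffix
        if fqdn.endswith(suffix):                       # owner lies under the RPZ origin
            triggers[fqdn[:-len(suffix)].lower()] = (rtype, rdata)
    return triggers

def rpz_action(rtype, rdata):
    """Translate a trigger's RDATA into the policy action RPZ encodes with it."""
    if rtype == "CNAME":
        special = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}
        return special.get(rdata, "CNAME " + rdata)
    return rtype + " " + rdata                          # Local Data answer

def rpz_lookup(qname, triggers):
    """Emulate the QNAME policy check: the exact name first, then the longest
    matching wildcard. None means no rule fired and normal recursion proceeds."""
    labels = qname.rstrip(".").lower().split(".")
    candidates = [".".join(labels)]
    candidates += ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        if cand in triggers:
            return rpz_action(*triggers[cand])
    return None
```

With `qname-wait-recurse no`, a hit for andy or sid is answered from the policy zone before any query reaches buzz; a `None` result is the "all other names get normal processing" case.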