Hammers and nails...

On Tue, 16 Mar 2021, Marki wrote:
> On 3/13/2021 12:11 AM, Tony Finch wrote:
>> Marki <bind-us...@lists.roth.lu> wrote:
>>> But if you need granular filtering, that could become a lot of views...
>> Yes, I think RPZ is really designed to be a ban hammer [...]

> Standard DNS server software (not only Bind)

Is RPZ "standard" now? I know that the US Govt is now calling it "PDNS"...

> does not provide for easy whitelist filtering, only blacklists seem to be "en vogue".

Not true at all. There are large cesspools of compute which I block by default and selectively whitelist into with RPZ.

This requires (and it should be SOP) two local RPZs, a whitelist followed by a blacklist. If it's in the whitelist, it's shiny; otherwise it gets filtered by the RPZ dedicated to replicating the coldest regions of interstellar space.

The cesspools in particular are handled via CNAME chains. That seems to be SOP, too. So images.example.com is a CNAME to random.cesspool-example.com. In the second list there is a catchall for *.cesspool-example.com which rewrites it all NXDOMAIN. Because I like example.com, I put a rule in the first list to leave *.example.com alone. (This does a really good job with third party cookies before they even get to the browser.)

In fact, this should be SOP: whenever you use cesspool compute or servers, CNAME it from your actual domain m'kay?

Granted there are some people who cleverly use random.cesspool-example.com in their dynamically generated pages. So clever. Ooops, not so much. In fact, this blocks stuff I never even thought of blocking but am glad I did!

There can also be issues with TTLs, where you had something in a compute cesspool blocked and then you created an exception for it, and it won't resolve until the TTL expires. I solve that locally by disabling local cache: all stub resolver queries (getaddrinfo() I'm looking at you!) get sent to the local recursive/caching resolver by disabling nscd or rewriting TTLs if necessary.

For extra credit you can hunt nameservers, although that's perhaps better handled in the mail filtering pipeline, which is where it really seems to matter.

--

Fred Morris
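The two-list setup Fred describes above (an allowlist zone consulted before a blocklist zone, with the allowlist protecting *.example.com and the blocklist turning *.cesspool-example.com into NXDOMAIN), written out as a BIND 9 configuration. This is an added illustration, not configuration from the post or from ISC; the zone names rpz.allow and rpz.block, the file paths under /etc/bind, the SOA/NS placeholder records and the allow-query settings are assumptions, while example.com and cesspool-example.com are the names used in the post.

```conf
// named.conf fragment (added example; zone names and paths are assumed)
options {
    // Policy zones are consulted in the order listed. When a response
    // matches rules in more than one zone, the rule from the zone listed
    // first wins, so the allowlist must precede the blocklist.
    response-policy {
        zone "rpz.allow" policy given;
        zone "rpz.block" policy given;
    };
};

zone "rpz.allow" {
    type master;
    file "/etc/bind/rpz.allow.db";
    allow-query { none; };   // policy data only, never served to clients
};

zone "rpz.block" {
    type master;
    file "/etc/bind/rpz.block.db";
    allow-query { none; };
};

; ---- /etc/bind/rpz.allow.db : first list, names to leave alone ----
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
@   IN NS   localhost.
; Owner names are relative to the zone origin (no trailing dot).
; "CNAME rpz-passthru." means: answer normally, do not rewrite.
example.com     IN CNAME rpz-passthru.
*.example.com   IN CNAME rpz-passthru.

; ---- /etc/bind/rpz.block.db : second list, the cold regions of space ----
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
@   IN NS   localhost.
; "CNAME ." rewrites the answer to NXDOMAIN ("CNAME *." would give NODATA).
cesspool-example.com    IN CNAME .
*.cesspool-example.com  IN CNAME .
```

With this in place a query for images.example.com, which the authoritative side answers with a CNAME to random.cesspool-example.com, matches *.example.com in rpz.allow and is passed through untouched, even though the CNAME target matches *.cesspool-example.com in rpz.block; a direct query for random.cesspool-example.com matches only the second zone and gets NXDOMAIN. Exceptions for a blocked name are therefore a one-line addition to the first file, followed by a zone reload, and any answer already cached before the exception was added stays rewritten until its TTL runs out, which is the TTL problem the post mentions.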


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users