Re: How filter with RPZ only A and AAAA type records ?

2022-08-10 Thread Fred Morris

On Tue, 9 Aug 2022, sub zero wrote:

> Short question, is it possible to filter with BIND RPZ only A and AAAA type
> records? If yes, how?


A similar question was asked recently on the DNS Firewalls list at Redbarn
(http://lists.redbarn.org/pipermail/dnsfirewalls/)

Short answer is no, or at least not that I know of. But maybe sort of. You 
can certainly return some RPZ generated answer (A record), but things like 
e.g. NXDOMAIN and passthru are done with CNAME and apply to the FQDN.


I note that returning NXDOMAIN for an rtype and an answer for a different 
rtype for the FQDN is not conformant with how the DNS is supposed to 
behave (the conformant answer is success+ANSWER:0 not NXDOMAIN).


Short questions don't always result in short answers. ;-) You might try 
the DNS Firewalls list, you might also see if you can come up with a 
scenario and functional tests; that might help people give a better 
answer.


--

Fred Morris, internet plumber

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
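
The distinction drawn in the reply above, between CNAME-encoded actions that apply to the whole name and RPZ-generated answers, is shown here as an added example that is not part of the original message. The file name, trigger names and the 192.0.2.10 address are constructed placeholders, and the zone is assumed to be loaded under an origin such as rpz.example and referenced from a response-policy statement.

```dns
; rpz.example.zone: constructed RPZ policy zone (all names are placeholders)
$TTL 300
@   IN SOA localhost. hostmaster.localhost. ( 1 3600 600 86400 300 )
    IN NS  localhost.

; Actions encoded as a special CNAME apply to the trigger name as a whole,
; whatever record type the client asked for.
blocked.example.com     IN CNAME .               ; NXDOMAIN for every qtype
nodata.example.com      IN CNAME *.              ; NODATA (NOERROR, empty answer) for every qtype
allowed.example.com     IN CNAME rpz-passthru.   ; exempt from rewriting

; Local data: ordinary records are returned for the matching type.
; Only an A record is listed, so an A query gets 192.0.2.10 and an
; AAAA (or any other type) query for this name gets NODATA.
walled.example.com      IN A     192.0.2.10
```

None of these encodings returns NXDOMAIN for A and AAAA only while leaving other types at the same name untouched; the closest per-type behaviour is the local-data case, where unlisted types get NODATA.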


How filter with RPZ only A and AAAA type records ?

2022-08-09 Thread sub zero
Hey,

Short question, is it possible to filter with BIND RPZ only A and AAAA type
records? If yes, how?

Thank you in advance.