Hi all, I have an RPZ setup to whitelist several domains. The issue I am facing is that, even though domains are blocked, the caching DNS server still proceeds to resolve the domain. The behavior that I was hoping to see was for the server not to bother resolving the domain if the RPZ policy replies with NXDOMAIN (domain does not exist).
The BIND I am running is 9.10.3. I have the following configuration:

    options {
        directory "/var/cache/bind";
        allow-recursion { localhost; auth; };
        allow-query { localhost; };
        allow-transfer { "none"; };
        querylog yes;
        forwarders { 208.67.222.222; 208.67.220.220; };
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
    };

    view "lan" {
        match-clients { lan; };
        allow-query-cache { localhost; lan; };
        include "/etc/bind/named.conf.local";
        include "/etc/bind/named.conf.default-zones";
    };

"lan" and "auth" are defined ACLs. The RPZ policies and zones are loaded from /etc/bind/named.conf.local, as below:

    response-policy {
        zone "rpz-whitelist-lan";
        zone "rpz-blackhole";
    };

    zone "rpz-whitelist-lan" {
        type master;
        file "/var/cache/bind/rpz-whitelist-lan.db";
        allow-query { none; };
        allow-transfer { none; };
    };

    zone "rpz-blackhole" {
        type master;
        file "/var/cache/bind/rpz-blackhole.db";
        allow-query { none; };
        allow-transfer { none; };
    };

The content of the rpz-whitelist-lan zone is:

    $TTL 1
    @   IN  SOA localhost. root.localhost. (
                2019021107  ; Serial
                3H          ; Refresh
                1H          ; Retry
                1W          ; Expire
                60 )        ; Negative Cache TTL
        IN  NS  localhost.
    ; whitelist
    google.com  IN  CNAME   rpz-passthru.
    eset.com    IN  CNAME   rpz-passthru.

while the content of the rpz-blackhole is:

    $TTL 60
    @   IN  SOA localhost. root.localhost. (
                2019021107  ; serial
                3H          ; refresh
                1H          ; retry
                1W          ; expiry
                1H )        ; minimum
        IN  NS  localhost.
    *   CNAME   .

The configuration is ok, and the whitelisting is functioning as expected, but I see that the DNS server still generates DNS traffic when querying domains that are not listed in the whitelist, while the client correctly receives "domain does not exist". Is this expected behaviour? Is there any way to make the server avoid proceeding with the resolution when the initial client request is blocked?

Thanx,
Alex
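The following is an added example, not part of the post above and not BIND's own code: a minimal model of how BIND picks an RPZ policy for a query name (QNAME trigger) given the two zones Alex posted. Zones are tried in response-policy order and, within a zone, an exact owner match beats a wildcard; the record tables are constructed from the posted zone files.

```python
# Added example (not BIND's code): model RPZ QNAME-trigger selection for the
# two zones from the post. Zone order follows the response-policy statement,
# which is why "rpz-whitelist-lan" must be listed before "rpz-blackhole".
# Records are constructed from the posted zone files.

WHITELIST = {"google.com": "rpz-passthru.", "eset.com": "rpz-passthru."}
BLACKHOLE = {"*": "."}                      # "* CNAME ." = NXDOMAIN for all
POLICY_ORDER = [("rpz-whitelist-lan", WHITELIST), ("rpz-blackhole", BLACKHOLE)]


def action_for(target):
    """Map the CNAME target in an RPZ zone to the action it encodes."""
    if target == "rpz-passthru.":
        return "PASSTHRU"        # answer normally, stop checking later zones
    if target == ".":
        return "NXDOMAIN"        # tell the client the name does not exist
    if target == "*.":
        return "NODATA"
    return "CNAME " + target     # walled-garden style redirect


def wildcard_matches(trigger, qname):
    """'*' matches any name; '*.example' matches names strictly below example."""
    if trigger == "*":
        return True
    suffix = trigger[1:]                       # ".example"
    return qname.endswith(suffix) and qname != suffix[1:]


def evaluate(qname):
    """Return (zone, action) from the first zone with a matching trigger,
    or None when no policy applies and the real answer is returned."""
    qname = qname.rstrip(".").lower()
    for zone, records in POLICY_ORDER:
        if qname in records:                                   # exact owner
            return zone, action_for(records[qname])
        wild = [t for t in records if t.startswith("*") and wildcard_matches(t, qname)]
        if wild:
            best = max(wild, key=len)                          # most specific
            return zone, action_for(records[best])
    return None


if __name__ == "__main__":
    for name in ("google.com", "www.google.com", "example.org"):
        print(name, "->", evaluate(name))
```

As posted, the whitelist has only apex triggers, so www.google.com falls through to the blackhole zone and gets NXDOMAIN. The model only decides which policy applies; whether named recurses before answering a QNAME trigger is governed by the response-policy statement's qname-wait-recurse option (default yes).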
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users