Marki <bind-us...@lists.roth.lu> wrote:

> Concerning static-stub: Using a (bogus) forwarder together with "forward
> first" (default) seems to work (Note: using "forward only" gives SERVFAIL).
> All outside requests get a SERVFAIL even with "forward first" but that's an
> esthetic problem.
Yes, SERVFAIL is ugly - I should have mentioned that.

> I'm not sure about the flexibility of RPZ; it doesn't seem that I can
> have rules like "client 1.2.3.4 is allowed to look up example.com but
> client 1.2.3.5 is not".

You can have multiple response-policy zones, which are matched in the order they are listed in the configuration.

You could perhaps have a zone listed early that uses RPZ-CLIENT-IP triggers and a PASSTHRU policy for non-sandboxed clients, then have a zone containing QNAME triggers (with liberal use of wildcards) and PASSTHRU policy (again) for just the permitted internal names, and finally a catch-all zone (wildcard to match any qname) with an NXDOMAIN policy to deny external names for sandboxed clients.

(You can equally well combine the first two into a single zone, depending on whether you want more single-purpose RPZs or fewer multi-purpose ones.)

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> https://dotat.at/
Forties, Cromarty, Forth: South or southeast 5 to 7, increasing gale 8 or severe gale 9 for a time. Slight or moderate, becoming rough later, occasionally very rough except in Forth. Rain. Good, becoming moderate or poor for a time.
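The three-zone layout Tony describes, written out as BIND configuration. This is an added example, not configuration from the thread; the zone names clients.rpz/allow.rpz/deny.rpz, the file paths, the choice of 1.2.3.4 as a non-sandboxed client and 1.2.3.5 as a sandboxed one, and example.com as the only permitted internal name are all constructed assumptions.

```conf
// named.conf fragment (assumed zone names and file paths)
options {
    // Zones are consulted in the order listed; the first matching trigger wins,
    // and PASSTHRU stops further policy processing for that query.
    response-policy {
        zone "clients.rpz";   // 1: PASSTHRU for non-sandboxed client addresses
        zone "allow.rpz";     // 2: PASSTHRU for permitted internal names
        zone "deny.rpz";      // 3: catch-all NXDOMAIN for everything else
    };
};
// "type master" is accepted by all BIND 9 releases (newer ones also accept "primary")
zone "clients.rpz" { type master; file "/etc/bind/rpz/clients.rpz"; };
zone "allow.rpz"   { type master; file "/etc/bind/rpz/allow.rpz"; };
zone "deny.rpz"    { type master; file "/etc/bind/rpz/deny.rpz"; };

; /etc/bind/rpz/clients.rpz  (assumed client 1.2.3.4 is not sandboxed)
$TTL 300
@   SOA localhost. hostmaster.localhost. 1 3600 600 86400 300
@   NS  localhost.
; RPZ-CLIENT-IP trigger: <prefixlen>.<address octets reversed>.rpz-client-ip
; Matches 1.2.3.4/32 and applies PASSTHRU, so zones 2 and 3 are never reached.
; 1.2.3.5 has no entry here and falls through to the QNAME zones below.
32.4.3.2.1.rpz-client-ip  CNAME rpz-passthru.

; /etc/bind/rpz/allow.rpz  (assumed permitted internal name: example.com)
$TTL 300
@   SOA localhost. hostmaster.localhost. 1 3600 600 86400 300
@   NS  localhost.
; QNAME triggers: the bare name and the wildcard are both needed, because
; *.example.com matches only names below example.com, not example.com itself.
example.com    CNAME rpz-passthru.
*.example.com  CNAME rpz-passthru.

; /etc/bind/rpz/deny.rpz
$TTL 300
@   SOA localhost. hostmaster.localhost. 1 3600 600 86400 300
@   NS  localhost.
; Wildcard at the zone apex matches any remaining qname; "CNAME ." is the
; RPZ encoding of the NXDOMAIN policy, so sandboxed clients get NXDOMAIN
; (not SERVFAIL) for every name that zones 1 and 2 did not pass through.
*   CNAME .
```

Checking the result from each client with `dig @<resolver> example.com` and `dig @<resolver> www.isc.org` shows PASSTHRU (normal answers) for 1.2.3.4 and NXDOMAIN for the external name from 1.2.3.5; `rndc querylog` or the `rpz` logging category records which zone and policy fired.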