On 07/02/2025 11:51, Pavel Prostin wrote:
> Should I maintain RPZ records on this auxiliary server for internal hosts manually? My understanding is that RPZ only overrides responses and does not forward queries for unknown records.
RPZ overrides responses, but any RR which doesn't have an RPZ match is processed in the normal way - whether you've configured the recursor to do normal recursion, or to forward to 8.8.8.8, or whatever.
Yes, you'd have to manage the RPZ contents yourself, but you could do it with a script (e.g. AXFR of the internal zone and convert it to an RPZ). But equally, you could just fetch the two zones and merge them in a script, and the proxy can have its own copy of the zone.
IMO what you're doing is security-through-obscurity, so I'm not going to contribute further on this topic.
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
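Added example, not code from either poster: a sketch of the "AXFR the internal zone and convert it to an RPZ" script the reply suggests, plus a small model of the lookup decision showing that names with no RPZ match fall through to normal recursion or forwarding. The zone content and the policy-zone name `rpz.internal.` are constructed assumptions.

```python
# Added example: convert an AXFR dump of an internal zone into RPZ "Local Data" records.
# Sample input is constructed; rpz.internal. is a hypothetical policy-zone name.
INTERNAL_AXFR = """\
internal.example.          3600 IN SOA   ns1.internal.example. admin.internal.example. 1 7200 900 1209600 300
internal.example.          3600 IN NS    ns1.internal.example.
ns1.internal.example.      3600 IN A     10.0.0.53
intranet.internal.example.  300 IN A     10.0.1.10
intranet.internal.example.  300 IN AAAA  fd00::1:10
wiki.internal.example.      300 IN CNAME intranet.internal.example.
"""

RPZ_ORIGIN = "rpz.internal."  # hypothetical name of the policy zone loaded on the recursor
# CNAME targets that RPZ interprets as actions (NXDOMAIN, NODATA, passthru, ...) rather than data
RPZ_SPECIAL_CNAMES = {".", "*.", "rpz-passthru.", "rpz-drop.", "rpz-tcp-only."}


def zone_to_rpz(axfr_text, rpz_origin=RPZ_ORIGIN):
    """Each host RR (A/AAAA/CNAME) becomes <owner>.<rpz_origin> with the same type and rdata.
    RPZ treats such an RRset as "Local Data": a query for the owner name is answered from it.
    SOA/NS of the source zone are skipped; they describe the zone, not hosts."""
    records = []
    for line in axfr_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN" or parts[3] not in ("A", "AAAA", "CNAME"):
            continue
        owner, ttl, rtype, rdata = parts[0], parts[1], parts[3], " ".join(parts[4:])
        if rtype == "CNAME" and rdata in RPZ_SPECIAL_CNAMES:
            continue  # would be read as a policy action instead of an answer
        records.append(f"{owner.rstrip('.')}.{rpz_origin} {ttl} IN {rtype} {rdata}")
    return records


def rpz_zone_file(axfr_text, serial, rpz_origin=RPZ_ORIGIN):
    """Wrap the records in a minimal zone (SOA/NS) that a recursor can load as an RPZ.
    Bump the serial whenever the internal zone changes so the recursor re-transfers it."""
    header = [
        f"$ORIGIN {rpz_origin}",
        f"@ 300 IN SOA localhost. hostmaster.localhost. {serial} 3600 900 1209600 300",
        "@ 300 IN NS localhost.",
    ]
    return "\n".join(header + zone_to_rpz(axfr_text, rpz_origin)) + "\n"


def rpz_lookup(qname, qtype, records, rpz_origin=RPZ_ORIGIN):
    """Model the resolver's decision: return local-data rdata when the RPZ matches the
    query name (a CNAME matches any type), else None, meaning the query takes the
    normal path (recursion, or forwarding to whatever upstream is configured)."""
    trigger_wanted = qname.rstrip(".") + "." + rpz_origin
    for rec in records:
        trigger, _ttl, _cls, rtype, rdata = rec.split(maxsplit=4)
        if trigger == trigger_wanted and rtype in (qtype, "CNAME"):
            return rdata
    return None
```

Run it on a real `dig AXFR` dump after checking that the transfer is permitted from the host where the script runs; only the record types listed above are carried over.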