It is a well known behaviour. This is the way how your DNS client works (not DNS server). Get rid of the search list or block requests to the domains in the search lists by RPZ (e.g. if it is pushed by ISP). BR, Vadim >Четверг, 3 сентября 2020, 19:04 +03:00 от Fred Morris <m3...@m3047.net>: > >It comes to my attention that when an unresolvable query occurs, it gets >forwarded to the authoritative zone regardless of anything I can set in >named.conf. Closest I can come is qname-wait-recurse which has the opposite >effect sort of, namely waiting for recursion to complete. If I have something >in an RPZ, I want it to accept that; period, full stop, no outwardly visible >effects. >Ironically the text surrounding this option in the ARM is to the effect that >"... not resolving the requested name can leak the fact that response policy >rewriting is in use..." and leaking the fact that it is in use by not leaking >the query in the first place is what I'm trying to achieve: how do I disable >the (useless) resolution directed at upstream servers? >Here is a use case: >* A search list is in place for example.com. This means that if "foo.bar" >fails to resolve then "foo.bar.example.com" will be tried, followed by >"foo.bar.com". >* In addition to the foregoing a rule is placed in the RPZ that >"com.example.com" and "*.com.example.com" are NXDOMAIN. >* An additional rule is present in the RPZ that "my-outhouse-example.com" is >NXDOMAIN. >In this case: >* "my-outhouse-example.com.example.com" will return NXDOMAIN (it does!) >* There should be no upstream (pointless) query for >my-outhouse-example.com.example.com. (oops!) >Let's stop the leaks. >-- >Fred Morris > >_______________________________________________ >DNSfirewalls mailing list >dnsfirewa...@lists.redbarn.org >http://lists.redbarn.org/mailman/listinfo/dnsfirewalls >
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
