On 19/06/08 09:47, Viktor Dukhovni via Unbound-users wrote:
> On Fri, Jun 07, 2019 at 11:53:00PM -0700, Darren S. wrote:
>
>>> Is it possible to quickly SERVFAIL queries for data handled by a
>>> particular set of remote nameservers?
>>>
>>> I tried a combination of:
>>>
>>> local-data: "some-ns.example. IN A 127.0.0.1"
>>> do-not-query-address: 127.0.0.0/8
>>>
>>> but I still see queries going to the underlying remote IPs, the
>>> "local-data" setting does not appear to affect the infra-IP resolution
>>> for the zones served by the server in question.
>>
>> Sorry for answering with a question, but would DNS RPZ work in this
>> case for what you're describing?
>
> I don't think so. I am trying to avoid two nameservers that serve
> thousands of unwanted domains. I don't have a list of said domains,
> but I do know the names of the two nameservers to avoid. I don't
> know how RPZ would help, unless RPZ can do what local-data seems
> unable to do, and inject IPs that trump the glue (or authoritative)
> A records for the nameservers of the unwanted domains.
Perhaps not exactly your imagined methodology, but very similar:

https://tools.ietf.org/html/draft-vixie-dnsop-dns-rpz-00#section-4.4
https://tools.ietf.org/html/draft-vixie-dnsop-dns-rpz-00#section-4.5

/P
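The two draft sections linked above describe the NSDNAME and NSIP triggers, which fire on the nameserver that would answer a query rather than on the queried name, which is exactly the "I only know the two nameservers" situation in the thread. The following is an added example, not code from the thread or from the Unbound project: it builds those trigger owner names for a policy zone (the zone apex `rpz.example.`, the nameserver name and the addresses are constructed placeholders, and the NSIP encoding follows my reading of the draft's IP-trigger format, with `::` written as the label `zz`). RPZ has no SERVFAIL action, so the records use the NXDOMAIN action (`CNAME .`).

```python
# Added example: generate RPZ NSDNAME (draft-vixie-dnsop-dns-rpz-00 s4.4) and
# NSIP (s4.5) trigger records for a list of nameservers to refuse answers from.
# All names/addresses here are constructed placeholders, not real infrastructure.
import ipaddress

RPZ_ZONE = "rpz.example."   # constructed policy-zone apex (assumption)
NXDOMAIN = "CNAME ."        # RPZ action: answer NXDOMAIN (RPZ defines no SERVFAIL action)


def nsdname_trigger(ns_name: str, rpz_zone: str = RPZ_ZONE) -> str:
    """Owner name that matches answers coming from nameserver `ns_name`."""
    return f"{ns_name.rstrip('.').lower()}.rpz-nsdname.{rpz_zone}"


def nsip_trigger(cidr: str, rpz_zone: str = RPZ_ZONE) -> str:
    """Owner name that matches nameserver addresses inside `cidr`.

    Encoding (as I read the draft): prefix length, then the address labels in
    reverse order; for IPv6 the compressed '::' run becomes the label 'zz'.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        labels = str(net.network_address).split(".")[::-1]
    else:
        text = net.network_address.compressed          # e.g. "2001:db8::53"
        if "::" in text:
            head, tail = text.split("::")
            head_groups = head.split(":") if head else []
            tail_groups = tail.split(":") if tail else []
            labels = tail_groups[::-1] + ["zz"] + head_groups[::-1]
        else:
            labels = text.split(":")[::-1]             # no compression present
    return ".".join([str(net.prefixlen)] + labels) + f".rpz-nsip.{rpz_zone}"


def rpz_records(ns_names, ns_cidrs, action: str = NXDOMAIN):
    """Zone-file lines applying `action` to everything served by the listed nameservers."""
    lines = [f"{nsdname_trigger(n)} {action}" for n in ns_names]
    lines += [f"{nsip_trigger(c)} {action}" for c in ns_cidrs]
    return lines


if __name__ == "__main__":
    # Constructed input: the nameserver name from the thread plus placeholder addresses.
    for line in rpz_records(["some-ns.example."], ["192.0.2.53/32", "2001:db8::53/128"]):
        print(line)
```

The printed lines are appended to the policy zone file behind the SOA/NS records; the NSIP entries cover the case Viktor raised where the nameserver's glue or authoritative A record, not its name, is what the resolver ends up using.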
