Selective filtering of multi-address answers
Kevin Darcy
kcd at chrysler.com
Mon Jun 11 20:23:05 UTC 2012
Configure sortlists to push those bad A records to the end of the
response. This may on the surface seem like a kludge, but remember, the
whole point of sortlists is to give preference to certain addresses over
others, and IMO, a working/reachable address is "preferred" over one
that isn't working or isn't reachable :-)
- Kevin
On 6/9/2012 11:23 PM, Andris Kalnozols wrote:
> I have the following issue:
>
> * A domain name which our organization does not control is used
> for authentication. It returns 40 A records which point to
> various MS Active Directory servers throughout the company.
>
> * A few of these A records point to non-functioning hosts and
> cause delays for clients which have the bad luck to encounter
> a bad server as the first A record in their DNS response.
>
> The BIND 9.9.1 ARM describes two methods of content filtering:
>
> deny-answer-addresses
> ---------------------
> This is an all-or-nothing feature that returns a SERVFAIL response
> if *any* address in its match list is returned in the answer
> section. No selective filtering seems possible.
>
> response-policy
> ---------------
> I configured a simple RPZ as follows:
>
> options {
> ...
> response-policy { zone "hpl-rpz"; };
> };
> zone "hpl-rpz" {
> type master;
> file "db.hpl-rpz";
> allow-query { localhost; };
> };
>
> The RPZ zone has the following policy records:
>
> 32.121.184.205.16.rpz-ip CNAME *. ; NODATA
> 32.24.52.228.16.rpz-ip CNAME *.
> 8.0.0.0.16.rpz-ip CNAME 8.0.0.0.16. ; PASSTHRU
>
> Again, this functions as an all-or-nothing filter with or without
> the passthru record. A NODATA response is returned for the domain
> name instead of an answer with 38 good A records.
>
> I don't want to go down the road of hardcoding my resolvers to be
> authoritative for this domain name. Is RPZ or some other BIND
> feature capable of telling little white lies of omission or just
> big whoppers when it comes to domain names with multiple addresses?
>
> ------
> Andris
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
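A concrete form of the sortlist Kevin describes, added here as an illustration rather than taken from either message. It assumes the two non-functioning hosts are the ones named in Andris's rpz-ip records, i.e. 16.205.184.121 and 16.228.52.24 (an rpz-ip owner name carries the prefix length first and the octets reversed), and that a negated sortlist element ranks the addresses matching it after everything else, which is how BIND's sortlist ordering treats a "!" entry; check that behaviour against the ARM for your version before relying on it.

```conf
// Added example (not from the thread): a sortlist that demotes the two
// non-functioning addresses to the end of every multi-address answer,
// for queries from any client.
// Assumptions: bad hosts are 16.205.184.121 and 16.228.52.24 (the rpz-ip
// owner names from the original post, read back in normal octet order);
// a "!" element ranks its matches after every positive match.
options {
    sortlist {
        {
            any;                    // first element: applies to queries from every source
            {
                !16.205.184.121/32; // negated: ranked after all other addresses
                !16.228.52.24/32;   // negated: likewise
                any;                // every remaining address ranks ahead of them
            };
        };
    };
};
```

Put it in the options block or in the relevant view, run named-checkconf on the result, and reload with rndc reconfig. The two demoted addresses still appear in the answer, so a client that walks the whole list still reaches them, only last; the relative order of the 38 good addresses is not fixed, since they all match the same element. Clients that shuffle the addresses themselves will not see the benefit, so this only helps where the client takes the first record as received, which is the case Andris describes.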