Blocking private addresses with a optionq

Vernon Schryver vjs at
Thu Mar 14 19:26:26 UTC 2013

> From: "Lawrence K. Chen, P.Eng." <lkchen at>

> ... So, being able to filter out these 'bad' things when responding
> queries against that data might be a good thing.

RPZ might be used for such things.  However, by design RPZ rewrites
entire responses.  It is triggered by individual records in a response,
but changes the entire response and not just individual records within
the response.

To use RPZ for such filtering, you would probably use views with
a response-policy{} statement in the external view to be filtered.

The RPZ rules could be triggered by rpz-ip records for or
similar.  The rules might rewrite responses to a CNAME or to sets of
A and AAAA records suitable for outsiders.  That sounds a lot more
fragile and error prone than distinct zones for insiders and outsiders
specified in the view statements.  However, RPZ might be good as a
failsafe against leaks (perhaps rewriting to NXDOMAIN).

Vernon Schryver    vjs at

More information about the bind-users mailing list