How reliable is RPZ in production? I'm seeing flakiness in testing.

Anne Bennett anne at encs.concordia.ca
Tue Jan 6 22:52:56 UTC 2015


Happy New Year, folks.

I posted last December to dnsfirewalls, but I'm told that RPZ
is no longer particularly new, and I'd be more likely to get
feedback here.  So here goes...

I'm playing with RPZ with a view to both quarantining internal
compromised or vulnerable hosts, and capturing attempts at
communication with known external bad hosts.  I start with a
fairly extensive whitelist, to avoid "lying" about any of my own
hosts, and to give truthful answers for patch sites, so that my
users can patch their systems even when otherwise quarantined.

The masters for my RPZs do not themselves use the zones
for policy (nor do they recurse on queries).  However the
nameservers that do recursive resolution for my network are
slaves for those RPZs, and *do* use them for policy.

My set-up works, but sporadically - it's as though the RPZs wink
in and out of use for no apparent reason, even when I'm not
changing the data.  At one point while testing last December,
my by-client-IP test quarantine rule just stopped matching
(based on no logged hits, and no redirection of my queries
from the quarantined host).  Only a restart of named on the
resolver brought the quarantine back, but then the whitelist
worked only partially.

I don't know what to make of this; it looks as though the
technology is several years old, and my experience with ISC
BIND is usually excellent.  Has anyone else encountered this
type of flakiness?

If not, any advice about how to debug this?


Anne.
-- 
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
anne at encs.concordia.ca                                    +1 514 848-2424 x2285
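The master/slave split and whitelist-before-quarantine ordering the post describes, written out as an added example (not the poster's own configuration). Zone names, addresses, hostnames and the patch-site name are assumptions; the `rpz` logging category is there because the poster judges hits by the log.

```conf
// Added example, not the poster's config. Addresses and names are assumed.

// ---- RPZ master: authoritative for the policy zones, applies no policy ----
options { recursion no; };
zone "whitelist.rpz" {
    type master; file "rpz/whitelist.rpz";
    allow-transfer { 192.0.2.53; };  notify yes;  also-notify { 192.0.2.53; };
};
zone "quarantine.rpz" {
    type master; file "rpz/quarantine.rpz";
    allow-transfer { 192.0.2.53; };  notify yes;  also-notify { 192.0.2.53; };
};

// ---- Recursive resolver (192.0.2.53): slaves the zones and enforces them ----
options {
    recursion yes;
    // Earlier zones take precedence, so the whitelist is listed first:
    // a passthru for our own hosts or a patch site beats the client-IP
    // quarantine rule below, which is what lets quarantined hosts patch.
    response-policy {
        zone "whitelist.rpz" policy passthru;
        zone "quarantine.rpz";
    };
};
// RPZ zones are consulted internally; do not serve their contents to clients.
zone "whitelist.rpz"  { type slave; masters { 192.0.2.10; }; file "slave/whitelist.rpz";  allow-query { localhost; }; };
zone "quarantine.rpz" { type slave; masters { 192.0.2.10; }; file "slave/quarantine.rpz"; allow-query { localhost; }; };

// Dedicated log so policy hits (or their absence) can be lined up against
// zone-transfer and notify messages when the policy seems to drop out.
logging {
    channel rpz_log { file "/var/log/named/rpz.log" versions 5 size 20m; print-time yes; };
    category rpz  { rpz_log; };
    category xfer-in { rpz_log; };
};

; ---- rpz/whitelist.rpz (zone file; names are relative to whitelist.rpz.) ----
$TTL 300
@   IN SOA ns.encs.example. hostmaster.encs.example. ( 2015010601 3600 600 86400 300 )
    IN NS  ns.encs.example.
*.encs.example          CNAME rpz-passthru.   ; never lie about our own hosts
windowsupdate.com       CNAME rpz-passthru.   ; assumed patch site, truthful answers
*.windowsupdate.com     CNAME rpz-passthru.

; ---- rpz/quarantine.rpz ----
$TTL 300
@   IN SOA ns.encs.example. hostmaster.encs.example. ( 2015010601 3600 600 86400 300 )
    IN NS  ns.encs.example.
; client-IP trigger: <prefixlen>.<reversed octets>.rpz-client-ip -> 192.0.2.77/32
32.77.2.0.192.rpz-client-ip  CNAME walled-garden.encs.example.  ; quarantined host
badhost.example              CNAME .                            ; known-bad external host -> NXDOMAIN
```

After a change, comparing the SOA serial on the master with `rndc zonestatus` on the resolver shows whether the slave copy the policy is evaluated against is actually current.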