R: R: R: RPZ and client matching

Job Job at colliniconsulting.it
Fri May 15 15:32:24 UTC 2015

Hi Mukund!

I am very glad to try the features.

Is there a way to assign a policy-zone to a list of client ip without excluding/passing them through?
Simply assigning ip to RPZ policy zone!

Thank you,

Da: Mukund Sivaraman [muks at isc.org]
Inviato: venerdì 15 maggio 2015 17.16
A: Job
Cc: bind-users at lists.isc.org
Oggetto: Re: R: R: RPZ and client matching

Hi Job

On Fri, May 15, 2015 at 04:56:07PM +0200, Job wrote:
> Hello,
> very interesting feature:
> >>We have prepared a branch that adds an "rpz-skipzone." policy action
> >>that, when matched by the trigger, behaves as if the current policy zone
> >>is disabled, and proceeds to the next one. It is still in the early
> ><stages, but it may be released in 9.11.
> But, actually there is a feature called "rpz-passthru".
> It is similar or something different?

rpz-passthru. skips further RPZ processing when that trigger matches.
rpz-skipzone. skips to the next policy zone in order.

So, for example, you could have a zone that looks like this:


; move these specific clients to the next policy zone
32.z.y.x.w.rpz-client-ip IN CNAME rpz-skipzone.
32.d.c.b.a.rpz-client-ip IN CNAME rpz-skipzone.

; pass through all other addresses IN CNAME rpz-passthru.


; Handle clients that were moved here IN ...

Right now the branch has not been reviewed yet. Once it is reviewed,
I'll let you know and you can try it from the master branch of BIND.
(It will not be backported to 9.10 as it's a new feature that's not
essential for DNS.)


More information about the bind-users mailing list