Paul Seward Paul.Seward at bristol.ac.uk
Wed Jan 27 09:44:37 UTC 2016

Hi all,

I'm experimenting with RPZ on a reasonably high volume resolver.  I've got
the following response-policy block defined:

response-policy {
    zone "local-whitelist.rpz" policy PASSTHRU;
    zone "local-blacklist.rpz" policy CNAME rpz-target.bris.ac.uk.;
};

This is working fine.  Domains listed in the local-whitelist.rpz zone
continue to resolve, and domains listed in the local-blacklist.rpz zone are
CNAMEd to rpz-target.bris.ac.uk as expected.

I'd like to be able to log hits to the blacklist (so that we can analyse
the logs to identify clients that might need remedial action) so I enabled
the following logging config:

logging {
  channel rpz_log {
    file "/var/log/named/rpz.log" versions 10 size 20m;
    severity info;
    print-time yes;
    print-category yes;
    print-severity yes;
  };
  category rpz { rpz_log; };
};

However, that's a little over-chatty for my liking as it's logging every
hit to the whitelist, and on a busy resolver with lots of clients resolving
our local domain, the log volume is just too excessive!

As far as I can tell PASSTHRU is logged at the same severity level as other
policy types, but my BIND logging fu is weak as I don't have to change the
logging config very often!

If I want to cut down the log volume to just the events I'm interested in,
is it possible to get BIND to *not* log PASSTHRU hits?

Or is the only option for me to log RPZ hits via syslog and then get
rsyslog to drop the messages I'm not interested in?


Paul Seward,    Senior Systems Administrator,    University of Bristol
Paul.Seward at bristol.ac.uk  +44 (0)117 39 41148    GPG Key ID: E24DA8A2
GPG Fingerprint:    7210 4E4A B5FC 7D9C 39F8  5C3C 6759 3937 E24D A8A2
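As an added example (not part of Paul's message, and not BIND's own code), the following Python filter does on the log side what the question asks for: it parses lines written by the "rpz" logging category, drops PASSTHRU hits, and tallies the remaining rewrites per client address so that the hosts needing remedial action stand out. The log lines embedded below are constructed to follow the shape of BIND's RPZ messages ("client <addr>#<port> (<qname>): rpz <trigger> <policy> rewrite <name> via <rpz-record>"); timestamps, addresses and query names are made up, and the two zone names are the ones from the post. The exact client prefix differs between BIND releases (newer ones insert a "@0x..." pointer after "client"), so the regex accepts either form. Check the regex against a few real lines from your own rpz.log before relying on it.

```python
import re
from collections import Counter

# Constructed sample of what BIND's "rpz" logging category emits.  The field
# layout mirrors real RPZ messages; the addresses, ports, names and timestamps
# are invented for this example.  The last line is a non-RPZ message that a
# filter must ignore.
SAMPLE_LOG = """\
27-Jan-2016 09:40:01.101 rpz: info: client 172.16.1.10#53411 (www.bris.ac.uk): rpz QNAME PASSTHRU rewrite www.bris.ac.uk via www.bris.ac.uk.local-whitelist.rpz
27-Jan-2016 09:40:01.204 rpz: info: client 172.16.1.11#40122 (mail.bris.ac.uk): rpz QNAME PASSTHRU rewrite mail.bris.ac.uk via mail.bris.ac.uk.local-whitelist.rpz
27-Jan-2016 09:40:02.330 rpz: info: client 172.16.2.50#51234 (bad.example.net): rpz QNAME CNAME rewrite bad.example.net via bad.example.net.local-blacklist.rpz
27-Jan-2016 09:40:02.331 rpz: info: client @0x7f3a1c0 172.16.2.50#51235 (worse.example.org): rpz QNAME CNAME rewrite worse.example.org via worse.example.org.local-blacklist.rpz
27-Jan-2016 09:40:03.002 rpz: info: client 172.16.3.7#33001 (bad.example.net): rpz QNAME CNAME rewrite bad.example.net via bad.example.net.local-blacklist.rpz
27-Jan-2016 09:40:03.500 general: info: zone local-blacklist.rpz/IN: loaded serial 2016012701
"""

# Matches the RPZ action part of a log line.  The optional "@0x... " group
# absorbs the client-object pointer that newer BIND versions print after
# "client".  Field names follow BIND's wording: trigger (QNAME, IP, NSDNAME,
# NSIP, CLIENT-IP), policy (PASSTHRU, CNAME, NXDOMAIN, ...), and the
# "via" record that fired inside the response-policy zone.
RPZ_LINE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): rpz (?P<trigger>\S+) (?P<policy>\S+) rewrite "
    r"(?P<name>\S+) via (?P<via>\S+)"
)


def parse_rpz_line(line):
    """Return a dict of the RPZ fields in one log line, or None when the line
    is not an RPZ rewrite message (for example a zone-load notice)."""
    m = RPZ_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # For QNAME triggers the "via" record is "<name>.<zone>", so stripping the
    # rewritten name leaves the policy zone that matched.  Other trigger types
    # use encoded owner names, so fall back to the whole record for those.
    prefix = rec["name"] + "."
    rec["zone"] = rec["via"][len(prefix):] if rec["via"].startswith(prefix) else rec["via"]
    return rec


def blacklist_hits(lines, ignore_policies=("PASSTHRU",)):
    """Yield the parsed record for every RPZ action whose policy is not in
    ignore_policies.  PASSTHRU (the whitelist) is dropped by default, which
    is exactly the noise the question wants out of the log."""
    for line in lines:
        rec = parse_rpz_line(line)
        if rec is not None and rec["policy"].upper() not in ignore_policies:
            yield rec


def clients_needing_attention(lines):
    """Count non-PASSTHRU rewrites per client address."""
    return Counter(rec["client"] for rec in blacklist_hits(lines))


if __name__ == "__main__":
    # Swap SAMPLE_LOG.splitlines() for open("/var/log/named/rpz.log") to run
    # this over a real log.
    for client, n in clients_needing_attention(SAMPLE_LOG.splitlines()).most_common():
        print(f"{client}\t{n} blocked lookups")
```

Running it over the constructed sample reports 172.16.2.50 with two blocked lookups and 172.16.3.7 with one; the two whitelist hits and the zone-load line are discarded. The same regex, minus the tally, is what you would put behind an rsyslog filter if you take the syslog route Paul mentions. Separately, recent BIND releases accept a per-zone `log no` clause inside `response-policy` (so the whitelist zone can be silenced at the source while the blacklist zone keeps logging); check the ARM for the release you run, since this option is not present in every version.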