SERVFAIL takes precedence before RPZ policy action

Daniel Stirnimann daniel.stirnimann at switch.ch
Fri Sep 2 14:22:14 UTC 2016


Hi all

We maintain a block list with RPZ on our BIND resolvers. I noticed that
the RPZ policy action does not apply for domain names which SERVFAIL
(i.e. cannot be resolved by the resolver because of a timeout, lame
delegation etc.).

This happens on both BIND 9.11.0rc1 and 9.9.9-P2.

Our default RPZ policy is to redirect to a landing page. This has the
advantage that we can log additional information. If the RPZ policy does
not take place, we lose this information.

Example domain name which servfails: dead CnC secpressnetwork[.]com [1].

Is this a bug in the RPZ processing or is there a logical explanation
I'm missing?

Daniel

[1]
https://www.proofpoint.com/tw/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market
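An added example (not Daniel's own configuration) of the setup the post describes: one RPZ zone whose default action is a CNAME redirect to a landing page, with the rpz log category enabled so every rewrite is recorded. The zone name rpz.example, the landing host sinkhole.example and the blocked name blocked-domain.example are assumed placeholders.

```conf
// named.conf fragment (added example; placeholder names throughout)
logging {
    channel rpz_log { file "rpz.log" versions 3 size 10m; print-time yes; };
    category rpz { rpz_log; };   // logs each policy hit with the triggering name
};

options {
    recursion yes;
    response-policy {
        // "policy cname" overrides the data of every record in the zone,
        // so each trigger yields the same landing-page redirect.
        zone "rpz.example" policy cname sinkhole.example;
    }
    // Real response-policy option (BIND 9.10+): when "no", QNAME triggers
    // are applied without first waiting for recursion to finish.
    qname-wait-recurse no;
};

zone "rpz.example" {
    type master;
    file "rpz.example.db";
    allow-query { localhost; };   // the policy zone is never served to clients
};
```

```conf
; rpz.example.db (added example; the RDATA is irrelevant under "policy cname")
$TTL 300
@                         IN SOA   localhost. hostmaster.localhost. ( 1 3600 600 86400 300 )
                          IN NS    localhost.
blocked-domain.example    IN CNAME sinkhole.example.
*.blocked-domain.example  IN CNAME sinkhole.example.
```

The qname-wait-recurse clause changes whether a QNAME trigger is evaluated before or after recursion; whether that alters the SERVFAIL behaviour reported above is something to verify with dig against a test resolver rather than assume.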
