Saurabh: Not getting the answer with AAAA record. Error FORMERR resolving ' comes.

Tony Finch dot at
Mon Jun 4 10:16:00 UTC 2018

Cathy Almond <cathya at> wrote:
> My understanding of why RPZ by default queries for names that it's going
> to rewrite anyway, is that the lack of regular queries to the
> authoritative servers alerts the zone owners (who we assume are
> malicious or similar) to the fact that their zone is being blocked and
> queries for it are being rewritten - thus encouraging them to move
> sooner rather than later to a new name/zone.

Thinking about it further, the way this kind of leak can occur is if a
user visits a malicious web site which is only partially blocked; the bad
guys might then be able to work out that blocking has occurred - whether
by Safe Browsing blocks, or AV blocks, or RPZ blocks, etc. usw.

I think I prefer not to send traffic to malicious DNS servers if I can
avoid it, and rely on the threat intelligence bods to keep on top of
things (that's why we pay them the big bucks).

f.anthony.n.finch  <dot at>
the quest for freedom and justice can never end

More information about the bind-users mailing list