Saurabh: Not getting the answer with AAAA record. Error FORMERR resolving 'gim8.pl/AAAA/IN comes.
dot at dotat.at
Mon Jun 4 10:16:00 UTC 2018
Cathy Almond <cathya at isc.org> wrote:
> My understanding of why RPZ by default queries for names that it's going
> to rewrite anyway, is that the lack of regular queries to the
> authoritative servers alerts the zone owners (who we assume are
> malicious or similar) to the fact that their zone is being blocked and
> queries for it are being rewritten - thus encouraging them to move
> sooner rather than later to a new name/zone.
Thinking about it further, the way this kind of leak can occur is if a
user visits a malicious web site which is only partially blocked; the bad
guys might then be able to work out that blocking has occurred - whether
by Safe Browsing blocks, or AV blocks, or RPZ blocks, etc. usw.
I think I prefer not to send traffic to malicious DNS servers if I can
avoid it, and rely on the threat intelligence bods to keep on top of
things (that's why we pay them the big bucks).
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
the quest for freedom and justice can never end
More information about the bind-users