Logging ECS information for RPZ rewrites

Brian Keifer brian at valinor.net
Wed May 16 01:23:45 UTC 2018

I'm working on creating a highly-available group of BIND servers to serve
as caching nameservers with RPZs built from various threat intel feeds to
help prevent unwanted activity on our network.

The architecture I've been working with so far is a pair of front-end proxy
servers running keepalived to share a virtual IP and PowerDNS's dnsdist as
the actual proxy.  The proxies set ECS to the client's IP address and pass
the request to one of four back-end caching BIND 9.12 servers.

That all works beautifully, but when a client has one of their requests
rewritten based on a threat feed, we want to know about it so that we can
investigate/remediate that client.

When the rewrites are logged via the 'rpz' category, they're logged with
the IP address of the proxy, not the client.  I can get the ECS information
in the query log, but there's nothing in the query log (or is there?) that
indicates that a query was rewritten.

Is there any way to get the ECS information in the RPZ log?  Failing that,
suggestions on how to accomplish this would be greatly appreciated.
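One way to get the client attribution the post is asking for, as an added example that is not part of the original message or of BIND/dnsdist: correlate the 'queries' category (which carries the `[ECS ...]` subnet) with the 'rpz' category (which carries only the proxy address) on the proxy address#port plus qname, within a short time window. The log-line layout assumed by the regular expressions is modelled on BIND 9.11/9.12 output and the sample lines are constructed; both are assumptions to check against a real line from your own servers.

```python
"""Attribute BIND RPZ rewrites to the real client behind a dnsdist proxy by
joining rpz-category log lines with query-log lines that carry the ECS subnet.
Added example; the log formats below are assumptions modelled on BIND 9.12."""
import re
from datetime import datetime, timedelta

# Common "client addr#port (qname):" prefix. print-category/print-severity
# ("queries: info: ") and the "@0x..." client pointer are optional because
# they depend on the logging channel configuration.
_PREFIX = (r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
           r"(?:\S+: \w+: )?client (?:@0x[0-9a-fA-F]+ )?"
           r"(?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<qname>[^)]+)\): ")
# queries category: "... query: NAME IN TYPE +E(0)K (server) [ECS a.b.c.d/src/scope]"
QUERY_RE = re.compile(_PREFIX + r"query: \S+ IN (?P<qtype>\S+) .*?"
                      r"\[ECS (?P<ecs>[0-9a-fA-F.:]+)/(?P<plen>\d+)/\d+\]")
# rpz category: "... rpz TRIGGER ACTION rewrite NAME via RULE"
RPZ_RE = re.compile(_PREFIX + r"rpz (?P<trigger>\S+) (?P<action>\S+) rewrite "
                    r"(?P<target>\S+) via (?P<rule>\S+)")

# Constructed sample lines (not real traffic). Proxy 10.0.0.11/10.0.0.12 is
# the dnsdist source address BIND sees; the ECS option carries the client.
SAMPLE_QUERY_LOG = [
    "16-May-2018 01:10:02.101 queries: info: client @0x7f2a4c0d3010 10.0.0.11#42135 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.2) [ECS 192.0.2.0/24/0]",
    "16-May-2018 01:10:02.310 queries: info: client @0x7f2a4c0d3e20 10.0.0.11#42135 (bad.example): query: bad.example IN A +E(0)K (10.0.0.2) [ECS 198.51.100.0/24/0]",
    "16-May-2018 01:10:05.877 queries: info: client @0x7f2a4c0d3010 10.0.0.12#51002 (bad.example): query: bad.example IN A +E(0)K (10.0.0.2) [ECS 203.0.113.0/24/0]",
]
SAMPLE_RPZ_LOG = [
    "16-May-2018 01:10:02.311 rpz: info: client @0x7f2a4c0d3e20 10.0.0.11#42135 (bad.example): rpz QNAME NXDOMAIN rewrite bad.example via bad.example.threat-feed",
    "16-May-2018 01:10:05.878 rpz: info: client @0x7f2a4c0d3010 10.0.0.12#51002 (bad.example): rpz QNAME NXDOMAIN rewrite bad.example via bad.example.threat-feed",
    # no matching query-log line: attribution must come back as None, not guessed
    "16-May-2018 01:10:09.000 rpz: info: client @0x7f2a4c0d3010 10.0.0.11#60000 (evil.test): rpz QNAME CNAME rewrite evil.test via evil.test.threat-feed",
]


def parse_ts(s):
    return datetime.strptime(s, "%d-%b-%Y %H:%M:%S.%f")


def _key(m):
    # proxy address, proxy source port, normalised qname
    return (m["src"], m["port"], m["qname"].lower().rstrip("."))


def index_queries(lines):
    """Map (proxy addr, port, qname) -> list of (timestamp, 'ecs_prefix/len')."""
    idx = {}
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            idx.setdefault(_key(m), []).append(
                (parse_ts(m["ts"]), f"{m['ecs']}/{m['plen']}"))
    return idx


def attribute_rewrites(query_lines, rpz_lines, window=timedelta(seconds=2)):
    """For each rpz rewrite line return a dict with the ECS subnet of the
    closest matching query-log line, or client_ecs=None if nothing matches
    within the window (dnsdist reuses source ports, so keep the window short)."""
    idx = index_queries(query_lines)
    out = []
    for line in rpz_lines:
        m = RPZ_RE.search(line)
        if not m:
            continue
        ts, key = parse_ts(m["ts"]), _key(m)
        best = None
        for qts, ecs in idx.get(key, []):
            skew = abs(ts - qts)
            if skew <= window and (best is None or skew < best[0]):
                best = (skew, ecs)
        out.append({
            "time": m["ts"], "proxy": f"{m['src']}#{m['port']}",
            "qname": key[2], "action": m["action"], "rule": m["rule"],
            "client_ecs": best[1] if best else None,
        })
    return out


if __name__ == "__main__":
    for row in attribute_rewrites(SAMPLE_QUERY_LOG, SAMPLE_RPZ_LOG):
        print(row)
```

Two caveats for using this in anger: the join key is a heuristic, because the proxy reuses backend source ports and BIND reuses the `@0x...` client pointer, so a narrow window matters; and ECS carries a subnet, not a host, so the attribution is only as precise as the source prefix length the proxy is configured to send (a /32 in dnsdist via `setECSSourcePrefixV4(32)` identifies the host, a /24 only the segment).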


