RPZ for reverse lookups ?

Noel Butler noel.butler at ausics.net
Sun Aug 25 01:49:58 UTC 2019


On 25/08/2019 06:56, J Doe wrote:

> Hello, 
> 
> I have a basic question regarding RPZ on Bind 9.11.x. 
> 
> Is it possible to re-write a response on a reverse lookup? For instance, if I considered example.com a "bad domain", can I write a RPZ policy so that a reverse lookup of IPs that map to example.com fails or is blocked?
> 
> I know I can do this with a forward lookup to generate NXDOMAIN: 
> 
> ; Forward resolution of: example.com and subdomains generates: NXDOMAIN
> 
> example.com        IN CNAME .
> *.example.com      IN CNAME .
> 
> ...but can this also be done on reverse lookups ? 
> 
> Thanks,

This can have disastrous effects if this is for a public network given
shared hosting.

An Australian govt dept (ASIC) ordered a s313 block on an IP a couple of
years back; turns out that IP supplied about 2K hosts, 99.9% of which
were very legitimate, including many Aussie businesses.

And I still don't know what's worse, the clueless idiots in ASIC (who
thankfully have now, due to that incident, lost most of that power), or the
clueless idiots in the ISP's networking who blindly accepted and enacted
the block.

To put it in RFC terms for non-Aussies, s313 is a SHOULD, and _not_ a
MUST.
If there's genuine reason, i.e. mass collateral damage, you can lawfully
refuse to carry out such requests.

-- 
Kind Regards, 

Noel Butler 

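An added example, not part of this thread, showing in Python how the RPZ records behind the question above would be built: a reverse lookup is just a query whose QNAME is the in-addr.arpa / ip6.arpa name, so a QNAME trigger on that name is what blocks it, while an rpz-ip trigger only inspects A answers; a small check over a constructed shared-hosting table illustrates the collateral damage Noel describes. All addresses, names and the HOSTED table are constructed sample values.

```python
import ipaddress
from typing import Dict, List

# Added example, not from the bind-users thread. All addresses, names and
# the HOSTED table below are constructed sample data (documentation ranges).

def forward_rules(domain: str) -> List[str]:
    """The QNAME rules from the question: domain and subdomains -> NXDOMAIN."""
    return [f"{domain} IN CNAME .", f"*.{domain} IN CNAME ."]

def reverse_qname_rule(ip: str) -> str:
    """A reverse lookup is an ordinary query whose QNAME is the in-addr.arpa
    (or ip6.arpa) name, so a QNAME trigger on that name blocks the PTR lookup."""
    addr = ipaddress.ip_address(ip)
    return f"{addr.reverse_pointer} IN CNAME ."

def rpz_ip_rule(ip: str) -> str:
    """rpz-ip trigger (IPv4 only here): fires when an A answer contains `ip`.
    Encoding is prefix.B4.B3.B2.B1.rpz-ip. It inspects answer records, so it
    does not fire on PTR queries, whose answers are names; use
    reverse_qname_rule() for those."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return f"32.{'.'.join(reversed(octets))}.rpz-ip IN CNAME ."

def collateral_names(ip: str, bad_domain: str,
                     hosted: Dict[str, List[str]]) -> List[str]:
    """Names on the same address that a reverse block would also break."""
    bad = bad_domain.rstrip(".").lower()
    return [n for n in hosted.get(ip, [])
            if not (n.lower() == bad or n.lower().endswith("." + bad))]

# Constructed shared-hosting table: one IP, several unrelated customers.
HOSTED = {
    "192.0.2.10": ["example.com", "www.example.com",
                   "shop.example.net", "blog.example.org"],
}

if __name__ == "__main__":
    for rule in forward_rules("example.com"):
        print(rule)
    print(reverse_qname_rule("192.0.2.10"))
    print(reverse_qname_rule("2001:db8::1"))
    print(rpz_ip_rule("192.0.2.10"))
    hit = collateral_names("192.0.2.10", "example.com", HOSTED)
    print(f"reverse block on 192.0.2.10 also breaks PTR for: {hit}")
```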