RPZ and DNS traffic on the server
Daniel Stirnimann
daniel.stirnimann at switch.ch
Tue Feb 12 14:01:13 UTC 2019
Hello Alex,
> Is this expected behaviour? Is there any way to make the server avoid
> proceeding with the resolution, when the initial client request is
> blocked?
Yes, this is expected behavior. You need "qname-wait-recurse no" to
change the behavior:
response-policy {
    zone "rpz-whitelist-lan";
    zone "rpz-blackhole";
} qname-wait-recurse no;
Be aware of the following limitation:
> The option does not affect QNAME or client-IP triggers in policy
> zones listed after other zones containing IP, NSIP and NSDNAME
> triggers, because those may depend on the A, AAAA, and NS records
> that would be found during recursive resolution.
Source:
https://ftp.isc.org/isc/bind9/9.10.3/doc/arm/Bv9ARM.ch06.html#Configuration_File_Grammar
Daniel
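A fuller named.conf fragment illustrating the point above, added here as an example and not taken from Daniel's message; the zone file paths and the localhost-only access lists are assumptions, and the zone names are the ones from the thread:

```conf
// Local RPZ zones, served as private master zones on the resolver itself.
zone "rpz-whitelist-lan" {
    type master;
    file "/etc/bind/rpz-whitelist-lan.db";   // assumed path
    allow-query { localhost; };
    allow-transfer { none; };
};

zone "rpz-blackhole" {
    type master;
    file "/etc/bind/rpz-blackhole.db";       // assumed path
    allow-query { localhost; };
    allow-transfer { none; };
};

// Policy zones are evaluated in the order listed and the first zone that
// matches decides the policy. "qname-wait-recurse no" lets QNAME and
// client-IP triggers be applied before recursion starts, but only for zones
// that are not listed after a zone carrying IP, NSIP or NSDNAME triggers,
// so keep the QNAME-only zones at the front of the list.
response-policy {
    zone "rpz-whitelist-lan";   // QNAME triggers only (rpz-passthru)
    zone "rpz-blackhole";       // QNAME triggers only (CNAME . = NXDOMAIN)
} qname-wait-recurse no;
```

With this layout, a client query for a name in rpz-blackhole is answered from the policy without the resolver fetching anything upstream; the whitelist zone holds `CNAME rpz-passthru.` records for LAN names and the blackhole zone holds `CNAME .` records for the names to block.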