RPZ and DNS traffic on the server

Daniel Stirnimann daniel.stirnimann at switch.ch
Tue Feb 12 14:01:13 UTC 2019


Hello Alex,

> Is this expected behaviour? Is there any way to make the server avoid
> proceeding with the resolution, when the initial client request is
> blocked?

Yes, this is expected behavior. You need "qname-wait-recurse no" to
change the behavior:

response-policy {
  zone "rpz-whitelist-lan";
  zone "rpz-blackhole";
} qname-wait-recurse no;

Be aware of the following limitation:

> The option does not affect QNAME or client-IP triggers in policy 
> zones listed after other zones containing IP, NSIP and NSDNAME 
> triggers, because those may depend on the A, AAAA, and NS records 
> that would be found during recursive resolution.
Source:
https://ftp.isc.org/isc/bind9/9.10.3/doc/arm/Bv9ARM.ch06.html#Configuration_File_Grammar

Daniel
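The ordering caveat quoted above is easy to get wrong once more than two policy zones are in play. The following script is an added example, not part of the post or of BIND: it classifies the trigger types in each RPZ zone file by owner-name suffix (rpz-ip, rpz-nsip, rpz-nsdname, rpz-client-ip; anything else is a QNAME trigger) and warns when a zone with QNAME or client-IP triggers is listed after a zone that contains IP, NSIP or NSDNAME triggers, since "qname-wait-recurse no" does not apply to those. The two zone files are constructed sample data; the zone names follow the response-policy statement in the reply, and the function names are the example's own.

```python
"""Check a BIND response-policy zone order against the qname-wait-recurse caveat.

Added example, not from the original post. QNAME and client-IP triggers in a
policy zone listed AFTER a zone holding IP, NSIP or NSDNAME triggers still wait
for recursion even with "qname-wait-recurse no".
"""
from typing import List, Set, Tuple

# Constructed sample zones (hypothetical data, not the poster's zones).
RPZ_WHITELIST_LAN = """\
$TTL 300
@  IN SOA localhost. root.localhost. 1 3600 900 604800 300
@  IN NS  localhost.
intranet.example.com        CNAME rpz-passthru.
*.intranet.example.com      CNAME rpz-passthru.
32.10.0.0.10.rpz-client-ip  CNAME rpz-passthru.   ; client 10.0.0.10/32
"""

RPZ_BLACKHOLE = """\
$TTL 300
@  IN SOA localhost. root.localhost. 1 3600 900 604800 300
@  IN NS  localhost.
bad.example.net              CNAME .
*.bad.example.net            CNAME .
24.0.113.0.203.rpz-ip        CNAME .              ; answer in 203.0.113.0/24
ns.evil.example.rpz-nsdname  CNAME .
"""

TRIGGER_SUFFIXES = {
    ".rpz-client-ip": "CLIENT-IP",
    ".rpz-ip": "IP",
    ".rpz-nsip": "NSIP",
    ".rpz-nsdname": "NSDNAME",
}
# Triggers that may need A/AAAA/NS data found only by recursing.
RECURSION_DEPENDENT = {"IP", "NSIP", "NSDNAME"}
# Triggers that "qname-wait-recurse no" is meant to answer before recursing.
PRE_RECURSION = {"QNAME", "CLIENT-IP"}


def trigger_types(zone_text: str) -> Set[str]:
    """Return the set of trigger kinds present in an RPZ zone (master-file text)."""
    found: Set[str] = set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith("$") or line.startswith("@"):
            continue                                 # directives, apex SOA/NS
        owner = line.split()[0].lower().rstrip(".")
        for suffix, kind in TRIGGER_SUFFIXES.items():
            if owner.endswith(suffix):
                found.add(kind)
                break
        else:
            found.add("QNAME")
    return found


def check_policy_order(zones: List[Tuple[str, str]]) -> List[str]:
    """zones: (zone name, zone text) in response-policy order. Returns warnings."""
    warnings: List[str] = []
    recursion_dependent_before: List[str] = []
    for name, text in zones:
        kinds = trigger_types(text)
        early = sorted(kinds & PRE_RECURSION)
        if recursion_dependent_before and early:
            warnings.append(
                f'zone "{name}": {early} triggers are listed after '
                f'{recursion_dependent_before}; qname-wait-recurse no will '
                f'not stop recursion for them')
        if kinds & RECURSION_DEPENDENT:
            recursion_dependent_before.append(name)
    return warnings


def render_response_policy(zone_names: List[str]) -> str:
    """Emit a named.conf response-policy statement with qname-wait-recurse no."""
    body = "".join(f'  zone "{n}";\n' for n in zone_names)
    return "response-policy {\n" + body + "} qname-wait-recurse no;\n"


if __name__ == "__main__":
    order = [("rpz-whitelist-lan", RPZ_WHITELIST_LAN),
             ("rpz-blackhole", RPZ_BLACKHOLE)]
    print(render_response_policy([n for n, _ in order]))
    for w in check_policy_order(order) or ["order is fine"]:
        print(w)
```

With the whitelist zone (QNAME and client-IP triggers only) listed first and the blackhole zone (which also carries rpz-ip and rpz-nsdname triggers) second, no warning is raised; swapping the two zones produces a warning for rpz-whitelist-lan, which is exactly the case the documentation excerpt describes.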



More information about the bind-users mailing list