Authority and forwarding, but not recursion/iteration
dot at dotat.at
Tue Mar 9 21:21:49 UTC 2021
Marki <bind-users at lists.roth.lu> wrote:
> Concerning static-stub: Using a (bogus) forwarder together with "forward
> first" (default) seems to work (Note: using "forward only" gives SERVFAIL).
> All outside requests get a SERVFAIL even with "forward first" but that's an
> esthetic problem.

Yes, SERVFAIL is ugly - I should have mentioned that.

> I'm not sure about the flexibility of RPZ; it doesn't seem that I can
> have rules like "client 22.214.171.124 is allowed to look up example.com but
> client 126.96.36.199 is not".

You can have multiple response-policy zones, which are matched in the
order they are listed in the configuration. You could perhaps have a zone
listed early that uses RPZ-CLIENT-IP triggers and a PASSTHRU policy for
non-sandboxed clients, then have a zone containing QNAME triggers (with
liberal use of wildcards) and PASSTHRU policy (again) for just the
permitted internal names, and finally a catch-all zone (wildcard to match
any qname) with an NXDOMAIN policy to deny external names for sandboxed
clients. (You can equally well combine the first two into a single zone,
depending on whether you want more single-purpose RPZs or fewer
f.anthony.n.finch <dot at dotat.at> https://dotat.at/
Forties, Cromarty, Forth: South or southeast 5 to 7, increasing gale 8 or
severe gale 9 for a time. Slight or moderate, becoming rough later,
occasionally very rough except in Forth. Rain. Good, becoming moderate or
poor for a time.
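
The three-zone layering described in the reply above, modeled as an added example (not part of the original post and not BIND's own code). It is a simplified first-match-wins evaluator over constructed RPZ records; the zone names, the RFC 5737 networks and the `internal.example` names are assumptions, and only IPv4 client-IP triggers are handled.

```python
import ipaddress

# Constructed policy zones, in the order they would be listed in response-policy.
# Each record is (owner name relative to the policy zone, CNAME target).
# Zone names, networks and domain names are illustrative assumptions.
POLICY_ZONES = [
    # 1. Non-sandboxed clients: RPZ-CLIENT-IP trigger, PASSTHRU policy.
    ("rpz-trusted-clients", [("24.0.2.0.192.rpz-client-ip", "rpz-passthru.")]),
    # 2. Permitted internal names: QNAME triggers (with wildcard), PASSTHRU.
    ("rpz-internal-names", [("internal.example", "rpz-passthru."),
                            ("*.internal.example", "rpz-passthru.")]),
    # 3. Catch-all: wildcard QNAME trigger, NXDOMAIN policy.
    ("rpz-deny-all", [("*", ".")]),
]

# RPZ encodes the policy action in the CNAME target.
ACTIONS = {"rpz-passthru.": "PASSTHRU", ".": "NXDOMAIN"}

def client_ip_net(owner):
    """Decode 'prefixlen.B4.B3.B2.B1.rpz-client-ip' into an IPv4 network."""
    labels = owner[: -len(".rpz-client-ip")].split(".")
    prefix, octets = labels[0], labels[1:][::-1]  # octets are stored reversed
    return ipaddress.ip_network(".".join(octets) + "/" + prefix)

def trigger_matches(owner, client, qname):
    if owner.endswith(".rpz-client-ip"):
        return ipaddress.ip_address(client) in client_ip_net(owner)
    if owner == "*":
        return True                          # catch-all wildcard
    if owner.startswith("*."):
        return qname.endswith(owner[1:])     # subdomains only, not the apex
    return qname == owner

def decide(client, qname):
    """Return (zone, action) from the first listed zone with a matching rule."""
    qname = qname.rstrip(".").lower()
    for zone, records in POLICY_ZONES:
        for owner, target in records:
            if trigger_matches(owner, client, qname):
                return zone, ACTIONS[target]
    return None, "NO-MATCH"                  # no policy applies
```

Swapping the order of the first and last zones in `POLICY_ZONES` makes every client receive NXDOMAIN, which is why the catch-all zone has to be listed last.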