Authority and forwarding, but not recursion/iteration
m3047 at m3047.net
Wed Mar 17 01:41:45 UTC 2021
Hammers and nails...
On Tue, 16 Mar 2021, Marki wrote:
> On 3/13/2021 12:11 AM, Tony Finch wrote:
>> Marki <bind-users at lists.roth.lu> wrote:
>>> But if you need granular filtering, that could become a lot of views...
>> Yes, I think RPZ is really designed to be a ban hammer [...]
> Standard DNS server software (not only Bind)
Is RPZ "standard" now? I know that the US Govt is now calling it "PDNS"...
> does not provide for easy
> whitelist filtering, only blacklists seem to be "en vogue".
Not true at all. There are large cesspools of compute which I block by
default and selectively whitelist into with RPZ.
This requires (and it should be SOP) two local RPZs, a whitelist followed
by a blacklist. If it's in the whitelist it's shiny otherwise it gets
filtered by the RPZ dedicated to replicating the coldest regions of
The cesspools in particular are handled via CNAME chains. That seems to be
SOP, too. So images.example.com is a CNAME to random.cesspool-example.com.
In the second list there is a catchall for *.cesspool-example.com which
rewrites it all NXDOMAIN. Because I like example.com, I put a rule in the
first list to leave *.example.com alone. (This does a really good job with
third party cookies before they even get to the browser.)
In fact, this should be SOP: whenever you use cesspool compute or servers,
CNAME it from your actual domain m'kay?
Granted there are some people who cleverly use random.cesspool-example.com
in their dynamically generated pages. So clever. Ooops, not so much. In
fact, this blocks stuff I never even thought of blocking but am glad I
There can also be issues with TTLs, where you had something in a compute
cesspool blocked and then you created an exception for it, and it won't
resolve until the TTL expires. I solve that locally by disabling local
cache: all stub resolver queries (getaddrinfo() I'm looking at you!) get
sent to the local recursive/caching resolver by disabling nscd or
rewriting TTLs if necessary.
For extra credit you can hunt nameservers, although that's perhaps better
handled in the mail filtering pipeline, which is where it really seems to
More information about the bind-users