Finer control over REFUSED, e.g. root referrals
Michael Richardson
mcr at sandelman.ca
Mon Sep 8 14:42:44 UTC 2025
Fred Morris <m3047 at m3047.net> wrote:
> It needs to recurse to gather the data which it is intended to deliver.
> It also runs RPZ configured as a WAF ("web application firewall". I
> know, this is DNS. deal with the cognitive dissonance, starting with the
> fact that RPZ is referred to as a "DNS firewall" pretty much everywhere)
> so that only specific, pre-determined queries are allowed. I don't run
> RRL, I have other measures.
Does this work:
* turn off recursion on the "front" facing server.
* use forwarders to forward to an internally facing server that does
have recursion on. This can be an alias on lo. It could even be a view.
I'm not sure if it will really work.... reads Bind9-doc..
"Forwarding can also be configured on a per-domain basis, allowing for the
global forwarding options to be overridden in a variety of
ways. Particular domains can be set to use different forwarders, or have a
different forward only/first behavior, or not forward at all; see zone."
I'm unclear if forwarding is allowed when not recursing.
Given that this DNS server is not serving a zone which needs to be publicly
reachable, the concern about an attacker pointing a zone at your server, and
then setting off timeouts elsewhere seems less of a problem.
As I understand it, your WAF is the only client for this redis data?
Why can't you ACL things out? Even if you have to acceptlist all of EC2 or
something, that would still be a win right?
The second question is why your front-end DNS isn't a secondary for all of
these zones? Is rkvdns incapable of that?
> The more I think about it, RPZ is the best option; I don't know why it's
> incapable of returning REFUSED. Seems like an oversight to me. But if I
> have to hack the server, I might as well make it so that it returns AA
> in bailiwick, as well as REFUSED out of bailiwick. I don't need to do
> that yet. The server is not in The DNS, so it is technically correct
> declaring itself as root. I'm trying to be proactive here because other
> people are starting to run this, and you know how things happen.
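The two-instance layout sketched in Michael's reply (public instance with recursion off forwarding to a second named bound to an alias on lo), written out as an added example that is not from the thread; the addresses, directories and pid-file paths are constructed.

```conf
// ---- named.conf for the "front" instance (public listener) ----
// Constructed addresses: 192.0.2.53 is the public interface, 127.0.0.2 an alias on lo.
options {
    directory "/var/cache/bind";
    pid-file "/run/named/named-front.pid";    // distinct pid-file so two instances coexist
    listen-on { 192.0.2.53; };
    recursion no;                             // never recurse on behalf of the public
    // Hand anything not answered locally to the internal resolver.
    forward only;
    forwarders { 127.0.0.2; };
    allow-query { any; };
};

// ---- named.conf for the internal instance (reachable only on lo) ----
options {
    directory "/var/cache/bind-internal";
    pid-file "/run/named/named-internal.pid";
    listen-on { 127.0.0.2; };
    recursion yes;
    allow-recursion { 127.0.0.0/8; };         // only the front instance may recurse through it
    allow-query { 127.0.0.0/8; };
};
```

Whether the front instance still forwards with recursion off is exactly the question the message leaves open, so query the public listener with dig for a name it does not serve itself and confirm the response before relying on this layout.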