<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p class="p1">Ondřej,</p>
<p class="p1">I usually include <span class="s1"><b>qname-wait-recurse
no</b></span> after the <b><span class="s1">response-policy {
... }</span> </b>block, hoping to avoid issues where
SERVFAILs, lame delegations, or firewalled authoritative servers
might interfere with RPZ responses. I’m not entirely sure if I’m
just being a bit <i>superstitious</i> about that — but I wanted
to mention it in the context of the setup you described, which
uses A and AAAA RRs (rather than CNAMEs or RPZ-SUFFIX rules).
Perhaps <span class="s1">qname-wait-recurse</span> has a
different impact in this case.</p>
<p class="p1">I’ve always found it puzzling when a SERVFAIL appears
in the logs just <i>before</i> a “CNAME .” redirection is
applied, which makes me wonder if using A/AAAA redirection to
127.0.0.1 is ultimately more robust.</p>
<p class="p1">Apologies if this adds noise to the thread — feel free
to disregard if not relevant.</p>
<p class="p1">Best regards,</p>
<p class="p1">Carlos Horowicz</p>
<p class="p1">Planisys</p>
<p></p>
<div class="moz-cite-prefix">On 01/07/2025 21:00, Ondřej Surý wrote:<br>
</div>
<blockquote type="cite"
cite="mid:2E87D4DB-D04B-4BD9-982D-22F69DA99E45@isc.org">
<pre wrap="" class="moz-quote-pre">You'll have to experiment a bit (and I mean read the documentation[1]) as I am writing this from top of my head,
1. You need to create RPZ zone like this:
$TTL 604800
$ORIGIN adaway.rpz.
@ IN SOA localhost. root.localhost. (1 604800 86400 2419200 604800 )
@ IN NS localhost.
ad-assets.futurecdn.net A 127.0.0.1
ad-assets.futurecdn.net AAAA ::1
[...]
I've used this command:
( echo "@ IN SOA localhost. root.localhost. (1 604800 86400 2419200 604800 )"; echo "@ IN NS localhost." ; cat named_adaway.conf | cut -f 2 -d ' ' | while read D; do echo "$D IN A 127.0.0.1"; echo "$D IN AAAA ::1"; echo "*.$D IN A 127.0.0.1"; echo "*.$D IN AAAA ::1"; done ) > adaway.rpz.db
2. Add the RPZ zone to your named.conf
zone adaway.rpz {
type primary;
file "/<PATH_TO>/adaway.rpz.db";
allow-query { localhost; };
};
3. Add the response-policy to your options {} in named.conf
options {
[...]
response-policy { zone adaway.rpz; } break-dnssec yes;
[...]
};
And the memory usage on 9.20 is now mere 450MB:
PID User Command Swap USS PSS RSS
514700 ondrej /home/ondrej/Projects/bind9 0 451684 452652 461872
$ dig +short -p 12345 @::1 ad-assets.futurecdn.net.
127.0.0.1
$ dig +short -p 12345 @::1 foo.ad-assets.futurecdn.net.
127.0.0.1
1. <a class="moz-txt-link-freetext" href="https://bind9.readthedocs.io/en/v9.20.10/reference.html#response-policy-zone-rpz-rewriting">https://bind9.readthedocs.io/en/v9.20.10/reference.html#response-policy-zone-rpz-rewriting</a>
--
Ondřej Surý (He/Him)
<a class="moz-txt-link-abbreviated" href="mailto:ondrej@isc.org">ondrej@isc.org</a>
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">On 1. 7. 2025, at 20:40, OwN-3m-All <a class="moz-txt-link-rfc2396E" href="mailto:own3mall@gmail.com"><own3mall@gmail.com></a> wrote:
Also, 127.0.0.1 (localhost) needs to be returned for these hosts, not a NXDOMAIN response. Would that impact it?
--
Visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at <a class="moz-txt-link-freetext" href="https://www.isc.org/contact/">https://www.isc.org/contact/</a> for more information.
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
</pre>
</blockquote>
</blockquote>
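Ondřej's one-liner writes the zone straight from the list. As an added example (not from the thread and not BIND's own tooling), the script below produces the same A/AAAA plus wildcard layout but with the checks a practitioner would want before handing the file to named: it skips blank and comment lines, rejects names that would make named refuse the whole zone, and takes an explicit serial. It assumes the hostname is the second whitespace-separated field of each input line (surrounding quotes tolerated) and, when no serial is given, derives one from today's date.

```shell
#!/bin/sh
# Added example, not from the thread: build an RPZ zone that answers A 127.0.0.1 / AAAA ::1
# for every listed host and its subdomains (same layout as the one-liner above), while
# skipping blank/comment lines and rejecting names that would make named refuse the zone.
# Assumptions: the host is the second whitespace-separated field of each line (quotes
# tolerated, as in 'zone "host" { ... };'); the serial defaults to today's date.

# rpz_zone INPUT_FILE ORIGIN [SERIAL] -> zone on stdout; returns 1 if any line was rejected
rpz_zone() {
    input=$1; origin=$2; serial=${3:-$(date +%Y%m%d01)}; bad=0
    printf '$TTL 604800\n$ORIGIN %s\n' "$origin"
    printf '@ IN SOA localhost. root.localhost. ( %s 604800 86400 2419200 604800 )\n' "$serial"
    printf '@ IN NS localhost.\n'
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac       # blank or comment line
        set -f; set -- $line; set +f                  # split fields without glob expansion
        host=$2; host=${host#\"}; host=${host%\"}; host=${host%.}
        # Accept only dotted labels of [A-Za-z0-9-] with no empty label or edge hyphen;
        # anything else would fail named-checkzone and take the whole policy zone down.
        case $host in
            ''|*[!A-Za-z0-9.-]*|.*|*..*|-*|*-|*.-*|*-.*)
                printf 'rejected: %s\n' "$line" >&2; bad=1; continue ;;
        esac
        printf '%s IN A 127.0.0.1\n%s IN AAAA ::1\n' "$host" "$host"
        printf '*.%s IN A 127.0.0.1\n*.%s IN AAAA ::1\n' "$host" "$host"
    done < "$input"
    return $bad
}
```

Run named-checkzone adaway.rpz adaway.rpz.db on the output before reloading; a policy zone that fails to load never rewrites anything, so a single bad line silently disables the whole blocklist.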
</body>
</html>