> From: "Lawrence K. Chen, P.Eng." <[email protected]>
> ... So, being able to filter out these 'bad' things when responding to
> queries against that data might be a good thing.
RPZ might be used for such things. However, by design RPZ rewrites
entire responses. It is triggered by individual records in a response,
but changes the entire response and not just individual records within
the response.
To use RPZ for such filtering, you would probably use views with
a response-policy{} statement in the external view to be filtered.
The RPZ rules could be triggered by rpz-ip records for 10.0.0.0/8 or
similar. The rules might rewrite responses to a CNAME or to sets of
A and AAAA records suitable for outsiders. That sounds a lot more
fragile and error-prone than distinct zones for insiders and outsiders
specified in the view statements. However, RPZ might be good as a
failsafe against leaks (perhaps rewriting to NXDOMAIN).
Vernon Schryver [email protected]
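As an added illustration of the failsafe setup sketched above (this is not configuration from the original message or from ISC; the view names, zone names and file paths are assumed), the external view below carries a response-policy{} statement pointing at a small RPZ zone whose only trigger is an rpz-ip record for 10.0.0.0/8. In BIND's RPZ naming convention the trigger name is the prefix length followed by the address octets in reverse order, so 10.0.0.0/8 becomes 8.0.0.0.10.rpz-ip, and a CNAME to "." rewrites the whole response to NXDOMAIN.

```conf
// named.conf (fragment, assumed layout)

view "internal" {
    match-clients { 10.0.0.0/8; localhost; };
    // Full zone data, including RFC 1918 addresses, for insiders.
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
    };
};

view "external" {
    match-clients { any; };
    // The outsider copy of the zone should already omit internal addresses;
    // the RPZ below is only the safety net Vernon describes.
    zone "example.com" {
        type master;
        file "external/example.com.zone";
    };

    response-policy { zone "leak-guard"; };

    zone "leak-guard" {
        type master;
        file "rpz/leak-guard.zone";
        allow-query { none; };   // policy data, never served directly
    };
};
```

The RPZ zone file itself (rpz/leak-guard.zone, assumed path) only needs the SOA/NS apex records BIND requires plus the trigger:

```conf
$TTL 1H
@   SOA localhost. root.localhost. ( 1 1h 15m 30d 2h )
    NS  localhost.

; rpz-ip trigger: any response whose answer contains an address in
; 10.0.0.0/8 is rewritten in its entirety to NXDOMAIN (CNAME to ".").
8.0.0.0.10.rpz-ip   CNAME   .

; Alternative policy actions, shown for comparison and commented out:
; 8.0.0.0.10.rpz-ip   CNAME   *.               ; NODATA instead of NXDOMAIN
; 8.0.0.0.10.rpz-ip   CNAME   walled-garden.example.net.   ; redirect
```

Note the caveat from the message: because the trigger fires on one address but the rewrite replaces the entire response, a name with one leaked 10.x record and several public ones disappears completely for outsiders, which is acceptable for a failsafe but is why distinct per-view zones remain the primary mechanism.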
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users