Happy New Year, folks. I posted last December to dnsfirewalls, but I'm told that RPZ is no longer particularly new, and I'd be more likely to get feedback here. So here goes...
I'm playing with RPZ with a view to both quarantining internal compromised or vulnerable hosts, and capturing attempts at communication with known external bad hosts. I start with a fairly extensive whitelist, to avoid "lying" about any of my own hosts, and to give truthful answers for patch sites, so that my users can patch their systems even when otherwise quarantined.

The masters for my RPZs do not themselves use the zones for policy (nor do they recurse on queries). However, the nameservers that do recursive resolution for my network are slaves for those RPZs, and *do* use them for policy.

My set-up works, but sporadically - it's as though the RPZs wink in and out of use for no apparent reason, even when I'm not changing the data. At one point while testing last December, my by-client-IP test quarantine rule just stopped matching (based on no logged hits, and no redirection of my queries from the quarantined host). Only a restart of named on the resolver brought the quarantine back, but then the whitelist worked only partially.

I don't know what to make of this; it looks as though the technology is several years old, and my experience with ISC bind is usually excellent. Has anyone else encountered this type of flakiness? If not, any advice about how to debug this?

Anne.

-- 
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
a...@encs.concordia.ca +1 514 848-2424 x2285
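For readers who want to reproduce the layout the post describes (a whitelist that always wins, a by-client-IP quarantine rule, masters that only serve the zones while the recursive slaves apply them), here is an added example that is not part of the original post or of ISC's own documentation. It writes a named.conf fragment for the resolver side plus two RPZ zone files, and it includes a small helper that builds the rpz-client-ip owner name, since the prefix-length-then-reversed-octets encoding is easy to get wrong by hand. Zone names, the 192.0.2.10 master, the 10.2.3.4 quarantined host, garden.example.net, and all file paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Illustrative names/addresses throughout.

# Owner name of an rpz-client-ip trigger: "<prefixlen>.<IPv4 octets reversed>.rpz-client-ip".
# e.g. 10.2.3.4/32 -> 32.4.3.2.10.rpz-client-ip ; 10.2.3.0/24 -> 24.0.3.2.10.rpz-client-ip
rpz_client_ip_name() {
    ip=$1; prefix=$2
    oldifs=$IFS; IFS=.
    set -- $ip            # split the dotted quad into $1..$4
    IFS=$oldifs
    printf '%s.%s.%s.%s.%s.rpz-client-ip\n' "$prefix" "$4" "$3" "$2" "$1"
}

# Write the resolver-side config fragment and both policy zones into $1.
write_rpz_example() {
    dir=$1
    mkdir -p "$dir"

    # RESOLVER side only. The masters serve these zones (allow-transfer, notify) but do
    # not list them in a response-policy statement, so they never rewrite answers.
    cat >"$dir/named.conf.rpz" <<'EOF'
// Policy zones are consulted in list order and an earlier zone takes precedence
// over a later one, so the whitelist MUST be listed before the quarantine zone:
// a patch site matched by a PASSTHRU rule here is answered truthfully even for
// a client that the quarantine zone would otherwise redirect.
response-policy {
    zone "whitelist.rpz";
    zone "quarantine.rpz";
};

zone "whitelist.rpz"  { type slave; masters { 192.0.2.10; }; file "slave/whitelist.rpz"; };
zone "quarantine.rpz" { type slave; masters { 192.0.2.10; }; file "slave/quarantine.rpz"; };

// The "rpz" logging category records every rewrite and RPZ zone problem; with it on,
// "no logged hits" can be distinguished from "hits happening but not logged".
logging {
    channel rpzlog { file "log/rpz.log" versions 3 size 5m; print-time yes; print-category yes; };
    category rpz { rpzlog; };
};
EOF

    # Whitelist: CNAME rpz-passthru. means "stop here, give the real answer".
    cat >"$dir/whitelist.rpz" <<'EOF'
$TTL 300
@   SOA ns1.example.net. hostmaster.example.net. ( 2013010101 3600 900 604800 300 )
@   NS  ns1.example.net.
; our own names: never lie about them
example.net          CNAME rpz-passthru.
*.example.net        CNAME rpz-passthru.
; patch sites: quarantined hosts must still be able to update
patches.example.org  CNAME rpz-passthru.
*.patches.example.org CNAME rpz-passthru.
EOF

    # Quarantine: one client-IP trigger sends every remaining query from that
    # host to a walled-garden name instead of the real answer.
    cat >"$dir/quarantine.rpz" <<'EOF'
$TTL 300
@   SOA ns1.example.net. hostmaster.example.net. ( 2013010101 3600 900 604800 300 )
@   NS  ns1.example.net.
EOF
    printf '%s CNAME garden.example.net.\n' "$(rpz_client_ip_name 10.2.3.4 32)" >>"$dir/quarantine.rpz"

    # Syntax-check the zones when BIND's tools are installed (skipped otherwise).
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone whitelist.rpz  "$dir/whitelist.rpz"
        named-checkzone quarantine.rpz "$dir/quarantine.rpz"
    fi
    echo "$dir"
}

# Running the script directly writes the files into a fresh temporary directory.
[ -n "${RPZ_EXAMPLE_QUIET:-}" ] || write_rpz_example "$(mktemp -d)"
```

To exercise the quarantine rule from the resolver's point of view, run `dig @<resolver> -b 10.2.3.4 www.example.com` from a host that owns that source address and `dig @<resolver> -b 10.2.3.4 patches.example.org`: the first should come back as the garden CNAME and the second as the real record, and both decisions should appear in the rpz log channel. Bumping the SOA serial on the master and watching the slave's `dig @<resolver> quarantine.rpz SOA` answer change is a quick way to confirm that zone transfers, rather than the policy engine, are the moving part.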