Cathy Almond <cat...@isc.org> wrote:
>
> My understanding of why RPZ by default queries for names that it's going
> to rewrite anyway, is that the lack of regular queries to the
> authoritative servers alerts the zone owners (who we assume are
> malicious or similar) to the fact that their zone is being blocked and
> queries for it are being rewritten - thus encouraging them to move
> sooner rather than later to a new name/zone.

Thinking about it further, the way this kind of leak can occur is if a user visits a malicious web site which is only partially blocked; the bad guys might then be able to work out that blocking has occurred - whether by Safe Browsing blocks, or AV blocks, or RPZ blocks, etc. usw.

I think I prefer not to send traffic to malicious DNS servers if I can avoid it, and rely on the threat intelligence bods to keep on top of things (that's why we pay them the big bucks).

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
the quest for freedom and justice can never end
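The trade-off discussed in this thread maps to BIND's `qname-wait-recurse` setting on the `response-policy` statement; the fragment below is an added example, not configuration posted by anyone in the thread. The zone name `rpz.example` is a placeholder, and the policy zone itself is assumed to be defined elsewhere in named.conf.

```conf
options {
    // Default behaviour (the one described in the quoted text): named
    // completes recursion before evaluating policy, so the authoritative
    // servers for a listed name still receive queries.
    //
    // response-policy { zone "rpz.example"; };

    // Alternative matching the preference in the reply: QNAME triggers
    // are applied without first recursing to the listed zone's servers.
    response-policy {
        zone "rpz.example";     // placeholder policy zone name
    } qname-wait-recurse no;

    // Caveat: this does not help for QNAME triggers in a policy zone
    // listed after zones containing IP, NSIP or NSDNAME triggers, because
    // those triggers may need the A, AAAA and NS records that recursion
    // returns. List QNAME-only policy zones first.
};
```

After a reload, a packet capture on the resolver's upstream interface while querying a listed name shows whether queries still leave for that zone's authoritative servers.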