On 8/9/18, Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
> On 08/08/2018 10:02 PM, Blason R wrote:
>> Due to the architecture, since I have my internal DNS RPZ built, I wanted
>> my other internal DNS servers to send traffic to the RPZ server, and
>> then RPZ would resolve on behalf of the client.
>
> Speaking of RPZ and forwarding…
>
> Does anyone know off hand if BIND, with RPZ configured to filter answers
> that resolve to private IPs, can actually respond with private answers
> from a local authoritative zone?

Yes, it works just fine.

> My long-standing fear is that RPZ would filter replies from local
> authoritative zones.

It does, so you have to flag your local zones as rpz-passthru. E.g.:

    *.home.net               CNAME rpz-passthru.
    localhost                CNAME rpz-passthru.
    8.0.0.0.127.rpz-ip       CNAME . ; 127.0.0.0/8
    8.0.0.0.10.rpz-ip        CNAME . ; 10.0.0.0/8
    12.0.0.16.172.rpz-ip     CNAME . ; 172.16.0.0/12
    16.0.0.168.192.rpz-ip    CNAME . ; 192.168.0.0/16

Regards,
Lee
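As an added illustration (not part of Lee's reply), the script below generalises the records above: it derives the rpz-ip owner name for any IPv4 prefix, emits a complete RPZ zone with the passthru rules listed first, and models the QNAME-before-IP precedence that makes the passthru for local zones win. The zone origin "rpz.local" and the local zone "home.net" are assumed names.

```python
import ipaddress

# Assumed for this example: local names to exempt and the private ranges to block.
LOCAL_PASSTHRU = ["*.home.net", "localhost"]
PRIVATE_NETS = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def rpz_ip_owner(cidr: str) -> str:
    """Owner name of an rpz-ip trigger: <prefixlen>.<B4>.<B3>.<B2>.<B1>.rpz-ip"""
    net = ipaddress.IPv4Network(cidr, strict=True)
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"


def build_rpz_zone(passthru_names, blocked_cidrs, origin="rpz.local"):
    """Return RPZ zone text: passthru for local names, NXDOMAIN for private answers."""
    lines = [f"$ORIGIN {origin}.", "$TTL 300",
             "@ SOA localhost. root.localhost. 1 3600 900 2419200 300",
             "@ NS localhost."]
    # QNAME triggers are evaluated before IP triggers, so these win for local zones.
    for name in passthru_names:
        lines.append(f"{name} CNAME rpz-passthru.")
    # CNAME . means NXDOMAIN for any answer whose address falls in the prefix.
    for cidr in blocked_cidrs:
        lines.append(f"{rpz_ip_owner(cidr)} CNAME . ; {cidr}")
    return "\n".join(lines) + "\n"


def policy_for(qname, answer_ip, passthru_names, blocked_cidrs):
    """Simplified RPZ precedence: QNAME passthru first, then rpz-ip match, else none."""
    q = qname.rstrip(".").lower()
    for name in passthru_names:
        if name.startswith("*."):
            # A wildcard matches subdomains only, not the zone apex itself.
            if q.endswith("." + name[2:].lower()):
                return "PASSTHRU"
        elif q == name.lower():
            return "PASSTHRU"
    ip = ipaddress.IPv4Address(answer_ip)
    for cidr in blocked_cidrs:
        if ip in ipaddress.IPv4Network(cidr):
            return "NXDOMAIN"
    return "NONE"


if __name__ == "__main__":
    print(build_rpz_zone(LOCAL_PASSTHRU, PRIVATE_NETS))
```

Note that a query for the bare apex "home.net" is not covered by "*.home.net" and would still be filtered if it resolves to a private address; add an explicit "home.net CNAME rpz-passthru." record if that matters.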