On 8/9/18, Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
> On 08/08/2018 10:02 PM, Blason R wrote:
>> Due to the architecture since I have my internal DNS RPZ built I wanted
>> my other internal  DNS servers should send traffic to RPZ server and
>> then RPZ would resolve on behalf of client.
>
> Speaking of PRZ and forwarding…
>
> Does anyone know off hand if BIND, with RPZ configured to filter answers
> that resolve to private IPs, can actually respond with private answers
> from a local authoritative zone?

yes, it works just fine

> My long standing fear is that RPZ would filter replies from local
> authoritative zones.

it does, so you have to flag your local zones as rpz-passthru.  eg:
*.home.net              CNAME   rpz-passthru.
localhost               CNAME   rpz-passthru.
8.0.0.0.127.rpz-ip      CNAME   .       ;  127.0.0.0/8
8.0.0.0.10.rpz-ip       CNAME   .       ;   10.0.0.0/8
12.0.0.16.172.rpz-ip    CNAME   .       ;  172.16.0.0/12
16.0.0.168.192.rpz-ip   CNAME   .       ;  192.168.0.0/16

Regards,
Lee
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to