Fwd: DNS Filter
Paul Vixie
paul at redbarn.org
Wed Dec 14 22:35:52 UTC 2016
another way to solve this is with rpz, which is now available for
unbound (farsight fastrpz for unbound: free of charge, not open source,
available to FSI-pDNS sensor operators or to commercial support
customers of opennetlabs.)
with rpz you could set up a policy zone that all of the unbound servers
in your recursive cloud subscribed to. in it you would say that
client-ip 0.0.0.0/0 and 0::/0 were disallowed (either drop all queries,
or always answer nxdomain, or always answer cname, or whatever) and then
add specific client-ip address blocks for your subscribers, with
passthru actions.
it's not exactly what rpz was designed for, but it would work.
and it makes me realize that we need a soft passthru: skip the other
rules in the current ruleset, and continue down the rpz zone list,
rather than continuing with policy-free resolution. after all, it's
possible you'd want your customers to be protected by real
security-related response policy.
https://dnsrpz.info/ has more information about rpz in general, which is
not encumbered at the specification level. i regret any offense given by
the mention of non-open-source technology here.
vixie
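The policy zone described in the message above, written out as an added example (not part of Paul Vixie's post or of any Farsight or OpenNetLabs code). It follows the RPZ client-ip trigger encoding from the RPZ specification: the owner name is the prefix length followed by the address octets (or IPv6 groups) in reverse order under rpz-client-ip, with "zz" standing for the "::" run of zero groups, and the most specific matching prefix wins. The zone name and all subscriber prefixes are constructed placeholders drawn from the RFC 5737 and RFC 3849 documentation ranges:

```zone
; Added example RPZ zone: refuse every client by default, then pass through
; the subscriber prefixes. Zone name and prefixes are constructed placeholders.
$TTL 60
$ORIGIN subscribers.rpz.example.
@       IN SOA  ns.example. hostmaster.example. (
                2016121401 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                60 )       ; negative-cache TTL
@       IN NS   ns.example.

; Default rule for all clients: 0.0.0.0/0 and ::/0.
; The action here drops the query; "CNAME ." would answer NXDOMAIN
; and "CNAME *." would answer NODATA instead.
0.0.0.0.0.rpz-client-ip         CNAME rpz-drop.      ; 0.0.0.0/0
0.zz.rpz-client-ip              CNAME rpz-drop.      ; ::/0

; Subscriber prefixes (constructed). These are longer matches than the
; defaults above, so they take precedence and resolution proceeds normally.
24.0.2.0.192.rpz-client-ip      CNAME rpz-passthru.  ; 192.0.2.0/24
24.0.100.51.198.rpz-client-ip   CNAME rpz-passthru.  ; 198.51.100.0/24
32.zz.db8.2001.rpz-client-ip    CNAME rpz-passthru.  ; 2001:db8::/32
```

One consequence to keep in mind when deploying this: rpz-passthru ends policy evaluation for the query entirely, so a subscriber matched here is not checked against any further zones in the resolver's RPZ list. That is exactly the gap the "soft passthru" suggested in the message would close; until then, the ordering of this zone relative to any security-related policy zones determines which protections subscribers actually receive.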