Servfail queries for named remote authoritative nameservers?
Viktor Dukhovni
ietf-dane at dukhovni.org
Sat Jun 8 07:47:07 UTC 2019
On Fri, Jun 07, 2019 at 11:53:00PM -0700, Darren S. wrote:
> > Is it possible to quickly SERVFAIL queries for data handled by a
> > particular set of remote nameservers?
> >
> > I tried a combination of:
> >
> > local-data: "some-ns.example. IN A 127.0.0.1"
> > do-not-query-address: 127.0.0.0/8
> >
> > but I still see queries going to the underlying remote IPs, the
> > "local-data" setting does not appear to affect the infra-IP resolution
> > for the zones served by the server in question.
>
> Sorry for answering with a question, but would DNS RPZ work in this
> case for what you're describing?
I don't think so. I am trying to avoid two nameservers that serve
thousands of unwanted domains. I don't have a list of said domains,
but I do know the names of the two nameservers to avoid. I don't
know how RPZ would help, unless RPZ can do what local-data seems
unable to do, and inject IPs that trump the glue (or authoritative)
A records for the nameservers of the unwanted domains.
--
Viktor.