Servfail queries for named remote authoritative nameservers?

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Jun 8 07:47:07 UTC 2019


On Fri, Jun 07, 2019 at 11:53:00PM -0700, Darren S. wrote:

> > Is it possible to quickly SERVFAIL queries for data handled by a
> > particular set of remote nameservers?
> >
> > I tried a combination of:
> >
> >         local-data: "some-ns.example. IN A 127.0.0.1"
> >         do-not-query-address: 127.0.0.0/8
> >
> > but I still see queries going to the underlying remote IPs, the
> > "local-data" setting does not appear to affect the infra-IP resolution
> > for the zones served by the server in question.
> 
> Sorry for answering with a question, but would DNS RPZ work in this
> case for what you're describing?

I don't think so.  I am trying to avoid two nameservers that serve
thousands of unwanted domains.  I don't have a list of said domains,
but I do know the names of the two nameservers to avoid.  I don't
know how RPZ would help, unless RPZ can do what local-data seems
unable to do, and inject IPs that trump the glue (or authoritative)
A records for the nameservers of the unwanted domains.

-- 
	Viktor.
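The message above lacks the domain list that Unbound would need for a name-based block. The following is an added example (not code from the original thread and not part of Unbound itself) that builds that list offline from NS records in zone-file / dig presentation format and emits the matching Unbound local-zone lines. Everything in it is an assumption for illustration: the sample records are constructed, the nameserver names are placeholders, and the output uses local-zone type always_refuse, which answers REFUSED rather than SERVFAIL (Unbound has no local-zone type that returns SERVFAIL).

```python
"""Build Unbound local-zone entries for every zone whose delegation points at
a set of unwanted nameservers.

Added example, not from the original post or the Unbound project.
Assumptions (not in the original): NS records are supplied as presentation-
format lines ("owner [TTL] [IN] NS target"), e.g. collected from
`dig +noall +authority` output, and the unwanted nameserver names are known.
"""

# Constructed sample input; all names are placeholders.
SAMPLE_NS_RECORDS = """\
bad-one.example.     86400 IN NS some-ns.example.
bad-one.example.     86400 IN NS other-ns.example.
bad-two.example.     3600  IN NS Other-NS.example.
good.example.        3600  IN NS ns1.good-provider.example.
sub.bad-one.example. 300   IN NS some-ns.example.
; comment lines and non-NS records are ignored
www.good.example.    300   IN A  192.0.2.10
"""

# The two nameservers to avoid (hypothetical names).
UNWANTED_NS = {"some-ns.example.", "other-ns.example."}


def canonical(name: str) -> str:
    """Lower-case and make absolute (trailing dot) so comparisons are exact."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_ns_records(text: str):
    """Yield (owner, target) for every NS record in presentation-format text."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        upper = [f.upper() for f in fields]
        if "NS" not in upper:
            continue
        idx = upper.index("NS")
        # The owner is never the type field; the target must follow the type.
        if idx == 0 or idx + 1 >= len(fields):
            continue
        yield canonical(fields[0]), canonical(fields[idx + 1])


def zones_served_by(records, unwanted) -> set:
    """Return the zones having at least one NS in `unwanted`.

    Zones with an already-blocked parent are dropped: an Unbound local-zone
    covers its whole subtree, so the child entry would be redundant.
    """
    unwanted = {canonical(n) for n in unwanted}
    hit = {owner for owner, target in records if target in unwanted}

    def has_blocked_parent(zone: str) -> bool:
        labels = zone.rstrip(".").split(".")
        return any(".".join(labels[i:]) + "." in hit for i in range(1, len(labels)))

    return {z for z in hit if not has_blocked_parent(z)}


def unbound_local_zones(zones, zone_type: str = "always_refuse") -> str:
    """Render local-zone lines for unbound.conf (sorted for stable diffs)."""
    return "".join(f'local-zone: "{z}" {zone_type}\n' for z in sorted(zones))


def build_config(text: str = SAMPLE_NS_RECORDS, unwanted=UNWANTED_NS) -> str:
    """Full pipeline: records text -> blocked zones -> unbound.conf fragment."""
    return unbound_local_zones(zones_served_by(parse_ns_records(text), unwanted))


if __name__ == "__main__":
    print(build_config(), end="")
```

The generated fragment goes into the server: section of unbound.conf; the delegation data has to be gathered separately (for example from resolver query logs or dig against the parent zone), which is the part the original message says is missing.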



More information about the Unbound-users mailing list