Servfail queries for named remote authoritative nameservers?

Fredrik Pettai pettai at sunet.se
Sat Jun 8 21:48:59 UTC 2019


On 19/06/08 09:47, Viktor Dukhovni via Unbound-users wrote:
> On Fri, Jun 07, 2019 at 11:53:00PM -0700, Darren S. wrote:
>
>>> Is it possible to quickly SERVFAIL queries for data handled by a
>>> particular set of remote nameservers?
>>>
>>> I tried a combination of:
>>>
>>>         local-data: "some-ns.example. IN A 127.0.0.1"
>>>         do-not-query-address: 127.0.0.0/8
>>>
>>> but I still see queries going to the underlying remote IPs, the
>>> "local-data" setting does not appear to affect the infra-IP resolution
>>> for the zones served by the server in question.
>> Sorry for answering with a question, but would DNS RPZ work in this
>> case for what you're describing?
> I don't think so.  I am trying to avoid two nameservers that serve
> thousands of unwanted domains.  I don't have a list of said domains,
> but I do know the names of the two nameservers to avoid.  I don't
> know how RPZ would help, unless RPZ can do what local-data seems
> unable to do, and inject IPs that trump the glue (or authoritative)
> A records for the nameservers of the unwanted domains.

Perhaps not exactly your imagined methodology, but very similar:

https://tools.ietf.org/html/draft-vixie-dnsop-dns-rpz-00#section-4.4

https://tools.ietf.org/html/draft-vixie-dnsop-dns-rpz-00#section-4.5

/P
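An RPZ zone showing how the NSDNAME (section 4.4) and NSIP (section 4.5) triggers from those two sections express "block everything delegated to these two nameservers"; this is an added example for the thread, not text from the draft or from Unbound's documentation, and the nameserver names, addresses and zone name are placeholders.

```zone
; Added example RPZ zone (not from the thread). Policy: any domain whose
; delegation names or addresses match the two unwanted nameservers gets
; an NXDOMAIN answer. Names, addresses and the zone name are placeholders.
$ORIGIN block-ns.rpz.
$TTL 300
@   SOA localhost. root.localhost. 2019060801 3600 900 604800 300
@   NS  localhost.

; Section 4.4, NSDNAME trigger: fires when any NS of the queried name is
; the listed name; the wildcard also catches names beneath it.
; RPZ has no SERVFAIL action: "CNAME ." answers NXDOMAIN immediately,
; "CNAME rpz-drop." would discard the query (client sees a timeout).
ns1.unwanted-ns.example.rpz-nsdname     CNAME .
*.ns1.unwanted-ns.example.rpz-nsdname   CNAME .
ns2.unwanted-ns.example.rpz-nsdname     CNAME .
*.ns2.unwanted-ns.example.rpz-nsdname   CNAME .

; Section 4.5, NSIP trigger: fires on the nameservers' addresses, so the
; policy still holds if the operator renames the servers but keeps the
; IPs. Encoding is prefix length first, then the address reversed
; (192.0.2.53/32 and 2001:db8::53/128 here; "zz" stands for "::").
32.53.2.0.192.rpz-nsip                  CNAME .
128.53.zz.db8.2001.rpz-nsip             CNAME .
```

The resolver must support these two trigger types: in Unbound that is the native `rpz:` stanza (`name:` plus `zonefile:`) in a release that implements NSDNAME/NSIP triggers, which postdates this thread; the NXDOMAIN path is the fast one, since a dropped query only fails after the client times out.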