Maintained by: NLnet Labs

Fwd: DNS Filter

Paul Vixie
Wed Dec 14 23:35:52 CET 2016


another way to solve this is with rpz, which is now available for
unbound (farsight fastrpz for unbound: free of charge, not open source,
available to FSI-pDNS sensor operators or to commercial support
customers of opennetlabs.)

with rpz you could set up a policy zone that all of the unbound servers
in your recursive cloud subscribed to. in it you would say that
client-ip 0.0.0.0/0 and 0::/0 were disallowed (either drop all queries,
or always answer nxdomain, or always answer cname, or whatever) and then
add specific client-ip address blocks for your subscribers, with
passthru actions.

it's not exactly what rpz was designed for, but it would work.

and it makes me realize that we need a soft passthru: skip the other
rules in the current ruleset, and continue down the rpz zone list,
rather than continuing with policy-free resolution. after all, it's
possible you'd want your customers to be protected by real security-related
response policy.

https://dnsrpz.info/ has more information about rpz in general, which is
not encumbered at the specification level. i regret any offense given by
the mention of non-open-source technology here.

vixie
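As an added illustration of the client-ip policy zone described in this message (example code written for this page, not code from the post or from any RPZ implementation), the Python below builds such a zone file and mimics the rule selection that makes the scheme work. The policy zone name, the SOA/NS values and the subscriber prefixes are constructed placeholders; the owner-name encoding follows the RPZ client-ip trigger format (`prefixlen.B4.B3.B2.B1.rpz-client-ip` for IPv4, reversed words with `zz` for the `::` zero run for IPv6).

```python
import ipaddress

# Constructed placeholder: the name of the policy zone every recursive server subscribes to.
POLICY_ZONE = "subscribers.rpz.example"

# RPZ expresses the policy action as the CNAME target of the trigger record.
ACTIONS = {
    "nxdomain": ".",              # always answer NXDOMAIN
    "nodata":   "*.",             # always answer NODATA
    "passthru": "rpz-passthru.",  # exempt this client from the rest of the policy
    "drop":     "rpz-drop.",      # silently discard the query
}


def client_ip_owner(network):
    """Encode an IP prefix as an RPZ client-ip trigger owner name, relative to the zone."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        octets = str(net.network_address).split(".")
        labels = [str(net.prefixlen)] + list(reversed(octets))
    else:
        # IPv6: take the compressed textual form, turn '::' into the label 'zz',
        # and reverse the order of the 16-bit words.
        text = net.network_address.compressed  # e.g. '2001:db8::'
        left, sep, right = text.partition("::")
        words = [w for w in left.split(":") if w]
        words += ["zz"] if sep else []
        words += [w for w in right.split(":") if w]
        labels = [str(net.prefixlen)] + list(reversed(words))
    return ".".join(labels) + ".rpz-client-ip"


def build_policy_zone(subscriber_prefixes, default_action="nxdomain"):
    """Return zone-file lines: deny every client by default, passthru the listed subscribers."""
    lines = [
        f"$ORIGIN {POLICY_ZONE}.",
        "$TTL 60",
        # Constructed SOA/NS values; replace with the real zone apex data.
        "@ IN SOA ns.example. hostmaster.example. 1 3600 300 86400 60",
        "@ IN NS ns.example.",
        # Catch-all client-ip triggers: 0.0.0.0/0 and ::/0 (0::/0 in the post) match everyone.
        f"{client_ip_owner('0.0.0.0/0')} IN CNAME {ACTIONS[default_action]}",
        f"{client_ip_owner('::/0')} IN CNAME {ACTIONS[default_action]}",
    ]
    for prefix in subscriber_prefixes:
        lines.append(f"{client_ip_owner(prefix)} IN CNAME {ACTIONS['passthru']}")
    return lines


def select_action(client_address, subscriber_prefixes, default_action="nxdomain"):
    """Mimic RPZ client-ip rule selection: among matching triggers the longest prefix wins,
    which is why a /24 passthru overrides the /0 catch-all for that subscriber."""
    addr = ipaddress.ip_address(client_address)
    catch_all = ipaddress.ip_network("0.0.0.0/0" if addr.version == 4 else "::/0")
    candidates = [(catch_all, default_action)]
    candidates += [(ipaddress.ip_network(p), "passthru") for p in subscriber_prefixes]
    matching = [(net, act) for net, act in candidates
                if net.version == addr.version and addr in net]
    _, action = max(matching, key=lambda m: m[0].prefixlen)
    return action


if __name__ == "__main__":
    # Constructed subscriber address blocks.
    subscribers = ["192.0.2.0/24", "2001:db8::/32"]
    print("\n".join(build_policy_zone(subscribers)))
    for client in ("192.0.2.77", "198.51.100.1", "2001:db8::1"):
        print(client, "->", select_action(client, subscribers))
```

Two points worth keeping in mind when deploying this. First, the resulting zone is only useful if every resolver in the recursive cloud loads it as an RPZ zone, so the zone transfer path (and its TSIG or equivalent) becomes part of the access-control boundary. Second, as the message itself notes, `rpz-passthru.` ends policy processing for that query, so a subscriber matched here is not evaluated against any later, security-related policy zone; until a "soft passthru" exists, the subscriber allow-list zone and the threat-blocking zones cannot simply be stacked.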