Servfail queries for named remote authoritative nameservers?

Is it possible to quickly SERVFAIL queries for data handled by a
particular set of remote nameservers?

I tried a combination of:

  local-data: "some-ns.example. IN A 127.0.0.1"
  do-not-query-address: 127.0.0.0/8

but I still see queries going to the underlying remote IPs; the
"local-data" setting does not appear to affect the infra-IP resolution
for the zones served by the server in question.

Sorry for answering with a question, but would DNS RPZ work in this
case for what you're describing?

I don't think so. I am trying to avoid two nameservers that serve
thousands of unwanted domains. I don't have a list of said domains,
but I do know the names of the two nameservers to avoid. I don't
know how RPZ would help, unless RPZ can do what local-data seems
unable to do, and inject IPs that trump the glue (or authoritative)
A records for the nameservers of the unwanted domains.

Viktor Dukhovni via Unbound-users <unbound-users@nlnetlabs.nl>:

> Is it possible to quickly SERVFAIL queries for data handled by a
> particular set of remote nameservers?

Just specifying the IP addresses of the bad nameservers in “do-not-query-address:” effectively prevents the iterator from sending queries to these servers.

do-not-query-address: 192.0.2.1 # bad nameserver

I don’t know how to specify bad nameservers directly by hostname. Your configuration won’t work, since the “local-data” clause won’t inject data into the iterator. Running a script which builds the do-not-query-address configuration from a list of hostnames, and reloading periodically, would satisfy your requirement.

Perhaps not exactly your imagined methodology, but very similar:

https://tools.ietf.org/html/draft-vixie-dnsop-dns-rpz-00#section-4.4

https://tools.ietf.org/html/draft-vixie-dnsop-dns-rpz-00#section-4.5

/P

...

> I don't think so. I am trying to avoid two nameservers that serve
> thousands of unwanted domains. I don't have a list of said domains,
> but I do know the names of the two nameservers to avoid. I don't
> know how RPZ would help, unless RPZ can do what local-data seems
> unable to do, and inject IPs that trump the glue (or authoritative)
> A records for the nameservers of the unwanted domains.

if you're trying to poison the addresses of nameservers used by downstream recursives (so, you're a forwarder) this is not RPZ's strength.

if you're trying to avoid using name servers in your own recursive, because you hate everything they host or ever will host, then RPZ can do exactly what you want, using a .rpz-nsip or .rpz-nsdname trigger.

> Perhaps not exactly your imagined methodology, but very similar:
>
> https://tools.ietf.org/html/draft-vixie-dnsop-dns-rpz-00#section-4.4
>
> https://tools.ietf.org/html/draft-vixie-dnsop-dns-rpz-00#section-4.5

yes.
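The two approaches in the thread, a script that regenerates "do-not-query-address:" from the nameserver hostnames (as suggested above) and an RPZ zone with .rpz-nsdname / .rpz-nsip triggers (as the RPZ reply describes), as one added example. This is not code from the thread or from the Unbound project: the nameserver names, their addresses, the include-file path and the zone name rpz.local are constructed for the example, and the trigger encodings follow sections 4.4 and 4.5 of the linked draft.

```python
"""Keep Unbound's iterator away from two known-bad authoritative nameservers.

Added example, not code from the thread or from Unbound. It produces both
artefacts discussed above:
  1. a `do-not-query-address:` fragment built from the nameservers' current
     addresses (works on Unbound 1.9.x; regenerate from cron, then reload);
  2. an RPZ zone with NSDNAME and NSIP triggers, encoded as in
     draft-vixie-dnsop-dns-rpz-00 sections 4.4 and 4.5, for resolvers with RPZ.
Nameserver names, addresses and the zone name `rpz.local` are constructed.
"""
import ipaddress
import socket
import sys
from typing import Callable, Dict, Iterable, List

# Constructed: the two nameservers whose hosted zones should fail.
BAD_NAMESERVERS = ["ns1.bad-ns.example.", "ns2.bad-ns.example."]

# Constructed answers so the example runs offline; a live run uses resolve_live.
FAKE_ANSWERS: Dict[str, List[str]] = {
    "ns1.bad-ns.example.": ["192.0.2.1", "2001:db8::1"],
    "ns2.bad-ns.example.": ["198.51.100.7"],
}


def _sort_key(addr: str):
    ip = ipaddress.ip_address(addr)
    return (ip.version, int(ip))  # v4 before v6, numeric order within a family


def resolve_live(name: str) -> List[str]:
    """A/AAAA lookup through the system resolver. Run it on a host that does
    not already block these names, or the answer is empty and nothing is listed."""
    return sorted({sa[0] for *_, sa in socket.getaddrinfo(name.rstrip("."), None)})


def resolve_addresses(names: Iterable[str],
                      lookup: Callable[[str], List[str]] = resolve_live) -> List[str]:
    """Union of the current addresses of `names`, in a stable order so the
    generated file only changes when the address set changes."""
    found = set()
    for name in names:
        try:
            found.update(lookup(name))
        except OSError as exc:  # report a failed lookup, never drop it silently
            print(f"warning: {name}: {exc}", file=sys.stderr)
    return sorted(found, key=_sort_key)


def do_not_query_lines(addrs: Iterable[str]) -> List[str]:
    """server: clause lines. Refuses an empty set: an empty file would quietly
    re-enable the bad servers after a transient resolution failure."""
    uniq = sorted(set(addrs), key=_sort_key)
    if not uniq:
        raise ValueError("refusing to emit an empty do-not-query-address list")
    return [f"    do-not-query-address: {a}" for a in uniq]


def do_not_query_config(addrs: Iterable[str]) -> str:
    """Complete include file, e.g. /etc/unbound/unbound.conf.d/bad-ns.conf (path is
    an assumption); run `unbound-checkconf`, then `unbound-control reload`."""
    return "server:\n" + "\n".join(do_not_query_lines(addrs)) + "\n"


def nsip_label(addr: str) -> str:
    """RPZ address encoding: prefix length, then the address reversed; IPv4 by
    octet, IPv6 by hex group with `zz` standing for the `::` run (draft sec. 4.5)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "32." + ".".join(reversed(str(ip).split("."))) + ".rpz-nsip"
    text = str(ip)  # compressed form, e.g. 2001:db8::1
    if "::" in text:
        left, right = text.split("::", 1)
        groups = ([g for g in left.split(":") if g] + ["zz"]
                  + [g for g in right.split(":") if g])
    else:
        groups = text.split(":")
    return "128." + ".".join(reversed(groups)) + ".rpz-nsip"


def rpz_zone(rpz_name: str, ns_names: Iterable[str], ns_addrs: Iterable[str],
             action: str = ".") -> str:
    """RPZ zone: one NSDNAME trigger per bad nameserver name (sec. 4.4), one NSIP
    trigger per address (sec. 4.5). The CNAME target selects the action:
    '.' = NXDOMAIN, '*.' = NODATA, 'rpz-drop.' = drop the query so the client
    times out. Both trigger kinds together cover a renamed and a re-addressed server."""
    origin = rpz_name.rstrip(".") + "."
    lines = [f"$ORIGIN {origin}", "$TTL 300",
             "@ IN SOA localhost. root.localhost. ( 1 3600 600 86400 300 )",  # constructed
             "@ IN NS localhost."]
    lines += [f"{n.rstrip('.')}.rpz-nsdname IN CNAME {action}" for n in ns_names]
    lines += [f"{nsip_label(a)} IN CNAME {action}" for a in ns_addrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    live = "--live" in sys.argv  # default is the constructed table, so this runs offline
    addrs = resolve_addresses(BAD_NAMESERVERS,
                              resolve_live if live else lambda n: FAKE_ANSWERS[n])
    print(do_not_query_config(addrs))
    print(rpz_zone("rpz.local", BAD_NAMESERVERS, addrs))
```

With every address of a zone's nameservers listed, the iterator has nowhere left to send the query and returns SERVFAIL, which is what the question asks for; the RPZ route gives NXDOMAIN, NODATA or a dropped query instead. Both address-based mechanisms match on IP, so if the two nameservers share addresses with servers hosting zones you do want (anycast, shared hosting), those zones fail too; only the NSDNAME trigger is name-specific.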

>> I don't think so. I am trying to avoid two nameservers that serve
>> thousands of unwanted domains. I don't have a list of said domains,
>> but I do know the names of the two nameservers to avoid. I don't
>> know how RPZ would help, unless RPZ can do what local-data seems
>> unable to do, and inject IPs that trump the glue (or authoritative)
>> A records for the nameservers of the unwanted domains.

> if you're trying to poison the addresses of nameservers used by
> downstream recursives (so, you're a forwarder) this is not RPZ's strength.

No, that's not the goal.

> if you're trying to avoid using name servers in your own recursive,
> because you hate everything they host or ever will host, then RPZ can do
> exactly what you want, using a .rpz-nsip or .rpz-nsdname trigger.

By nameserver name is what I'm after, but AFAIK my unbound 1.9.1 has
no RPZ support, so I guess I'll just go with "do-not-query-address"
for now.