[Pdns-users] failover on NXDOMAIN

Brian Candler b.candler at pobox.com
Fri Feb 7 12:09:46 UTC 2025


On 07/02/2025 11:51, Pavel Prostin wrote:
> Should I maintain RPZ records on this auxiliary server for internal 
> hosts manually? My understanding is that RPZ only overrides responses 
> and does not forward queries for unknown records.

RPZ overrides responses, but any RR which doesn't have an RPZ match is 
processed in the normal way - whether you've configured the recursor to 
do normal recursion, or to forward to 8.8.8.8, or whatever.

Yes, you'd have to manage the RPZ contents yourself, but you could do it 
with a script (e.g. AXFR of the internal zone and convert it to an RPZ). 
But equally, you could just fetch the two zones and merge them in a 
script, and the proxy can have its own copy of the zone.

IMO what you're doing is security-through-obscurity, so I'm not going to 
contribute further on this topic.
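The "AXFR of the internal zone and convert it to an RPZ" approach Brian mentions, as an added example that is not from the post or from the PowerDNS project: each internal record becomes an RPZ "local data" entry (owner name relative to the policy zone, rdata copied verbatim), so a recursor loading the policy zone answers internal names from that data and processes everything else normally. The zone names (`corp.example.`, `internal.rpz.`) and the dig-style AXFR dump are constructed for the example.

```python
"""Convert an AXFR dump of an internal zone into an RPZ zone file.

Constructed example. Input is the text format `dig AXFR` prints
(name, ttl, class, type, rdata separated by whitespace).
"""
from typing import List, Tuple

Record = Tuple[str, int, str, str]  # (owner, ttl, type, rdata)

RPZ_ZONE = "internal.rpz."  # assumed name of the policy zone

# Record types copied as RPZ local data. SOA/NS of the source zone are
# zone infrastructure, not answers we want the recursor to hand out.
LOCAL_DATA_TYPES = {"A", "AAAA", "CNAME", "MX", "TXT", "SRV", "PTR"}

# In an RPZ, a CNAME to one of these targets is an *action* (NXDOMAIN,
# NODATA, drop, passthru, ...), not an answer. Copying such a CNAME
# verbatim from the internal zone would silently change its meaning.
SPECIAL_CNAME_TARGETS = {".", "*.", "rpz-drop.", "rpz-passthru.", "rpz-tcp-only."}

# Constructed: what an AXFR of corp.example. might look like from dig.
AXFR_DUMP = """\
; <<>> DiG <<>> AXFR corp.example.
corp.example.\t3600\tIN\tSOA\tns1.corp.example. hostmaster.corp.example. 2025020701 3600 900 1209600 300
corp.example.\t3600\tIN\tNS\tns1.corp.example.
corp.example.\t3600\tIN\tMX\t10 mail.corp.example.
ns1.corp.example.\t3600\tIN\tA\t10.0.0.53
intranet.corp.example.\t300\tIN\tA\t10.0.1.10
intranet.corp.example.\t300\tIN\tAAAA\tfd00::10
www.corp.example.\t300\tIN\tCNAME\tintranet.corp.example.
mail.corp.example.\t300\tIN\tA\t10.0.1.25
corp.example.\t3600\tIN\tSOA\tns1.corp.example. hostmaster.corp.example. 2025020701 3600 900 1209600 300
"""


def parse_axfr_dump(text: str) -> List[Record]:
    """Parse dig-style AXFR output into (owner, ttl, type, rdata) tuples."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        if rclass != "IN":
            continue
        records.append((owner, int(ttl), rtype, rdata))
    return records


def to_rpz_owner(name: str, rpz_zone: str = RPZ_ZONE) -> str:
    """RPZ QNAME trigger: the absolute query name appended to the policy zone."""
    return name.rstrip(".") + "." + rpz_zone


def is_rpz_action_target(rdata: str) -> bool:
    """True if a CNAME target would be read by the recursor as a policy action."""
    return rdata in SPECIAL_CNAME_TARGETS or rdata.startswith("*.")


def convert_axfr_to_rpz(records: List[Record], rpz_zone: str = RPZ_ZONE,
                        serial: int = 1) -> List[str]:
    """Emit RPZ zone-file lines: an SOA/NS apex plus one local-data RR per record."""
    lines = [
        f"{rpz_zone} 3600 IN SOA localhost. hostmaster.{rpz_zone} "
        f"{serial} 3600 900 1209600 300",
        f"{rpz_zone} 3600 IN NS localhost.",
    ]
    seen = set()  # AXFR dumps repeat the SOA; avoid duplicate lines generally
    for owner, ttl, rtype, rdata in records:
        if rtype not in LOCAL_DATA_TYPES:
            continue
        if rtype == "CNAME" and is_rpz_action_target(rdata):
            raise ValueError(f"{owner} CNAME {rdata} would become an RPZ action")
        line = f"{to_rpz_owner(owner, rpz_zone)} {ttl} IN {rtype} {rdata}"
        if line not in seen:
            seen.add(line)
            lines.append(line)
    return lines


if __name__ == "__main__":
    for rr in convert_axfr_to_rpz(parse_axfr_dump(AXFR_DUMP), serial=2025020701):
        print(rr)
```

The generated file can be loaded by the PowerDNS Recursor with `rpzFile()` in its Lua configuration, or served from an authoritative server and pulled with `rpzPrimary()`; in the latter case the script should bump the serial on every regeneration so the recursor picks up the change. The CNAME check matters in practice: a plain internal alias is fine as local data, but a target such as `.` or `*.` would be interpreted as NXDOMAIN or NODATA policy rather than an answer.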