I'm running BIND for testing, and here is a part of my RPZ:
example.com IN CNAME . ; local block against example.com
*.example.com IN CNAME . ; local block against example.com
When I query example.com it is blocked successfully:
dig @127.0.0.1 example.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28108
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;example.com. IN A
;; ADDITIONAL SECTION:
rpz.local. 1 IN SOA localhost. need.to.know.only. 201702121 60 60 432000 60
but with no recursion, it goes through:
dig @127.0.0.1 example.com +norecurse
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59121
;; flags: qr ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 17130 IN A 93.184.216.34
I understand that no recursion serves what is in the cache, but why doesn't it apply the RPZ to block the domain?
Also, why does the request even resolve? Shouldn't it block the DNS query at the beginning, since the domain matches the RPZ, and return as fast as possible?
I can see that PowerDNS optimized the thing to avoid resolution of the query if needed:
Doing so would require delaying evaluation of RPZ policies until the whole resolution process has been completed, which would mean that queries might have been sent to a malicious nameserver already, in addition to performance issues.
I'm really curious to know the reason, and whether there is a way to block the query before the resolution.
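A small checker for the behaviour shown in the question, added here as an example (not code from the question or from BIND): it parses dig output and reports whether a response was rewritten by RPZ, using the fact that BIND attaches the policy zone's SOA (here rpz.local., taken from the first response) to every rewritten answer. Running it over responses captured with and without +norecurse is one way to verify that a resolver's RPZ coverage holds for RD=0 queries; the two samples are condensed from the outputs above.

```python
import re
from dataclasses import dataclass

# Constructed samples, condensed from the two dig responses in the question.
BLOCKED = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28108
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;example.com. IN A
;; ADDITIONAL SECTION:
rpz.local. 1 IN SOA localhost. need.to.know.only. 201702121 60 60 432000 60
"""
CACHED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59121
;; flags: qr ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 17130 IN A 93.184.216.34
"""

@dataclass
class DigResponse:
    status: str
    flags: set          # header flags such as qr, rd, ra, ad
    answers: list       # ANSWER section records, split into fields
    additional: list    # ADDITIONAL section records, split into fields

def parse_dig(text):
    """Extract status, header flags and the ANSWER/ADDITIONAL records from dig output."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = set(re.search(r"flags: ([^;]*);", text).group(1).split())
    answers, additional, section = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; ANSWER SECTION"):
            section = answers
        elif line.startswith(";; ADDITIONAL SECTION"):
            section = additional
        elif line.startswith(";;"):
            section = None          # any other section header or comment line
        elif line and not line.startswith(";") and section is not None:
            section.append(line.split())   # name ttl class type rdata...
    return DigResponse(status, flags, answers, additional)

def rpz_verdict(resp, rpz_zone="rpz.local."):
    """Report whether the response carries the RPZ zone's SOA, i.e. was policy-rewritten,
    alongside the RD flag (absent for +norecurse) and any A records actually handed out."""
    rewritten = any(rr[0] == rpz_zone and rr[3] == "SOA" for rr in resp.additional)
    return {"rewritten": rewritten, "recursion_desired": "rd" in resp.flags,
            "status": resp.status, "answer_ips": [rr[4] for rr in resp.answers if rr[3] == "A"]}
```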