Brian Keifer <br...@valinor.net> wrote: > > The architecture I've been working with so far is a pair of front-end proxy > servers running keepalived to share a virtual IP and PowerDNS's dnsdist as > the actual proxy. The proxies set ECS to the client's IP address and pass > the request to one of four back-end caching BIND 9.12 servers.
I've sort of been waiting to see if Ray will reply to this question, since the general opinion seems to be that using ECS in this situation isn't a great idea, so it should be replaced by a different option: https://tools.ietf.org/html/draft-bellis-dnsop-xpf But that doesn't help with your immediate problem. > That all works beautifully, but when a client has one of their requests > rewritten based on a threat feed, we want to know about it so that we can > investigate/remediate that client. There are a couple of non-BIND ways that you might accomplish this: (1) Do the logging on the RPZ redirection target server. (2) Get dnsdist to log responses that have been rewritten by RPZ. Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ public services available on equal terms to all _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
