Well this is valid when users are directly talking to RPZ servers. What if there is one more resolver in between like Active Directory which itself acts as a DNS server? In that case I believe you don't need to do that, right?
On Fri, Aug 10, 2018 at 12:33 AM Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:

> On 08/09/2018 01:01 AM, Lee wrote:
> > yes, it works just fine
>
> Good.
>
> > it does, so you have to flag your local zones as rpz-passthru. eg:
> >
> > *.home.net CNAME rpz-passthru.
> > localhost CNAME rpz-passthru.
> > 8.0.0.0.127.rpz-ip CNAME . ; 127.0.0.0/8
> > 8.0.0.0.10.rpz-ip CNAME . ; 10.0.0.0/8
> > 12.0.0.16.172.rpz-ip CNAME . ; 172.16.0.0/12
> > 16.0.0.168.192.rpz-ip CNAME . ; 192.168.0.0/16
>
> That makes sense. RPZ would filter the private IPs by default, but
> zones with said records can be told to not be blocked by RPZ.
>
> Thank you for the clarification Lee.
>
> --
> Grant. . . .
> unix || die
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
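The rpz-ip owner names quoted above follow a fixed encoding: the prefix length, then the network's octets in reverse order, under the rpz-ip label (127.0.0.0/8 becomes 8.0.0.0.127.rpz-ip). Getting one octet or the prefix length wrong silently produces a record that never matches, so it is worth generating these rather than typing them. The script below is an added example, not code from the thread or from ISC; it builds a small passthru policy zone for local names and RFC 1918 / loopback ranges. In the RPZ action vocabulary it uses CNAME rpz-passthru. as the "do not rewrite" action and treats CNAME . as the NXDOMAIN action. The origin rpz.local and the sample zone list are constructed placeholders.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Hypothetical zone name for the example; use whatever your
# response-policy { zone "..."; } stanza in named.conf references.
ORIGIN = "rpz.local"

# RPZ action targets as defined by the RPZ draft / BIND ARM.
PASSTHRU = "CNAME rpz-passthru."   # leave the answer untouched
NXDOMAIN = "CNAME ."               # rewrite the answer to NXDOMAIN


def rpz_ip_owner(cidr: str) -> str:
    """Encode an IPv4 prefix as an RPZ 'rpz-ip' owner name.

    Format: <prefixlen>.<o4>.<o3>.<o2>.<o1>.rpz-ip
    e.g. 172.16.0.0/12 -> 12.0.0.16.172.rpz-ip
    Host bits are masked off (strict=False) so "10.1.2.3/8" still yields
    the /8 entry rather than raising.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 prefixes are encoded here; IPv6 uses a different rpz-ip form")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"


def passthru_records(local_names: Iterable[str],
                     private_prefixes: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (owner, rdata) pairs that exempt local names and answers
    containing private/loopback addresses from RPZ rewriting."""
    records = [(name, PASSTHRU) for name in local_names]
    # One rpz-ip trigger per prefix; the comment-style note carries the CIDR
    # so the zone stays readable, as in the records quoted on the list.
    records += [(rpz_ip_owner(cidr), f"{PASSTHRU} ; {cidr}") for cidr in private_prefixes]
    return records


def render_zone(records: List[Tuple[str, str]], origin: str = ORIGIN) -> str:
    """Render a loadable policy zone (SOA/NS are constructed placeholders)."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{origin}. 1 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    lines += [f"{owner} IN {rdata}" for owner, rdata in records]
    return "\n".join(lines) + "\n"


# Constructed sample input mirroring the ranges discussed in the thread.
LOCAL_NAMES = ["*.home.net", "localhost"]
PRIVATE_PREFIXES = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

if __name__ == "__main__":
    print(render_zone(passthru_records(LOCAL_NAMES, PRIVATE_PREFIXES)))
```

A quick way to check a generated zone is named-checkzone with the zone name you chose for the policy zone; a rpz-ip record that does not load, or loads under the wrong owner, is the usual cause of "RPZ still blocks my private addresses" reports.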