Hi,

Thank you again for your time.

I wanted to provide some additional context and clarify a few key aspects of my use case:

- I already maintain a large, pre-existing file containing comprehensive domain categorization data.
- This file is updated externally and serves as the sole source of truth for categorization decisions.
- As such, I do not wish to store any additional data within the plugin, memory, or any BIND-internal structures.
- Instead, I want the plugin to dynamically query this data by calling my existing C program or SDK, which reads and evaluates domains in real time.

Desired Behavior

- On each DNS query, the plugin should:
  1. Extract the domain from the query.
  2. Call my categorization logic (via C function or subprocess).
  3. Based on the result:
     - *If High Risk*: Immediately stop further resolution and return a custom response (e.g., a custom IP address).
     - *Otherwise*: Allow the query to continue to upstream resolvers as normal.
- The plugin will be handling a very high volume of DNS queries, so performance is critical.

Best regards,
Monika

On Thu, Mar 20, 2025 at 10:25 PM Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:

> On 3/19/25 10:02 AM, Ondřej Surý wrote:
> > Thinking aloud - perhaps, we can extend the plugin API (and RPZ) in a
> > way to add the classification to the message processing and then the RPZ
> > processing could read the classification and take an action?
>
> This sounds like my understanding of what the Response Policy Service
> (RPS) is supposed to achieve.
>
> "The DNS Response Policy Service (DNSRPS) API, is a mechanism to allow
> named to use an external response policy provider. This allows the same
> type of policy filtering as standard RPZ, but can reduce the workload
> for named, particularly when using large and frequently updated policy
> zones. It also enables named to share response policy providers with
> other DNS implementations such as Unbound. Thanks to Vernon Schryver
> and Farsight Security for the contribution."
>
> Link - BIND 9.12 development is getting closer to completion!
>   - https://www.isc.org/blogs/bind-9-12-almost-ready/
>
> I have long considered RPS for DNS to be like the milter API for email.
>
> --
> Grant. . . .
> unix || die
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
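
The three steps listed under "Desired Behavior" above, as an added example that is not part of the original thread and does not use BIND's plugin API: it works on a raw wire-format query as a standalone filter would. The names `categorize_fn`, `filter_query` and `demo_classifier` and the sample packet are constructed for illustration; the classifier stands in for the external categorization SDK.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum verdict { FORWARD, BLOCK, MALFORMED };
/* Hypothetical stand-in for the external categorization SDK: nonzero = high risk. */
typedef int (*categorize_fn)(const char *domain);

/* Copy the QNAME of a wire-format query into out as a lowercase dotted string.
 * Returns its length, or -1 if the packet cannot be classified safely. */
static int extract_qname(const uint8_t *pkt, size_t len, char *out, size_t outsz)
{
    size_t pos = 12, o = 0;                      /* question follows the 12-byte header */
    if (len < 12 || pkt[4] != 0 || pkt[5] != 1)  /* require QDCOUNT == 1 */
        return -1;
    for (;;) {
        if (pos >= len) return -1;               /* ran off the end before the root label */
        size_t l = pkt[pos++];
        if (l == 0) break;
        /* l > 63 also rejects compression pointers (0xC0..), not expected in a question */
        if (l > 63 || l > len - pos || o + l + 2 > outsz) return -1;
        if (o) out[o++] = '.';
        for (size_t i = 0; i < l; i++) {
            uint8_t c = pkt[pos++];
            if (c == 0 || c == '.') return -1;   /* would make the C string ambiguous */
            out[o++] = (char)tolower(c);         /* DNS names compare case-insensitively */
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Steps 1-3 of the desired behavior: extract, classify, decide. */
enum verdict filter_query(const uint8_t *pkt, size_t len, categorize_fn is_high_risk)
{
    char name[256];
    if (extract_qname(pkt, len, name, sizeof name) < 0)
        return MALFORMED;                        /* caller decides how to answer */
    return is_high_risk(name) ? BLOCK : FORWARD;
}

/* Constructed sample: a type A query for "Bad.Example", and a toy classifier. */
static const uint8_t SAMPLE_QUERY[] = {
    0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0,
    3,'B','a','d', 7,'E','x','a','m','p','l','e', 0, 0,1, 0,1 };
static int demo_classifier(const char *d) { return strcmp(d, "bad.example") == 0; }

int main(void) { return filter_query(SAMPLE_QUERY, sizeof SAMPLE_QUERY, demo_classifier) != BLOCK; }
```

Rejecting labels that contain a NUL or a literal dot matters here because the classifier receives a C string: without that check, a crafted label could make the name the classifier sees differ from the name that would be resolved.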