From 5e868be3cc644b89c89aceb56b3e2b9fcc3ebf2a Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Fri, 26 Aug 2022 09:20:02 +0000 Subject: [PATCH] Update RPZ documentation The RPZ documentation section with response policy rules and actions is incomplete. Add information about the 'RPZ-CLIENT-IP' rule, and 'TCP-Only' and 'DROP' actions. (cherry picked from commit 0fbd07ac2214cb830715391850934fc149541588) --- doc/arm/rpz.inc.rst | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/arm/rpz.inc.rst b/doc/arm/rpz.inc.rst index 56c9fa65ab..18349540a6 100644 --- a/doc/arm/rpz.inc.rst +++ b/doc/arm/rpz.inc.rst @@ -39,10 +39,11 @@ feeds," or both. :iscman:`named` can subscribe to up to 64 Response Policy Zones, each of which encodes a separate policy rule set. Each rule is stored in a DNS resource record set (RRset) within the RPZ, and consists of a **trigger** and an -**action**. There are four types of triggers and four types of actions. +**action**. There are five types of triggers and six types of actions. A response policy rule in a DNS RPZ can be triggered as follows: +- by the IP address of the client - by the query name - by an address which would be present in a truthful response - by the name or address of an authoritative name server responsible for @@ -53,6 +54,9 @@ A response policy action can be one of the following: - to synthesize a "domain does not exist" (NXDOMAIN) response - to synthesize a "name exists but there are no records of the requested type" (NODATA) response +- to drop the response +- to switch to TCP by sending a truncated UDP response that requires the + DNS client to try again with TCP - to replace/override the response's data with specific data (provided within the response policy zone) - to exempt the response from further policy processing
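Review bot: In the first hunk, the new trigger bullet "by the IP address of the client" does not name the rule, even though the commit message introduces it as the 'RPZ-CLIENT-IP' rule; consider "by the IP address of the client (the RPZ-CLIENT-IP trigger)" so readers can map this item of the prose list to the record-name convention a policy zone actually uses. The updated count "five types of triggers" depends on the fourth bullet ("by the name or address of an authoritative name server") being read as two triggers (name and address), which is not obvious from a single bullet; either split that bullet or add a parenthetical so the count and the list agree on their face. Placing the client-IP bullet first in the list is consistent with it being the first trigger evaluated, so keep that ordering.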
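Review bot: In the second hunk, "to drop the response" is ambiguous about whether the client receives anything at all; if the action discards the query so that nothing is sent back, say so explicitly, e.g. "to drop the query so that no response is sent to the client". Neither new bullet carries the action name, although the commit message introduces them as the 'DROP' and 'TCP-Only' actions; appending the name in parentheses, as the other bullets do with NXDOMAIN and NODATA, keeps the list self-consistent. For the TCP-Only bullet, one clause on when an operator would choose it over a plain drop (it costs the client a retry over TCP rather than withholding the answer) would make the six actions read as distinct policy choices rather than only mechanics.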