[dns-operations] use-application-dns.net
Pieter Lexis
pieter.lexis at powerdns.com
Mon Sep 9 16:33:54 UTC 2019
Hi Thomas,
On 9/9/19 12:50 PM, Thomas Mieslinger wrote:
> I recognized that requiring a NXDOMAIN reply is somewhat complicated:
>
> - If I point use-application-dns.net to a Nameserver where the zone is
> not loaded, a REFUSED will be replied
>
> - If I point use-application-dns.net to Nameserver where a zone file
> for use-application-dns.net is loaded, but no A or AAAA existing zone
> file at the apex, a reply with the SOA and state NOERROR will be constructed.
>
> - If I point use-application-dns.net to Nameserver where a zone file
> for use-application-dns.net is loaded but the zone-file is broken, a
> SERVFAIL will be returned.
All valid points from a DNS perspective. Fortunately, as shown in other
responses, this can be worked around.
> Is there any documentation how the mozilla guys did it with which
> recursive/authoritative Software?
For the PowerDNS Recursor, using RPZ is an option. The other solution is
creating a Lua script similar to the following:

local uadns = newDN('use-application-dns.net')

function preresolve(dq)
  if uadns == dq.qname then
    dq.rcode = pdns.NXDOMAIN
    return true
  end
  return false
end

And load it using the lua-dns-script[1] configuration option. This
script does not add a SOA-record though. I have not tested whether or
not the Firefox DNS parser accepts this NXDOMAIN response.
Best,
Pieter
1 - https://doc.powerdns.com/recursor/settings.html#lua-dns-script
--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
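
Added example, not part of the message above and not PowerDNS code: a small Python check for the cases discussed in this thread. It builds the A query for use-application-dns.net and classifies a reply by RCODE, answer count and whether a SOA sits in the authority section, which separates the NXDOMAIN, REFUSED, SERVFAIL and NOERROR-without-data replies. All function names and the sample reply (including its SOA contents) are constructed for illustration.

```python
import socket
import struct

CANARY = "use-application-dns.net"
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_A, TYPE_SOA = 1, 6

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_query(qtype=TYPE_A):
    # Header (RD set, one question) followed by QNAME, QTYPE and QCLASS=IN.
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + encode_name(CANARY) + struct.pack("!2H", qtype, 1)

def skip_name(msg, off):
    # Step over a (possibly compressed) name and return the next offset.
    while msg[off] and (msg[off] & 0xC0) != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def classify(msg):
    # Report RCODE, answer count and whether the authority section carries a SOA.
    _txid, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off, types = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": an,
            "soa_in_authority": TYPE_SOA in types[an:]}

def ask(resolver_ip, qtype=TYPE_A, timeout=3.0):
    # Send the canary query over UDP to a resolver you operate and classify the reply.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qtype), (resolver_ip, 53))
        return classify(s.recvfrom(4096)[0])

def sample_response(rcode, with_soa):
    # Constructed reply for offline use; the SOA contents are made up.
    soa = b""
    if with_soa:
        rdata = encode_name("ns.example") + encode_name("hostmaster.example") + struct.pack("!5I", 1, 3600, 600, 86400, 60)
        soa = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, 1, 60, len(rdata)) + rdata
    header = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, 0, int(with_soa), 0)
    return header + build_query()[12:] + soa
```

classify(sample_response(3, False)) reports NXDOMAIN with no SOA in the authority section, which is the shape of reply the Lua script above produces; ask() runs the same classification against a live resolver, for both TYPE_A and qtype 28 (AAAA).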