[dns-operations] Filtering policy: false positive rate

Paul Vixie paul at redbarn.org
Thu Feb 8 23:58:15 UTC 2024

I think the examples being used in this thread are too narrow. In RPZ a 
firewall rule might trigger on something other than the QNAME. For 
example the trigger could be one of the NSDNAMEs in the resolution path, 
or on the address (A or AAAA) associated with some NSDNAME in the 
resolution path, or on the address (A or AAAA) of an answer. The meaning 
of "false" in the term "false positive" quickly goes out of scope. What 
we have are rules that trigger on nothing, others that trigger on the 
wrong thing, some that trigger on the right thing, and some that trigger 
on too much.

Also I wish everybody would stop saying "blocking". This isn't always 
that. We filter DNS content because it's the gateway to much harm, and 
as we learn about harms, we either monitor, or drop, or redirect, or 
"block" (if the trigger happens to be on the QNAME in which case we can 
replace the real answer with an NXDOMAIN) the DNS paths to those harms. 
NXDOMAIN insertion is usually unwise for non-QNAME triggers.

P Vixie

More information about the dns-operations mailing list