Paul Seward
Hi all,

I'm experimenting with RPZ on a reasonably high volume resolver.  I've got the following response-policy block defined:

response-policy {
    zone "local-whitelist.rpz" policy PASSTHRU;
    zone "local-blacklist.rpz" policy CNAME rpz-target.bris.ac.uk.;
};

This is working fine.  Domains listed in the local-whitelist.rpz zone continue to resolve, and domains listed in the local-blacklist.rpz zone are CNAMEd to rpz-target.bris.ac.uk as expected.

I'd like to be able to log hits to the blacklist (so that we can analyse the logs to identify clients that might need remedial action) so I enabled the following logging config:

logging {
  channel rpz_log {
    file "/var/log/named/rpz.log" versions 10 size 20m;
    severity info;
    print-time yes;
    print-category yes;
    print-severity yes;
  };
  category rpz { rpz_log; };
};

However, that's a little over-chatty for my liking as it's logging every hit to the whitelist, and on a busy resolver with lots of clients resolving our local domain - the log volume is just too excessive!

As far as I can tell PASSTHRU is logged at the same severity level as other policy types, but my bind logging fu is weak as I don't have to change the logging config very often!

If I want to cut down the log volume to just the events I'm interested in, is it possible to get bind to *not* log PASSTHRU hits?

Or is the only option for me to log RPZ hits via syslog and then get rsyslog to drop the messages I'm not interested in?


Paul Seward,    Senior Systems Administrator,    University of Bristol
[hidden email]  +44 (0)117 39 41148    GPG Key ID: E24DA8A2
GPG Fingerprint:    7210 4E4A B5FC 7D9C 39F8  5C3C 6759 3937 E24D A8A2
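An added example that is not part of Paul's message: a small Python analyser over constructed log lines in the shape BIND's rpz category is assumed to write with print-time, print-category and print-severity enabled. It drops PASSTHRU (whitelist) rewrites and counts the remaining rewrites per client, which is the post-filtering the message considers doing in rsyslog. The client addresses, names and exact line layout are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not real log data), assumed to approximate what BIND's
# "rpz" category writes with print-time, print-category and print-severity enabled.
SAMPLE_LOG = """\
12-Mar-2015 10:01:02.123 rpz: info: client 10.1.2.3#51234 (www.bris.ac.uk): rpz QNAME PASSTHRU rewrite www.bris.ac.uk via www.bris.ac.uk.local-whitelist.rpz
12-Mar-2015 10:01:03.456 rpz: info: client 10.1.2.3#51235 (bad.example.net): rpz QNAME CNAME rewrite bad.example.net via bad.example.net.local-blacklist.rpz
12-Mar-2015 10:01:04.789 rpz: info: client 10.9.8.7#40001 (bad.example.net): rpz QNAME CNAME rewrite bad.example.net via bad.example.net.local-blacklist.rpz
12-Mar-2015 10:01:05.000 rpz: info: client 10.9.8.7#40002 (mail.bris.ac.uk): rpz QNAME PASSTHRU rewrite mail.bris.ac.uk via mail.bris.ac.uk.local-whitelist.rpz
12-Mar-2015 10:01:06.000 rpz: info: client 10.9.8.7#40003 (evil.example.org): rpz QNAME CNAME rewrite evil.example.org via evil.example.org.local-blacklist.rpz
"""

# Assumed layout: "client <addr>#<port> (<qname>): rpz <trigger> <policy> rewrite <name> via <name>.<rpz zone>"
RPZ_RE = re.compile(
    r"client (?P<client>[0-9A-Fa-f.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"rpz (?P<trigger>\S+) (?P<policy>\S+) rewrite \S+ via (?P<via>\S+)"
)


def parse_rpz_line(line):
    """Return the fields of one RPZ rewrite log line, or None if the line is not one."""
    m = RPZ_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # The "via" name is <qname>.<zone>; strip the qname to recover which RPZ zone fired.
    prefix = rec["qname"] + "."
    rec["zone"] = rec["via"][len(prefix):] if rec["via"].startswith(prefix) else rec["via"]
    return rec


def blacklist_hits(lines, ignore_policies=("PASSTHRU",)):
    """Count rewrites per client address, skipping whitelist (PASSTHRU) hits and non-RPZ lines."""
    hits = Counter()
    for line in lines:
        rec = parse_rpz_line(line)
        if rec is None or rec["policy"] in ignore_policies:
            continue
        hits[rec["client"]] += 1
    return hits


if __name__ == "__main__":
    # Clients with the most blacklist hits first: the candidates for remedial action.
    for client, n in blacklist_hits(SAMPLE_LOG.splitlines()).most_common():
        print(f"{client}\t{n}")
```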
