Respond with NXDOMAIN instead of block page IP
Matthew Allen
Add option for the DNS response to be NXDOMAIN instead of the block page IP. This would keep the client device from attempting to load anything for the DNS blocked traffic. Helpful for non-user devices, background traffic on client machine, etc. We have several scenarios where it would be preferable to just have the traffic drop, instead of attempt to load from the block page IP.
Ken Carnesi
Hey Matthew - do you mind sharing examples of the scenarios where this would be helpful, and/or how/why you see this to be better/helpful in those scenarios?
Matthew Allen
Ken Carnesi Sure, dropping the traffic at the client with DNS override (NXDOMAIN, or any other DNS response that keeps the client from generating traffic, 0.0.0.0) keeps traffic off the network and skips having to manage any more certificates on the client or manage any block pages.
Guest users aren't going to have the block page cert either and it's preferable to just drop the traffic rather than manage a block page and redirect to something.
Non-user devices that aren't using a browser could try in perpetuity to load something that doesn't exist and just throw traffic on the network for no reason (example would be an IoT device/printer/sensor/etc. that gets infected with malware or otherwise compromised and continuously attempts to load something that may not even be http/s towards the block page IP).
Basically what we're looking for is the ability to respond to unwanted DNS queries using ISC RPZ features.
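As an added example that is not part of this thread or of any vendor's product, the script below shows what the ISC RPZ response actions mentioned above look like in a zone file and what each one means for the client. It embeds a small constructed RPZ zone (all names under example.test are placeholders), parses the QNAME trigger records, and reports whether a query gets NXDOMAIN (`CNAME .`), NODATA (`CNAME *.`), Local Data such as `0.0.0.0` or a block page IP, a silent DROP (`CNAME rpz-drop.`), or PASSTHRU (`CNAME rpz-passthru.`). The longest-match rule in `lookup` is a simplification of BIND's precedence logic, not a copy of it.

```python
# Added example (not code from the original thread or from BIND): a toy
# evaluator for ISC RPZ QNAME triggers over a constructed sample zone.

# Constructed sample RPZ zone; rpz.example.test and the owner names are placeholders.
RPZ_ZONE = """\
$ORIGIN rpz.example.test.
$TTL 60
@ IN SOA ns.rpz.example.test. hostmaster.rpz.example.test. 1 3600 600 86400 60
@ IN NS  ns.rpz.example.test.
; CNAME .             -> NXDOMAIN: "name does not exist", client makes no connection
malware.example.test          CNAME .
*.malware.example.test        CNAME .
; CNAME *.            -> NODATA: NOERROR with an empty answer, client makes no connection
tracker.example.test          CNAME *.
; A/AAAA rdata        -> Local Data: client connects to whatever address is returned
adserver.example.test         A     0.0.0.0
adserver.example.test         AAAA  ::
blockpage.example.test        A     192.0.2.10   ; a block page IP, client will connect to it
; CNAME rpz-drop.     -> DROP: no response at all, client times out and retries
noisy-iot.example.test        CNAME rpz-drop.
; CNAME rpz-passthru. -> PASSTHRU: exempt from this zone, resolved normally
allowed.malware.example.test  CNAME rpz-passthru.
"""

# CNAME targets with special meaning in RPZ.
SPECIAL_CNAME = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-drop.": "DROP",
    "rpz-passthru.": "PASSTHRU",
}

# What the client sees for each action (simplified; stacks differ slightly).
CLIENT_EFFECT = {
    "NXDOMAIN": "rcode NXDOMAIN, no answer: client gives up, no traffic leaves the host",
    "NODATA": "rcode NOERROR, empty answer: client gives up, no traffic leaves the host",
    "LOCALDATA": "rcode NOERROR with the given records: client tries to connect "
                 "(0.0.0.0 and :: fail locally on most stacks, a real IP is contacted)",
    "DROP": "no response: client times out and retries, adding noise to the network",
    "PASSTHRU": "resolved normally",
}


def parse_rpz(zone_text):
    """Return {owner: (action, [(rtype, rdata), ...])} for the zone's QNAME triggers."""
    rules = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$") or line.startswith("@"):
            continue                               # directives and apex records are not triggers
        fields = line.split()
        if len(fields) < 3:
            continue
        if fields[1].upper() == "IN":              # optional class field
            del fields[1]
        owner, rtype, rdata = fields[0].lower(), fields[1].upper(), " ".join(fields[2:])
        if rtype == "CNAME" and rdata in SPECIAL_CNAME:
            rules[owner] = (SPECIAL_CNAME[rdata], [])
        else:
            # Any other record set is Local Data handed back to the client as-is.
            if rules.get(owner, (None,))[0] != "LOCALDATA":
                rules[owner] = ("LOCALDATA", [])
            rules[owner][1].append((rtype, rdata))
    return rules


def lookup(rules, qname):
    """Longest-match QNAME trigger: exact owner first, then *.<suffix> wildcards
    from the most specific suffix outward. No rule means normal resolution."""
    qname = qname.lower().rstrip(".")
    if qname in rules:
        return rules[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return rules[wildcard]
    return ("PASSTHRU", [])


def describe(rules, qname):
    """One-line summary of the policy action and its effect on the client."""
    action, data = lookup(rules, qname)
    extra = f" {data}" if data else ""
    return f"{qname}: {action}{extra} -> {CLIENT_EFFECT[action]}"


if __name__ == "__main__":
    rules = parse_rpz(RPZ_ZONE)
    for name in ("malware.example.test", "cdn.malware.example.test",
                 "allowed.malware.example.test", "tracker.example.test",
                 "adserver.example.test", "blockpage.example.test",
                 "noisy-iot.example.test", "www.example.org"):
        print(describe(rules, name))
```

The contrast the thread is asking for is the `blockpage.example.test` row versus the `malware.example.test` and `adserver.example.test` rows: only the Local Data answer with a routable block page IP makes the client open a connection, whereas NXDOMAIN, NODATA or `0.0.0.0` end the transaction at the resolver.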