Hi everyone,

on the topic of answer filtering:

1. If you want to play with blocking answers based on domain names, please give the
attached plugin experimental_filter.lua a try.

This plugin inspects owner names for each RRset in the ANSWER section, and if any of the
names is present in the configured blacklist, the original answer is replaced with a new
empty answer with RCODE=REFUSED.

The plugin file experimental_filter.lua has usage instructions in its header.

2. As others already pointed out [1], we can expect an arms race, where domain owners
either copy A/AAAA records into their zones, or delegate a sub-domain to a tracking
company. In the end the situation is likely to require IP-address blacklisting.

Blocking based on IP addresses in answers can be done using the rebinding module, see the
attached example config file.

Please report your experience back to us, we are curious what interesting consequences
this module and configuration will have in practice.

Enjoy.

Petr Špaček @ CZ.NIC

[1] https://github.com/uBlockOrigin/uBlock-issues/issues/780#issuecomment-55632…

On 25. 11. 19 16:46, Stephane Bortzmeyer wrote:
> On Tue, Nov 12, 2019 at 08:32:01AM +0100,
>  Stephane Bortzmeyer <stephane(a)bortzmeyer.org> wrote
>  a message of 20 lines which said:
>
>> Now that Firefox blocks 3rd-party cookies by default, many sites try to
>> hide the fact that a cookie is 3rd-party by using CNAMEs.
>
> A good explanation of this "CNAME cloaking":
> https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-p…
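
The two checks discussed in the message above, modeled in Python as an added example; this is not the attached experimental_filter.lua, the rebinding module, or any resolver API. It shows why owner-name filtering catches a CNAME-cloaked answer but misses one where the A record was copied into the first-party zone, and how an address check closes that gap. All names, addresses, blocklist entries and the REFUSED result for an address hit are assumptions constructed for the illustration.

```python
import ipaddress

# Constructed blocklists (assumptions for this example, not from the message).
BLOCKED_NAMES = {"collector.tracker.example."}
BLOCKED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

REFUSED = "REFUSED"
NOERROR = "NOERROR"


def norm(name):
    """Canonical form for comparison: lowercase, exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def filter_answer(answer, check_addrs=True):
    """answer: list of (owner, rrtype, rdata) tuples from the ANSWER section.

    Returns (rcode, records, reason). Any hit replaces the whole answer with
    an empty REFUSED one, as the message describes for owner-name matches.
    """
    for owner, rrtype, rdata in answer:
        # Owner-name check: a CNAME target shows up as the owner of the next
        # RRset in the chain, so a cloaked third party is visible here.
        if norm(owner) in BLOCKED_NAMES:
            return REFUSED, [], "owner " + norm(owner)
        # Address check: covers zones that copy A/AAAA records or delegate a
        # sub-domain, where no blocked owner name ever appears.
        if check_addrs and rrtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in BLOCKED_NETS):
                return REFUSED, [], "address " + rdata
    return NOERROR, list(answer), None


# Constructed sample answers.
CLOAKED = [
    ("metrics.shop.example.", "CNAME", "collector.tracker.example."),
    ("Collector.Tracker.Example.", "A", "192.0.2.10"),
]
COPIED = [("metrics.shop.example.", "A", "192.0.2.10")]  # no CNAME left
CLEAN = [("www.shop.example.", "A", "198.51.100.7")]

if __name__ == "__main__":
    for label, ans in (("cloaked", CLOAKED), ("copied", COPIED), ("clean", CLEAN)):
        print(label, filter_answer(ans, check_addrs=False)[0], filter_answer(ans)[0])
```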