Ah, thank you, Bob. That was exactly the pointer that I needed. For
future people searching, the specific situation Bob refers to is
discussed in the last paragraph of this section here:
https://bind9.readthedocs.io/en/v9.20.4/reference.html#namedconf-statement-response-policy,
which begins with "N

Yes, RPZ looks up first, and only replaces it if the lookup returns a
value. There is an option to skip that, but then an attacker can more
easily detect that you are using RPZ to block them.
Search for descriptions online.
--
Bob Harold
DNS and DHCP Hostmaster - UMNet
Information and Technology

I have an intermittent RPZ problem that I am troubleshooting.
I do a lookup for "dnshealthcheck.privatelink.azurewebsites.net" which
has a corresponding RPZ entry that looks like:
dnshealthcheck.privatelink.azurewebsites.net A 10.254.254.254
A little after midnight, we started getting