RPZ seems to be hit and miss
Howard, Christopher Bryan
Christopher-Howard at utc.edu
Fri Jan 10 18:32:27 UTC 2014
For reference:
BIND 9.9.4-P1
CentOS 6.4
64bit arch
We use RPZ to CNAME all of the “bad” domains over to a catch-all type server that can display a message to the user. Until recently it has been working perfectly (or we thought it was :-P ).
The problem:
RPZ appears to have stopped working properly about a month ago and we didn’t notice it until a domain we specifically added kept resolving. After doing some spot checking, a large portion of the domains in the RPZ zone work as expected. However, some of them are still getting recursively resolved. I’m at a complete loss as to why this is happening.
We were running BIND 9.9.3-P2, but I upgraded it to 9.9.4-P1 in an attempt to fix it, with no luck. I’ve flushed the cache on all of our servers, I’ve restarted the service on all of our servers. I’ve not restarted the actual servers, but I don’t think that would get us anywhere.
Here are some examples (note that NXDOMAIN responses are due to IDS blocking the resolution):
$ host ads5.woamobile.com
ads5.woamobile.com is an alias for catchall.utc.edu.
catchall.utc.edu has address 192.168.56.23
$ host WhateverIWantToPutHere.ads5.woamobile.com
WhateverIWantToPutHere.ads5.woamobile.com is an alias for catchall.utc.edu.
catchall.utc.edu has address 192.168.56.23
$ host adsafeprotected.com
Host adsafeprotected.com not found: 3(NXDOMAIN)
$ host WhateverIWantToPutHere.adsafeprotected.com
WhateverIWantToPutHere.adsafeprotected.com is an alias for catchall.utc.edu.
catchall.utc.edu has address 192.168.56.23
$ host conduit-services.com
conduit-services.com is an alias for catchall.utc.edu.
catchall.utc.edu has address 192.168.56.23
$ host asdfasdf.conduit-services.com
asdfasdf.conduit-services.com is an alias for catchall.utc.edu.
catchall.utc.edu has address 192.168.56.23
$ host sp-translation.conduit-services.com
Host sp-translation.conduit-services.com not found: 3(NXDOMAIN)
And here is what’s in the zone file:
ads5.woamobile.com IN CNAME catchall.utc.edu.
*.ads5.woamobile.com IN CNAME catchall.utc.edu.
adsafeprotected.com IN CNAME catchall.utc.edu.
*.adsafeprotected.com IN CNAME catchall.utc.edu.
conduit-services.com IN CNAME catchall.utc.edu.
*.conduit-services.com IN CNAME catchall.utc.edu.
I can provide other information as needed.
Does anyone have any experience with RPZ and have a clue why it seems to be selectively resolving records?
-Christopher
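As an added example (not from the original post or from BIND itself), the small matcher below models the RPZ QNAME-trigger rule selection the zone above relies on: an exact owner-name rule wins over a wildcard, a `*.` wildcard covers subdomains but not the parent name itself, and the closest matching rule is chosen. Rule names and the CNAME target are the ones quoted in the post; the query list is constructed. Running it gives the answer each of the post's test names should have received, which is the baseline to compare the observed NXDOMAINs against.

```python
from typing import Dict, Optional, Tuple

# Policy rules as listed in the post's RPZ zone file (owner name -> CNAME target).
RPZ_RULES: Dict[str, str] = {
    "ads5.woamobile.com": "catchall.utc.edu.",
    "*.ads5.woamobile.com": "catchall.utc.edu.",
    "adsafeprotected.com": "catchall.utc.edu.",
    "*.adsafeprotected.com": "catchall.utc.edu.",
    "conduit-services.com": "catchall.utc.edu.",
    "*.conduit-services.com": "catchall.utc.edu.",
}


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so matching is case-insensitive."""
    return name.lower().rstrip(".")


def match_rpz(qname: str, rules: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (rule_owner, cname_target) for the most specific rule covering qname, else None."""
    name = normalize(qname)
    # An exact owner-name rule takes precedence over any wildcard.
    if name in rules:
        return (name, rules[name])
    labels = name.split(".")
    # Walk wildcards from the closest parent outward: "*.b.c" matches "a.b.c" but not "b.c".
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in rules:
            return (candidate, rules[candidate])
    return None


def expected_answers(qnames, rules: Dict[str, str] = RPZ_RULES) -> Dict[str, Optional[str]]:
    """Map each query name to the CNAME target RPZ should rewrite it to (None = resolve normally)."""
    result: Dict[str, Optional[str]] = {}
    for q in qnames:
        hit = match_rpz(q, rules)
        result[q] = hit[1] if hit else None
    return result


if __name__ == "__main__":
    # Constructed query list: the names from the post plus one that no rule covers.
    queries = ["ads5.woamobile.com", "WhateverIWantToPutHere.ads5.woamobile.com",
               "adsafeprotected.com", "WhateverIWantToPutHere.adsafeprotected.com",
               "sp-translation.conduit-services.com", "example.org"]
    for q, target in expected_answers(queries).items():
        print(f"{q:45} -> {target or 'no policy (normal resolution)'}")
```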