[External] Re: Request assistance configuring RPZ
David Bank
dbank at ncdot.gov
Tue May 28 17:13:50 UTC 2019
On Tue, 28 May 2019, Grant Taylor via bind-users wrote:
Hello, Grant! Thanks for replying.
> On 5/28/19 10:16 AM, David Bank wrote:
>> To recap what I'm attempting to create: a host in the 10. network knows
>> to ask buzz or woody for DNS resolution, and if such a host wants to
>> resolve andy.internal.local, it gets (for example) 10.0.2.4 (moreover,
>> the host can't even reach the DNS server on zurg). This part already
>> exists.
>
> Do you want hosts on the 10/8 network (thus not in the bubble) to be
> able to reach any of the hosts in the bubble?
No - the bubble is its own world for the most part. No reason for
general 10/8 inhabitants to try to talk to 192.168/16 - the very, very few
hosts that need to talk in 192.168/16 already have an IP in there.
> Or is this simply wanting to make sure that hosts (outside the bubble)
> in 10/8 resolve to IPs in 10/8 and that hosts (inside the bubble) in
> 192.168/16 resolve to IPs in 192.168/16?
Hosts in 192.168/16 need to resolve 2 SPECIFIC names to 192.168/16 when
those names would otherwise resolve to 10/8 addresses. All other name
resolution whould be to 10/8.
> I'm wondering if it might be possible to use a simple flat DNS zones
> with sorting of replies.
Perhaps I'm missing something, but I don't see how to make zurg reply
with 192.168/16 IPs for andy and sid, but correctly resolve the rest of
*.internal.local - at least not without supplying zurg with a flat file to
reference (which I don't want to do).
>> However, a host in the 192.168. network has been told to use zurg, and
>> if it asks to resolve andy.internal.local, I want it to get 192.168.8.9
>> (even though when zurg forwarded the request to buzz, the response was
>> 10.0.2.4)
>
> Sorting and apex overrides come to mind.
I'm not familiar with those techniques, but I'm interested in learning.
> Can you have a single zone, internal.local that has records for all the
> hosts, with andy.internal.local, sid.internal.local, and
> zurg.internal.local having multiple A records, one in each network. Then
> configure BIND to sort the replies based on the network the client is
> coming from.
No, because I don't have a non-manual way to supply zurg with the Zone
data for *.internal.local. And I'm not too keen on, say, having zurg do a
routine Zone dump from, say. buzz, and scripting something on zurg to
massage the information so the records for andy and sid return 192.168/16.
> This would mean that any host in the 192.168/16 bubble would get a
> 192.168/16 address listed first in the reply. Similarly, any host in
> the main 10/8 network would get a 10/8 address listed first.
Hosts in 10/8 don't talk to zurg (aside from the fact zurg will talk
with buzz and woody) - hosts in 10/8 only talk to buzz and woody, and buzz
and woody always resolve all queries to 10/8 (e.g. they always tell the
"truth").
> Also, is there any reason that zurg can't be a slave for the zones that
> buzz and woody are authoritative for? (Especially if sorting addresses
> the issue.)
No, I don't think so - but I didn't see how that would help, since I
want zurg to alter the replies for just 2 hosts in the Zone. Athough, zurg
is BIND on SLES; buzz and woody are Winblows DNS.
> About the only thing that I can see RPZ being used for here would be to
> override the information that zurg might return if the zone didn't
> already have the data (multiple A records) which could be sorted. I see
> two potential solutions for this:
>
> 1) Apex overrides
> 2) RPZ overrides
>
> #1 is simply a new zone that is the FQDN of what you want to override
> and put an A record with the address you want in the apex.
OK - I have no idea how to do it, but if that would work....
> #2 is configuring RPZ to return different IP(s) (in the 192.168/16
> bubble) for specific query names. (This is what traditional RPZ / DNS
> firewalls do.)
Yes, that's what I was thinking of originally.
> Please ponder this and help me understand why having a single common
> zone across buzz, woody, and zurg using response sorting wouldn't work.
Well, I have no control over buzz and woody. I can only control zurg.
I'm not sure if Winblows can do response sorting, or if zurg would be able
to impose a sort on the data after he does a Zone transfer.
More information about the bind-users
mailing list