RPZ on forwarder not working when forwarder is slave

Brock Sides philarete at gmail.com
Mon Sep 19 16:27:53 UTC 2016


I'm attempting to set up a response policy zone on a pair of forwarders
running BIND, version 9.8.1 on the master for the zone, and version 9.9.5
on the slave.

The forwarding requests are coming from a pair of Microsoft DNS servers,
running Server 2012.

If the Microsoft DNS server is configured to forward to the master, the
clients get the correct responses, e.g. "evil.example.com" resolves to
127.0.0.1, just as I have it set up in the zone file for the RPZ. However,
if the Microsoft DNS server is configured to use the slave server as a
forwarder, the client gets an NXDOMAIN response.

Clients that query the BIND servers (master or slave) directly get the
correct 127.0.0.1 response.

I've confirmed that changing the slave into a master for the RPZ fixes the
problem.

It seems like the Microsoft DNS servers for some reason don't regard the
BIND server configured as a slave as authoritative, but I'm not sure why
that might be.

Any thoughts?

--
Brock Sides
philarete at gmail.com
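As an added diagnostic example (not part of the original post), the script below queries each resolver for the RPZ-rewritten name and reduces the dig output to status, AA flag and answer, so the master, the slave and the two forwarding paths can be compared side by side. Server names are placeholders, and the two embedded dig transcripts are constructed to mirror the behaviour described above.

```shell
#!/bin/sh
# Assumptions (hypothetical): the RPZ rewrites evil.example.com to 127.0.0.1,
# and bind-master, bind-slave, msdns-a, msdns-b are placeholder host names.

# Reduce dig output (+noall +comments +answer) to "STATUS AA|noAA ANSWER".
summarize_dig() {
    out=$1
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if printf '%s\n' "$out" | grep -q '^;; flags:.* aa[ ;]'; then aa=AA; else aa=noAA; fi
    answer=$(printf '%s\n' "$out" | awk '$3 == "IN" && $4 == "A" { print $5; exit }')
    printf '%s %s %s\n' "${status:-UNKNOWN}" "$aa" "${answer:-none}"
}

# OK when the summary is a NOERROR answer carrying the expected address.
verdict() {
    case $1 in
        "NOERROR "*" $2") echo OK ;;
        *) echo MISMATCH ;;
    esac
}

# Live query: $1 = server, $2 = name. Only run when servers are given on the command line.
query_rpz() {
    summarize_dig "$(dig @"$1" "$2" A +noall +comments +answer +time=2 +tries=1)"
}

check_servers() {
    for srv in "$@"; do
        s=$(query_rpz "$srv" evil.example.com)
        printf '%-12s %-26s %s\n' "$srv" "$s" "$(verdict "$s" 127.0.0.1)"
    done
}

# Constructed transcripts: direct answer from the master, NXDOMAIN seen via the slave path.
SAMPLE_MASTER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
evil.example.com.    5    IN    A    127.0.0.1'
SAMPLE_VIA_SLAVE=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'

if [ $# -gt 0 ]; then
    check_servers "$@"      # e.g. ./rpzcheck.sh bind-master bind-slave msdns-a msdns-b
fi
```

Differences in the AA flag or status between the master and slave rows point at the resolver path to examine first.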