Need help on RPZ sever, bit urgent

Sat Aug 11 02:46:35 UTC 2018

Infact what I observed that the intermediate DNS servers are not forwarding
he queries for .com and .net servers to my RPZ servers and it tries
resolves directly on his own from TLD servers

192.168.3.72 End User
192.168.3.15 [AUTH Server for test.com] and has forwarder to
192.168.3.44 [RPZ]

So, 3.15 should only resolve for test.com else all queries should be
forwarded to 192.168.3.44

*Which is not happening.*

dig 003bbhq9.com

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> 003bbhq9.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6844
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;003bbhq9.com.                  IN      A

*;; AUTHORITY SECTION:*
*com.                    530     IN      SOA     a.gtld-servers.net
<http://a.gtld-servers.net>. nstld.verisign-grs.com
<http://nstld.verisign-grs.com>. 1533954938 1800 900 604800 86400*

;; Query time: 0 msec
;; SERVER: 192.168.3.15#53(192.168.3.15)
;; WHEN: Sat Aug 11 08:12:17 IST 2018
;; MSG SIZE  rcvd: 114

On Sat, Aug 11, 2018 at 7:57 AM Blason R <blason16 at gmail.com> wrote:

> Ok - Now I added like this and it disappeared.
>
>         response-policy { zone "whitelist.allow" policy passthru;
>                         zone "malware.trap";
>                         zone "ransomwareips.block"; } qname-wait-recurse
> no break-dnssec no;
>
>
> On Sat, Aug 11, 2018 at 7:51 AM Blason R <blason16 at gmail.com> wrote:
>
>> This is not accepting and giving my syntax error.
>>
>> named-checkconf /etc/bind/named.conf
>> /etc/bind/named.conf.options:29: syntax error near '}'
>>
>>
>> And here is I added
>>
>>         response-policy { zone "whitelist.allow" policy passthru;
>>                         zone "malware.trap";
>>                         zone "ransomwareips.block"; } qname-wait-recurse
>> no break-dnssec no; };
>>
>>
>>
>> On Sat, Aug 11, 2018 at 1:17 AM Carl Byington <carl at byington.org> wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA512
>>>
>>> On Fri, 2018-08-10 at 13:17 +0530, Blason R wrote:
>>> > Nah I dont think that is the answer since you need a termination after
>>> > clause.
>>>
>>> Did you actually try the answer below?
>>>
>>>
>>> > On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov <pvm_job at mail.ru> wrote:
>>>
>>> > Should be:
>>>
>>>
>>> >         response-policy {zone "whitelist.allow" policy passthru;
>>> >                                 zone "malware.trap";
>>> >                                 zone "ransomwareips.block";
>>> >         } qname-wait-recurse no break-dnssec no;
>>>
>>>
>>>
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v2.0.14 (GNU/Linux)
>>>
>>> iEYEAREKAAYFAltt65oACgkQL6j7milTFsF1fgCfYX/B4MaSrPqmoskfYvFAUQVV
>>> YfcAn2NO474pn6agGUmjjR49eq4+sw4Y
>>> =VwoG
>>> -----END PGP SIGNATURE-----
>>>
>>>
>>> _______________________________________________
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>> unsubscribe from this list
>>>
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20180811/c2ae73cc/attachment.html>