RPZ and forward zone trouble

Miguel Mucio Santos Moreira miguel at prodemge.gov.br
Mon Mar 25 20:34:00 UTC 2019


Hello everybody!

I have a problem with DNS-RPZ and forward zone working together.
I've created a rpz zone with the following trigger on my recursive DNS Server:
18.0.0.198.200.rpz-nsip IN CNAME rpz-passthru.

It means any query response coming from a DNS Server whose IP address matches any IP address in the entire CIDR block 200.198.0.0/18 will be answered with rpz-passthru.
It works perfectly for any domain hosted in my Authoritative DNS Servers.
But when I apply a forward zone on my recursive RPZ DNS Server for those domains hosted on my Authoritative DNS Servers, the problems appear, and it is very weird.

I have a mg.gov.br domain and its NS Servers are zeus.prodemge.gov.br (200.198.5.13), titanio.prodemge.gov.br (200.198.5.5), tupan.prodemge.gov.br (200.198.4.4) and jupiter.prodemge.gov.br (200.198.5.2).
If I perform a dig at my workstation using the Recursive DNS with RPZ looking for any record in the mg.gov.br domain, the rpz-passthru policy is not applied; however, if I perform a dig looking for any record in the prodemge.gov.br domain and after that I perform the same dig as before, it works properly.


Note: Recursive DNS Servers and Authoritative DNS Servers are not the same.

As a workaround solution I applied 4 rpz-nsdname triggers, above the one mentioned at the beginning of this email, for my authoritative name servers with the rpz-passthru policy.
titanio.prodemge.gov.br.rpz-nsdname IN CNAME rpz-passthru.
jupiter.prodemge.gov.br.rpz-nsdname IN CNAME rpz-passthru.
tupan.prodemge.gov.br.rpz-nsdname IN CNAME rpz-passthru.
zeus.prodemge.gov.br.rpz-nsdname IN CNAME rpz-passthru.

I would like to understand why it didn't work without the workaround solution; does anyone have any idea about it?

Thanks in advance
--

Miguel Moreira
Manager
DPR/SRE/GSR - Network Services Management
+55(31)3339-1401
PRODEMGE - Companhia de Tecnologia da Informação do Estado de Minas Gerais


Notice: This message is intended exclusively for the person(s) to whom it is addressed and may contain confidential and legally protected information. Improper use will be handled according to company rules and the legislation in force. If you are not the intended recipient, please notify the sender; use, disclosure, copying and distribution are prohibited.
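As an added example (not part of the original post), the following Python, using only the standard-library ipaddress module, encodes and decodes the rpz-nsip owner-name format shown above and reports which of the listed triggers a response from a given authoritative server's name and address would match; the server names and addresses are the ones given in the message, and the trigger list is constructed here for illustration.

```python
import ipaddress

# Constructed from the names and addresses given in the message.
AUTH_SERVERS = {
    "zeus.prodemge.gov.br": "200.198.5.13",
    "titanio.prodemge.gov.br": "200.198.5.5",
    "tupan.prodemge.gov.br": "200.198.4.4",
    "jupiter.prodemge.gov.br": "200.198.5.2",
}


def nsip_trigger(cidr: str) -> str:
    """Encode an IPv4 CIDR block as an RPZ NSIP owner name: prefix length
    first, then the octets reversed, e.g. 200.198.0.0/18 ->
    '18.0.0.198.200.rpz-nsip'."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}.{'.'.join(reversed(octets))}.rpz-nsip"


def parse_nsip_trigger(owner: str) -> ipaddress.IPv4Network:
    """Decode an IPv4 NSIP owner name back to the CIDR block it covers."""
    labels = owner.rstrip(".").split(".")
    if labels[-1] != "rpz-nsip" or len(labels) != 6:
        raise ValueError(f"not an IPv4 rpz-nsip owner name: {owner}")
    address = ".".join(reversed(labels[1:-1]))
    return ipaddress.IPv4Network(f"{address}/{labels[0]}", strict=True)


def nsdname_trigger(ns_name: str) -> str:
    """Owner name of an NSDNAME trigger for an authoritative server's name."""
    return f"{ns_name.rstrip('.')}.rpz-nsdname"


def matching_triggers(ns_name: str, ns_ip: str, triggers: list[str]) -> list[str]:
    """Return the trigger owner names that a response from the authoritative
    server (ns_name, ns_ip) would match, in the order the triggers are listed."""
    hits = []
    for owner in triggers:
        if owner.endswith(".rpz-nsip"):
            if ipaddress.IPv4Address(ns_ip) in parse_nsip_trigger(owner):
                hits.append(owner)
        elif owner.endswith(".rpz-nsdname"):
            name = owner[: -len(".rpz-nsdname")].lower()
            if name == ns_name.rstrip(".").lower():
                hits.append(owner)
    return hits
```

Running matching_triggers for each entry in AUTH_SERVERS against the nsip trigger plus the four nsdname triggers shows every server hitting both kinds, which is the expected state when the resolver actually learns the NS names and addresses during recursion.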

