[External] Re: Request assistance configuring RPZ

Grant Taylor gtaylor at tnetconsulting.net
Wed May 29 22:35:57 UTC 2019


On 5/29/19 3:15 PM, Jon wrote:
> Hi Grant,

Hi,

> I don't usually wade in on these but I also believe RPZ would be the 
> simplest way to achieve this.

I tend to agree.

DNSSEC can complicate this a bit (requiring additional settings).

> In order to keep the same zone working with 10. addressing for all other 
> (not in bubble) clients, create CNAME records in your master 
> internal.local zone for these two records you want to have a 192. 
> address for.  On the same master, create a new zone where you will have 
> the A record your CNAME will resolve to, a 10. address.  This will take 
> care of all clients not in the bubble.

I don't think that David has any influence on the "internal.local" zone 
on buzz and woody.  As such, CNAMEing to alternate zones is not likely 
to happen.

> On zurg, with your RPZ, have that configured for the same domain as the 
> new domain you've created on the master.

Why use CNAMEs to a separate zone on woody & buzz but not use the same 
separate zones on zurg?

I'd think that you'd use separate zones everywhere (woody, buzz, and 
zurg) or nowhere.

Yes, RPZ can make it trivial to override the names in the bubble.

> This should mean that all queries are forwarded to your other boxes, 
> except anything for that domain in the RPZ. The initial query for Andy 
> or sid will be forwarded to the forwarding servers but will return a 
> CNAME for the zurg recursor. Zurg should then go to resolve the CNAME 
> but check its RPZ first, responding with the 192.x addressing you've got 
> in the RPZ for each of the two hosts.

I'm not tracking what you're saying.  (If we want to delve further into 
this, seeing as how David can't change the zone on woody or buzz.) 
Please outline what zones you would have on what server as well as where 
the CNAMEs would be and what they would refer to.

> It's not tidy, I'll give you that, but this is an interesting scenario 
> for more than just this DNS: you're bridging 2 networks with multiple 
> multi-homed machines. This is not recommended from a security 
> perspective and should use a gateway/FW to perform this work, routing 
> between the networks.

I largely agree.  However, there is no reason that there can't also be 
DNS separation in addition to routing / firewall.  Thus this scenario 
can exist even with routing and firewalls.



-- 
Grant. . . .
unix || die
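For readers following the thread, the configuration below is an added illustration (not from Grant, Jon or David) of the "RPZ only, no CNAMEs" approach Grant describes: zurg forwards everything to woody and buzz untouched, and its local RPZ rewrites just the two bubble hosts to 192.x addresses. The forwarder addresses, the 192.0.2.x answers, the zone name "rpz.bubble" and the file paths are constructed placeholders; "andy", "sid" and "internal.local" are the names used in the thread. The `break-dnssec yes` line is the extra setting needed when the upstream zone is DNSSEC-signed, since a rewritten answer can no longer validate.

```conf
// --- /etc/bind/named.conf on zurg (the recursor inside the bubble) ---
options {
    directory "/var/cache/bind";
    recursion yes;

    // Hand every query to woody and buzz; their 10.x answers reach
    // the bubble clients unchanged unless the RPZ says otherwise.
    forwarders { 10.0.0.53; 10.0.0.54; };   // constructed addresses for woody/buzz
    forward only;

    // Policy zone consulted before answers go back to clients.
    // break-dnssec: apply the rewrite even when internal.local is signed,
    // otherwise RPZ leaves validated answers alone and the override silently fails.
    response-policy { zone "rpz.bubble"; } break-dnssec yes;
};

// The policy zone itself lives only on zurg; woody and buzz never see it.
zone "rpz.bubble" {
    type master;
    file "/etc/bind/db.rpz.bubble";
    allow-query { none; };        // clients never query the policy zone directly
    allow-transfer { none; };
};

// --- /etc/bind/db.rpz.bubble (RPZ zone file) ---
// $TTL 60
// @                    IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 60 )
// @                    IN NS   localhost.
// ; Exactly these two names are rewritten; every other internal.local
// ; name still resolves to whatever woody and buzz return (10.x).
// andy.internal.local  IN A    192.0.2.10
// sid.internal.local   IN A    192.0.2.11
```

To confirm the split behaves as intended, compare `dig @zurg andy.internal.local A` (expected: the 192.0.2.10 override from the RPZ) with `dig @woody andy.internal.local A` (expected: the unchanged 10.x record), and check that a name not listed in the policy zone returns the same 10.x answer from both servers. Bumping the SOA serial and running `rndc reload rpz.bubble` picks up edits to the policy file without restarting the recursor.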
