Internal CNAME in RPZ
m3047
m3047 at m3047.net
Wed Oct 23 16:49:18 UTC 2019
Hi, so Andrey,
Your output doesn't reflect what I would expect to see from an
RPZ-mediated query, but rather what I would expect to see if querying a
zone, such as the RPZ itself, directly. So I am not sure I understand your
question.
To the broader ISC community: however, I'm confused by the response I'm
getting. Oddly enough dig is giving me the unexpected results, and
(Python) socket.getaddrinfo() does what I expect. It appears that CNAME
resolution within RPZ is escaping...
On Wed, 23 Oct 2019, Andrey Geyn wrote:
> Date: Wed, 23 Oct 2019 19:34:39 +0500
> From: Andrey Geyn <andgein at yandex-team.ru>
> To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
> Subject: Internal CNAME in RPZ
>
> Hello, I would like to set up RPZ with CNAME and A. There are two options:
>
> 1.
> cname.domain.com CNAME test.domain.com (without trailing dot)
> test.domain.com A 10.10.10.10
Trailing dot is needed.
> 2.
> cname.domain.com CNAME test.domain.com. (with trailing dot)
> test.domain.com A 10.10.10.10
Yes I believe this to be correct.
> # dig cname.domain.com @127.0.0.1
>
> cname.domain.com. 5 IN CNAME test.domain.com.
> test.domain.com. 531 IN A 66.96.162.92
>
# net-dns.pl add rpz cname.example.com CNAME test.example.com.
# net-dns.pl add rpz test.example.com A 10.10.10.10
Here's the answer I didn't expect, from dig:
# dig +short cname.example.com
TEST.EXAMPLE.COM.
# dig +short test.example.com
10.10.10.10
It did not follow the CNAME chain. Here's what I expected, from
getaddrinfo():
>>> from socket import getaddrinfo
>>> getaddrinfo('cname.example.com',80)
[(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
<SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]
All the rest of the queries follow. The recursive resolver (at 10.0.0.220)
is running 9.12.3-p1. I tested with versions of dig up to and including
9.12.3-p1.
Notice that in the very first test below the AUTHORITY refers to
icann.org, but the ADDITIONAL (correctly) refers to my RPZ. I repeated
with a different domain with the rationale that example.com was
confounding results, and got something similar.
Querying the RPZ directly, e.g. for cname.test.m3047.net.rpz1.m3047.net
does the reverse, looking up actual.test.m3047.net from the RPZ instead of
the real world.
--
Fred Morris
--
# dig cname.example.com
; <<>> DiG 9.8.3-P1 <<>> cname.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40161
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;cname.example.com. IN A
;; ANSWER SECTION:
CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM.
;; AUTHORITY SECTION:
EXAMPLE.COM. 3600 IN SOA ns.icann.org.
noc.dns.icann.org. 2019101506 7200 3600 1209600 3600
;; ADDITIONAL SECTION:
rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
260 600 60 86400 600
;; Query time: 1142 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:03:34 2019
;; MSG SIZE rcvd: 209
# dig test.example.com
; <<>> DiG 9.8.3-P1 <<>> test.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28409
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;test.example.com. IN A
;; ANSWER SECTION:
TEST.EXAMPLE.COM. 5 IN A 10.10.10.10
;; AUTHORITY SECTION:
rpz1.m3047.net. 900 IN NS LOCALHOST.
;; ADDITIONAL SECTION:
rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
260 600 60 86400 600
;; Query time: 10 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:04:38 2019
;; MSG SIZE rcvd: 162
# dig cname.example.com.rpz1.m3047.net
; <<>> DiG 9.8.3-P1 <<>> cname.example.com.rpz1.m3047.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54923
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;cname.example.com.rpz1.m3047.net. IN A
;; ANSWER SECTION:
CNAME.EXAMPLE.COM.rpz1.m3047.net. 600 IN CNAME TEST.EXAMPLE.COM.
TEST.EXAMPLE.COM. 5 IN A 10.10.10.10
;; AUTHORITY SECTION:
rpz1.m3047.net. 900 IN NS LOCALHOST.
;; ADDITIONAL SECTION:
rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
260 600 60 86400 600
;; Query time: 8 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:07:46 2019
;; MSG SIZE rcvd: 224
Python 3.7.4 (v3.7.4:e09359112e, Jul 8 2019, 14:54:52)
[Clang 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from socket import getaddrinfo
>>> getaddrinfo('cname.example.com',80)
[(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
<SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]
# net-dns.pl add rpz cname.test.m3047.net CNAME actual.test.m3047.net.
# net-dns.pl add rpz actual.test.m3047.net A 10.10.10.10
Note that *.m3047.net is wildcarded.
# dig cname.test.m3047.net
; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23767
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; QUESTION SECTION:
;cname.test.m3047.net. IN A
;; ANSWER SECTION:
CNAME.TEST.M3047.NET. 5 IN CNAME ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET. 7200 IN A 209.221.140.128
;; AUTHORITY SECTION:
m3047.net. 7200 IN NS dns1.encirca.net.
m3047.net. 7200 IN NS dns2.encirca.net.
;; ADDITIONAL SECTION:
rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
262 600 60 86400 600
dns1.encirca.net. 97039 IN A 108.166.170.106
dns2.encirca.net. 97039 IN A 64.62.200.132
;; Query time: 178 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:25:08 2019
;; MSG SIZE rcvd: 249
Python 3.7.4 (v3.7.4:e09359112e, Jul 8 2019, 14:54:52)
[Clang 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from socket import getaddrinfo
>>> getaddrinfo('cname.test.m3047.net',80)
[(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
<SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]
# dig cname.test.m3047.net.rpz1.m3047.net
; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net.rpz1.m3047.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61953
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;cname.test.m3047.net.rpz1.m3047.net. IN A
;; ANSWER SECTION:
CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN CNAME ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET. 5 IN A 10.10.10.10
;; AUTHORITY SECTION:
rpz1.m3047.net. 900 IN NS LOCALHOST.
;; ADDITIONAL SECTION:
rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
262 600 60 86400 600
;; Query time: 8 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:41:29 2019
;; MSG SIZE rcvd: 235
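The two points the thread turns on are (a) a CNAME target written without a trailing dot inside the RPZ zone is relative to the zone origin, so it silently points at test.domain.com.rpz1.m3047.net. rather than test.domain.com., and (b) a resolver may return the CNAME from the RPZ without chasing it to an address. The following is an added example, not code from the post, from BIND or from net-dns.pl: it applies zone-file name semantics to a zone fragment to flag CNAME targets that land inside the RPZ, and walks the CNAME chain in a dig-style answer section to detect an unchased chain. The zone fragments and answer lines are constructed from the records shown in the post; the function names are this example's own.

```python
"""Added example: RPZ CNAME trailing-dot check and CNAME-chain check over
dig-style answer lines. Not part of the bind-users post or of BIND."""

import re
from typing import Dict, List, Tuple

# dig-style resource record line: owner TTL class type rdata
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def canon(name: str) -> str:
    """DNS names compare case-insensitively (the RPZ answers above come back
    upper-cased); normalise to lowercase with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def absolute_name(name: str, origin: str) -> str:
    """Zone-file semantics: a name without a trailing dot is relative to the
    zone origin, '@' is the origin itself, a dotted name is absolute."""
    if name == "@":
        return canon(origin)
    if name.endswith("."):
        return canon(name)
    return canon(f"{name}.{origin}")


def check_rpz_cnames(zone_text: str, origin: str) -> List[Tuple[str, str, bool]]:
    """Parse a minimal zone fragment (owner [TTL] [IN] CNAME target) and return
    (trigger, absolute_target, points_into_rpz). points_into_rpz is True when
    the target resolved to a name under the RPZ origin, which is what a
    missing trailing dot produces."""
    origin = canon(origin)
    results = []
    for line in zone_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";") or "CNAME" not in fields:
            continue
        target = fields[fields.index("CNAME") + 1]
        abs_target = absolute_name(target, origin)
        inside = abs_target == origin or abs_target.endswith("." + origin)
        results.append((absolute_name(fields[0], origin), abs_target, inside))
    return results


def follow_chain(answer_lines: List[str], qname: str) -> Tuple[str, List[str]]:
    """Walk the CNAME chain for qname through an answer section. Returns the
    final owner name and the A/AAAA rdata found for it. An empty address list
    with a final name different from qname means the resolver handed back a
    CNAME it did not chase (the dig behaviour shown in the post)."""
    cnames: Dict[str, str] = {}
    addrs: Dict[str, List[str]] = {}
    for line in answer_lines:
        m = RR_LINE.match(line.strip())
        if not m:
            continue
        owner, _ttl, rrtype, rdata = m.groups()
        owner = canon(owner)
        if rrtype == "CNAME":
            cnames[owner] = canon(rdata.strip())
        elif rrtype in ("A", "AAAA"):
            addrs.setdefault(owner, []).append(rdata.strip())
    current = canon(qname)
    seen = set()
    while current in cnames and current not in seen:  # stop on loops
        seen.add(current)
        current = cnames[current]
    return current, addrs.get(current, [])


# Constructed inputs, taken from the records quoted in the post.
ZONE_WITHOUT_DOT = "cname.domain.com CNAME test.domain.com\ntest.domain.com A 10.10.10.10\n"
ZONE_WITH_DOT = "cname.domain.com CNAME test.domain.com.\ntest.domain.com A 10.10.10.10\n"
DIG_ANSWER_UNCHASED = ["CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM."]
DIG_ANSWER_CHASED = [
    "CNAME.TEST.M3047.NET. 5 IN CNAME ACTUAL.TEST.M3047.NET.",
    "ACTUAL.TEST.M3047.NET. 7200 IN A 209.221.140.128",
]

if __name__ == "__main__":
    for label, zone in (("no dot", ZONE_WITHOUT_DOT), ("dot", ZONE_WITH_DOT)):
        for trigger, target, inside in check_rpz_cnames(zone, "rpz1.m3047.net"):
            flag = "  <-- target is inside the RPZ" if inside else ""
            print(f"[{label}] {trigger} -> {target}{flag}")
    for qname, lines in (("cname.example.com", DIG_ANSWER_UNCHASED),
                         ("cname.test.m3047.net", DIG_ANSWER_CHASED)):
        final, addrs = follow_chain(lines, qname)
        state = "chased" if addrs else "CNAME not chased"
        print(f"{qname}: ends at {final} {addrs} ({state})")
```

Running it prints the relative-target case as pointing into rpz1.m3047.net., which is the misconfiguration Fred's "Trailing dot is needed" refers to, and reports the example.com answer as an unchased CNAME while the m3047.net answer resolves, but to the real-world address rather than the RPZ one.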