Internal CNAME in RPZ

m3047 m3047 at m3047.net
Wed Oct 23 16:49:18 UTC 2019


Hi, so Andrey,

Your output doesn't reflect what I would expect to see from an 
RPZ-mediated query, but rather what I would expect to see if querying a 
zone, such as the RPZ itself, directly. So I am not sure I understand your 
question.

To the broader ISC community, however: I'm confused by the response I'm 
getting. Oddly enough dig is giving me the unexpected results, and 
(Python) socket.getaddrinfo() does what I expect. It appears that CNAME 
resolution within RPZ is escaping...

On Wed, 23 Oct 2019, Andrey Geyn wrote:

> Date: Wed, 23 Oct 2019 19:34:39 +0500
> From: Andrey Geyn <andgein at yandex-team.ru>
> To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
> Subject: Internal CNAME in RPZ
> 
> Hello, I would like to set up RPZ with CNAME and A. There are two options:
>  
> 1.
> cname.domain.com        CNAME   test.domain.com    (without trailing dot)
> test.domain.com         A       10.10.10.10

Trailing dot is needed.

> 2.
> cname.domain.com        CNAME   test.domain.com.      (with trailing dot)
> test.domain.com         A       10.10.10.10

Yes I believe this to be correct.

> # dig cname.domain.com @127.0.0.1
> 
> cname.domain.com.       5       IN      CNAME   test.domain.com.
> test.domain.com.        531     IN      A       66.96.162.92
>  

# net-dns.pl add rpz cname.example.com CNAME test.example.com.
# net-dns.pl add rpz test.example.com A 10.10.10.10

Here's the answer I didn't expect, from dig:

# dig +short cname.example.com
TEST.EXAMPLE.COM.
# dig +short test.example.com
10.10.10.10

It did not follow the CNAME chain. Here's what I expected, from 
getaddrinfo():

>>> from socket import getaddrinfo
>>> getaddrinfo('cname.example.com',80)
[(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '', 
('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>, 
<SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]

All the rest of the queries follow. The recursive resolver (at 10.0.0.220) 
is running 9.12.3-p1. I tested with versions of dig up to and including 
9.12.3-p1.

Notice that in the very first test below the AUTHORITY refers to 
icann.org, but the ADDITIONAL (correctly) refers to my RPZ. I repeated 
with a different domain with the rationale that example.com was 
confounding results, and got something similar.

Querying the RPZ directly, e.g. for cname.test.m3047.net.rpz1.m3047.net 
does the reverse, looking up actual.test.m3047.net from the RPZ instead of 
the real world.

--

Fred Morris

--

# dig cname.example.com

; <<>> DiG 9.8.3-P1 <<>> cname.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40161
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;cname.example.com.		IN	A

;; ANSWER SECTION:
CNAME.EXAMPLE.COM.	5	IN	CNAME	TEST.EXAMPLE.COM.

;; AUTHORITY SECTION:
EXAMPLE.COM.		3600	IN	SOA	ns.icann.org. 
noc.dns.icann.org. 2019101506 7200 3600 1209600 3600

;; ADDITIONAL SECTION:
rpz1.m3047.net.		1	IN	SOA	DEV.NULL. M3047.M3047.NET. 
260 600 60 86400 600

;; Query time: 1142 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:03:34 2019
;; MSG SIZE  rcvd: 209

#  dig test.example.com

; <<>> DiG 9.8.3-P1 <<>> test.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28409
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;test.example.com.		IN	A

;; ANSWER SECTION:
TEST.EXAMPLE.COM.	5	IN	A	10.10.10.10

;; AUTHORITY SECTION:
rpz1.m3047.net.		900	IN	NS	LOCALHOST.

;; ADDITIONAL SECTION:
rpz1.m3047.net.		1	IN	SOA	DEV.NULL. M3047.M3047.NET. 
260 600 60 86400 600

;; Query time: 10 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:04:38 2019
;; MSG SIZE  rcvd: 162

# dig cname.example.com.rpz1.m3047.net

; <<>> DiG 9.8.3-P1 <<>> cname.example.com.rpz1.m3047.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54923
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;cname.example.com.rpz1.m3047.net. IN	A

;; ANSWER SECTION:
CNAME.EXAMPLE.COM.rpz1.m3047.net. 600 IN CNAME	TEST.EXAMPLE.COM.
TEST.EXAMPLE.COM.	5	IN	A	10.10.10.10

;; AUTHORITY SECTION:
rpz1.m3047.net.		900	IN	NS	LOCALHOST.

;; ADDITIONAL SECTION:
rpz1.m3047.net.		1	IN	SOA	DEV.NULL. M3047.M3047.NET. 
260 600 60 86400 600

;; Query time: 8 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:07:46 2019
;; MSG SIZE  rcvd: 224

Python 3.7.4 (v3.7.4:e09359112e, Jul  8 2019, 14:54:52)
[Clang 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from socket import getaddrinfo
>>> getaddrinfo('cname.example.com',80)
[(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '', 
('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>, 
<SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]

# net-dns.pl add rpz cname.test.m3047.net CNAME actual.test.m3047.net.
# net-dns.pl add rpz actual.test.m3047.net A 10.10.10.10

Note that *.m3047.net is wildcarded.

# dig cname.test.m3047.net

; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23767
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;cname.test.m3047.net.		IN	A

;; ANSWER SECTION:
CNAME.TEST.M3047.NET.	5	IN	CNAME	ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET.	7200	IN	A	209.221.140.128

;; AUTHORITY SECTION:
m3047.net.		7200	IN	NS	dns1.encirca.net.
m3047.net.		7200	IN	NS	dns2.encirca.net.

;; ADDITIONAL SECTION:
rpz1.m3047.net.		1	IN	SOA	DEV.NULL. M3047.M3047.NET. 
262 600 60 86400 600
dns1.encirca.net.	97039	IN	A	108.166.170.106
dns2.encirca.net.	97039	IN	A	64.62.200.132

;; Query time: 178 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:25:08 2019
;; MSG SIZE  rcvd: 249

Python 3.7.4 (v3.7.4:e09359112e, Jul  8 2019, 14:54:52)
[Clang 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from socket import getaddrinfo
>>> getaddrinfo('cname.test.m3047.net',80)
[(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '', 
('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>, 
<SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]

# dig cname.test.m3047.net.rpz1.m3047.net

; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net.rpz1.m3047.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61953
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;cname.test.m3047.net.rpz1.m3047.net. IN	A

;; ANSWER SECTION:
CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN CNAME ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET.	5	IN	A	10.10.10.10

;; AUTHORITY SECTION:
rpz1.m3047.net.		900	IN	NS	LOCALHOST.

;; ADDITIONAL SECTION:
rpz1.m3047.net.		1	IN	SOA	DEV.NULL. M3047.M3047.NET. 
262 600 60 86400 600

;; Query time: 8 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:41:29 2019
;; MSG SIZE  rcvd: 235
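The trailing-dot point raised above, as an added example that is not part of this thread, the poster's net-dns.pl tool or BIND: a small Python linter that reads an RPZ zone the way a zone file is read (a name without a trailing dot gets the origin appended), flags option-1 style CNAME targets that would silently land inside the policy zone, recognises the RPZ action targets, and notes when the zone also carries a trigger for an absolute target (as test.example.com does here). The zone text, origin and addresses are constructed from the thread's examples.

```python
# Added example (not the poster's net-dns.pl tool nor BIND code); zone text below is constructed.
ORIGIN = "rpz1.m3047.net."            # policy zone named in the thread
ZONE = """
cname.domain.com   CNAME test.domain.com     ; option 1: relative target
test.domain.com    A     10.10.10.10
cname.example.com  CNAME test.example.com.   ; option 2: absolute target
test.example.com   A     10.10.10.10
blocked.example    CNAME .                   ; RPZ action, not a hostname
"""
# RPZ special CNAME targets are policy actions, never names to resolve.
RPZ_ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
               "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}

def absolute(name, origin):
    # Zone-file rule: a name without a trailing dot is relative to the origin.
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    # Minimal 'owner [ttl] [IN] type rdata' parser -> {owner: [(type, rdata)]}
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith("$"):         # blanks, $TTL, $ORIGIN
            continue
        fields = line.split()
        owner = absolute(fields.pop(0), origin).lower()
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                            # optional TTL / class
        records.setdefault(owner, []).append((fields[0].upper(), " ".join(fields[1:])))
    return records

def lint_cnames(text, origin):
    records = parse_zone(text, origin)
    findings = []                                    # (trigger owner, effective target, verdict)
    for owner, rrs in records.items():
        for rtype, rdata in rrs:
            if rtype != "CNAME":
                continue
            if rdata in RPZ_ACTIONS:
                findings.append((owner, rdata, "action " + RPZ_ACTIONS[rdata]))
            elif not rdata.endswith("."):            # option 1: lands inside the RPZ
                findings.append((owner, absolute(rdata, origin), "RELATIVE TARGET"))
            else:                                    # option 2: absolute target
                hit = records.get(f"{rdata}{origin}".lower())   # zone also triggers on it?
                verdict = "ok, target is also a trigger: %s %s" % hit[0] if hit else "ok"
                findings.append((owner, rdata, verdict))
    return findings

if __name__ == "__main__":
    print(*lint_cnames(ZONE, ORIGIN), sep="\n")
```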
