Internal CNAME in RPZ

m3047 m3047 at m3047.net
Wed Oct 23 21:00:40 UTC 2019


Hello...

On Wed, 23 Oct 2019, Andrey Geyn wrote:
> [...]
> I don't understand why your tests for "cname.example.com" and "cname.test.m3047.net" differ
> (first one returns only 
> CNAME.EXAMPLE.COM.	5	IN	CNAME	TEST.EXAMPLE.COM.

I didn't understand this either. Is it something about caching perhaps? I 
thought perhaps example.com, being well-known, was somehow confounding the 
results.

> second one returns two RRs:
> CNAME.TEST.M3047.NET.	5	IN	CNAME	ACTUAL.TEST.M3047.NET.
> ACTUAL.TEST.M3047.NET.	7200	IN	A	209.221.140.128)

Notwithstanding that this is WRONG, because actual.test.m3047.net is in 
the RPZ, it did try to follow the CNAME chain; it just failed to apply the 
policy to the A record. However, querying the RPZ explicitly:

CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN CNAME ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET. 5 IN A 10.10.10.10

would /appear/ to be retrieving the result for the CNAME from the RPZ as a 
regular zone not a policy zone, as intended, but then subjects the A 
record to the RPZ policy!

> 23.10.2019, 21:49, "m3047" <m3047 at m3047.net>:
>> [...]
>> # dig cname.example.com
>>
>> ; <<>> DiG 9.8.3-P1 <<>> cname.example.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40161
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>>
>> ;; QUESTION SECTION:
>> ;cname.example.com. IN A
>>
>> ;; ANSWER SECTION:
>> CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM.
>>
>> ;; AUTHORITY SECTION:
>> EXAMPLE.COM. 3600 IN SOA ns.icann.org.
>> noc.dns.icann.org. 2019101506 7200 3600 1209600 3600
>>
>> ;; ADDITIONAL SECTION:
>> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
>> 260 600 60 86400 600
>>
>> ;; Query time: 1142 msec
>> ;; SERVER: 10.0.0.220#53(10.0.0.220)
>> ;; WHEN: Wed Oct 23 09:03:34 2019
>> ;; MSG SIZE rcvd: 209
>>
>> # dig test.example.com
>>
>> ; <<>> DiG 9.8.3-P1 <<>> test.example.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28409
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>>
>> ;; QUESTION SECTION:
>> ;test.example.com. IN A
>>
>> ;; ANSWER SECTION:
>> TEST.EXAMPLE.COM. 5 IN A 10.10.10.10
>>
>> ;; AUTHORITY SECTION:
>> rpz1.m3047.net. 900 IN NS LOCALHOST.
>>
>> ;; ADDITIONAL SECTION:
>> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
>> 260 600 60 86400 600
>>
>> ;; Query time: 10 msec
>> ;; SERVER: 10.0.0.220#53(10.0.0.220)
>> ;; WHEN: Wed Oct 23 09:04:38 2019
>> ;; MSG SIZE rcvd: 162
>>
>> # dig cname.example.com.rpz1.m3047.net
>>
>> ; <<>> DiG 9.8.3-P1 <<>> cname.example.com.rpz1.m3047.net
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54923
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
>>
>> ;; QUESTION SECTION:
>> ;cname.example.com.rpz1.m3047.net. IN A
>>
>> ;; ANSWER SECTION:
>> CNAME.EXAMPLE.COM.rpz1.m3047.net. 600 IN CNAME TEST.EXAMPLE.COM.
>> TEST.EXAMPLE.COM. 5 IN A 10.10.10.10
>>
>> ;; AUTHORITY SECTION:
>> rpz1.m3047.net. 900 IN NS LOCALHOST.
>>
>> ;; ADDITIONAL SECTION:
>> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
>> 260 600 60 86400 600
>>
>> ;; Query time: 8 msec
>> ;; SERVER: 10.0.0.220#53(10.0.0.220)
>> ;; WHEN: Wed Oct 23 09:07:46 2019
>> ;; MSG SIZE rcvd: 224
>>
>> Python 3.7.4 (v3.7.4:e09359112e, Jul 8 2019, 14:54:52)
>> [Clang 6.0 (clang-600.0.57)] on darwin
>> Type "help", "copyright", "credits" or "license" for more information.
>>>>>  from socket import getaddrinfo
>>>>>  getaddrinfo('cname.example.com',80)
>>
>> [(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
>> ('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
>> <SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]
>>
>> # net-dns.pl add rpz cname.test.m3047.net CNAME actual.test.m3047.net.
>> # net-dns.pl add rpz actual.test.m3047.net A 10.10.10.10
>>
>> Note that *.m3047.net is wildcarded.
>>
>> # dig cname.test.m3047.net
>>
>> ; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23767
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
>>
>> ;; QUESTION SECTION:
>> ;cname.test.m3047.net. IN A
>>
>> ;; ANSWER SECTION:
>> CNAME.TEST.M3047.NET. 5 IN CNAME ACTUAL.TEST.M3047.NET.
>> ACTUAL.TEST.M3047.NET. 7200 IN A 209.221.140.128
>>
>> ;; AUTHORITY SECTION:
>> m3047.net. 7200 IN NS dns1.encirca.net.
>> m3047.net. 7200 IN NS dns2.encirca.net.
>>
>> ;; ADDITIONAL SECTION:
>> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
>> 262 600 60 86400 600
>> dns1.encirca.net. 97039 IN A 108.166.170.106
>> dns2.encirca.net. 97039 IN A 64.62.200.132
>>
>> ;; Query time: 178 msec
>> ;; SERVER: 10.0.0.220#53(10.0.0.220)
>> ;; WHEN: Wed Oct 23 09:25:08 2019
>> ;; MSG SIZE rcvd: 249
>>
>> Python 3.7.4 (v3.7.4:e09359112e, Jul 8 2019, 14:54:52)
>> [Clang 6.0 (clang-600.0.57)] on darwin
>> Type "help", "copyright", "credits" or "license" for more information.
>>>>>  from socket import getaddrinfo
>>>>>  getaddrinfo('cname.test.m3047.net',80)
>>
>> [(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
>> ('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
>> <SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]
>>
>> # dig cname.test.m3047.net.rpz1.m3047.net
>>
>> ; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net.rpz1.m3047.net
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61953
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
>>
>> ;; QUESTION SECTION:
>> ;cname.test.m3047.net.rpz1.m3047.net. IN A
>>
>> ;; ANSWER SECTION:
>> CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN CNAME ACTUAL.TEST.M3047.NET.
>> ACTUAL.TEST.M3047.NET. 5 IN A 10.10.10.10
>>
>> ;; AUTHORITY SECTION:
>> rpz1.m3047.net. 900 IN NS LOCALHOST.
>>
>> ;; ADDITIONAL SECTION:
>> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
>> 262 600 60 86400 600
>>
>> ;; Query time: 8 msec
>> ;; SERVER: 10.0.0.220#53(10.0.0.220)
>> ;; WHEN: Wed Oct 23 09:41:29 2019
>> ;; MSG SIZE rcvd: 235
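A small check that turns the comparison made above into something repeatable. This is an added example, not code from the thread or from BIND: it parses the ANSWER section of dig output (the three responses quoted above are embedded as constructed sample input), follows the CNAME chain within the answer, and reports whether the address that finally reaches the client is the RPZ policy address (10.10.10.10 here) or the real one. The function and verdict names are my own; the expected policy address is an assumption taken from the thread.

```python
"""Parse dig ANSWER sections and check whether an RPZ rewrite survived a CNAME chain."""
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the relevant sections of the dig output quoted in this thread.
DIG_CNAME_TEST_M3047 = """\
;; QUESTION SECTION:
;cname.test.m3047.net. IN A

;; ANSWER SECTION:
CNAME.TEST.M3047.NET. 5 IN CNAME ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET. 7200 IN A 209.221.140.128

;; AUTHORITY SECTION:
m3047.net. 7200 IN NS dns1.encirca.net.
"""

DIG_RPZ_DIRECT = """\
;; ANSWER SECTION:
CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN CNAME ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET. 5 IN A 10.10.10.10
"""

DIG_CNAME_EXAMPLE_COM = """\
;; ANSWER SECTION:
CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM.

;; AUTHORITY SECTION:
EXAMPLE.COM. 3600 IN SOA ns.icann.org. noc.dns.icann.org. 2019101506 7200 3600 1209600 3600
"""

# Assumption: the address the RPZ is expected to hand back for policed names.
POLICY_ADDRESS = "10.10.10.10"


def parse_answer_section(dig_text: str) -> List[Dict[str, object]]:
    """Return the RRs of the ANSWER section; owner names lower-cased, trailing dot removed."""
    records: List[Dict[str, object]] = []
    in_answer = False
    for raw in dig_text.splitlines():
        line = raw.strip()
        if line.startswith(";; ") and line.endswith("SECTION:"):
            in_answer = line == ";; ANSWER SECTION:"
            continue
        if not in_answer or not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)          # owner ttl class type rdata
        if len(parts) < 5:
            continue
        owner, ttl, rrclass, rrtype, rdata = parts
        records.append({
            "owner": owner.lower().rstrip("."),
            "ttl": int(ttl),
            "class": rrclass,
            "type": rrtype.upper(),
            "rdata": rdata.strip(),
        })
    return records


def resolve_chain(records: List[Dict[str, object]], qname: str,
                  max_hops: int = 8) -> Tuple[List[str], Optional[str]]:
    """Follow CNAMEs from qname inside the answer; return (owners visited, final A address or None)."""
    name = qname.lower().rstrip(".")
    chain = [name]
    for _ in range(max_hops):
        addrs = [r["rdata"] for r in records if r["owner"] == name and r["type"] == "A"]
        if addrs:
            return chain, str(addrs[0])
        targets = [r["rdata"] for r in records if r["owner"] == name and r["type"] == "CNAME"]
        if not targets:
            return chain, None               # chain ends without an address (e.g. NXDOMAIN)
        name = str(targets[0]).lower().rstrip(".")
        chain.append(name)
    return chain, None                       # too many hops or a loop


def check_rpz_rewrite(dig_text: str, qname: str,
                      expected: str = POLICY_ADDRESS) -> Dict[str, object]:
    """Classify whether the policy address reached the client across the CNAME chain."""
    chain, addr = resolve_chain(parse_answer_section(dig_text), qname)
    if addr is None:
        verdict = "no-address"
    elif addr == expected:
        verdict = "rewritten"
    else:
        verdict = "not-rewritten"            # CNAME followed, but the A came from the real zone
    return {"chain": chain, "address": addr, "verdict": verdict}


if __name__ == "__main__":
    for label, text, qname in [
        ("cname.test.m3047.net (recursive)", DIG_CNAME_TEST_M3047, "cname.test.m3047.net"),
        ("cname.test.m3047.net (RPZ queried directly)", DIG_RPZ_DIRECT,
         "cname.test.m3047.net.rpz1.m3047.net"),
        ("cname.example.com (recursive)", DIG_CNAME_EXAMPLE_COM, "cname.example.com"),
    ]:
        print(label, "->", check_rpz_rewrite(text, qname))
```

Run against real resolvers by piping `dig` output into `check_rpz_rewrite`; a "not-rewritten" verdict is the case described in this thread, where the CNAME came from the policy zone but the terminal A record did not.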

