Internal CNAME in RPZ

Андрей Гейн andgein at yandex-team.ru
Thu Oct 24 08:08:49 UTC 2019


I enabled debug and query logs for BIND and no, it doesn't look like a caching problem...

Do you have any idea how to force BIND to look for the CNAMEd name in RPZ?

I tried to analyze the source code, and it seems that this line prevents the policy from being applied on the second iteration: https://gitlab.isc.org/isc-projects/bind9/blob/master/lib%2Fns%2Fquery.c#L3918
Because at this moment st->state & DNS_RPZ_REWRITTEN == 1: the query _has already been rewritten_ by RPZ.

Unfortunately, commenting out this line leads to an assertion failure later, in query_addrdataset() :)

Andrey

24.10.2019, 02:00, "m3047" <m3047 at m3047.net>:
> Hello...
>
> On Wed, 23 Oct 2019, Andrey Geyn wrote:
>>  [...]
>>  I don't understand why your tests for "cname.example.com" and "cname.test.m3047.net" differ
>>  (first one returns only
>>  CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM.
>
> I didn't understand this either. Is it something about caching perhaps? I
> thought perhaps example.com, being well-known, was somehow confounding the
> results.
>
>>  second one returns two RRs:
>>  CNAME.TEST.M3047.NET. 5 IN CNAME ACTUAL.TEST.M3047.NET.
>>  ACTUAL.TEST.M3047.NET. 7200 IN A 209.221.140.128)
>
> Notwithstanding that this is WRONG, because actual.test.m3047.net is in
> the RPZ, it did try to follow the CNAME chain; it just failed to apply the
> policy to the A record. However querying the RPZ explicitly:
>
> CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN CNAME ACTUAL.TEST.M3047.NET.
> ACTUAL.TEST.M3047.NET. 5 IN A 10.10.10.10
>
> would /appear/ to be retrieving the result for the CNAME from the RPZ as a
> regular zone not a policy zone, as intended, but then subjects the A
> record to the RPZ policy!
>
>>  23.10.2019, 21:49, "m3047" <m3047 at m3047.net>:
>>>  [...]
>>>  # dig cname.example.com
>>>
>>>  ; <<>> DiG 9.8.3-P1 <<>> cname.example.com
>>>  ;; global options: +cmd
>>>  ;; Got answer:
>>>  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40161
>>>  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>>>
>>>  ;; QUESTION SECTION:
>>>  ;cname.example.com. IN A
>>>
>>>  ;; ANSWER SECTION:
>>>  CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM.
>>>
>>>  ;; AUTHORITY SECTION:
>>>  EXAMPLE.COM. 3600 IN SOA ns.icann.org.
>>>  noc.dns.icann.org. 2019101506 7200 3600 1209600 3600
>>>
>>>  ;; ADDITIONAL SECTION:
>>>  rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
>>>  260 600 60 86400 600
>>>
>>>  ;; Query time: 1142 msec
>>>  ;; SERVER: 10.0.0.220#53(10.0.0.220)
>>>  ;; WHEN: Wed Oct 23 09:03:34 2019
>>>  ;; MSG SIZE rcvd: 209
>>>
>>>  # dig test.example.com
>>>
>>>  ; <<>> DiG 9.8.3-P1 <<>> test.example.com
>>>  ;; global options: +cmd
>>>  ;; Got answer:
>>>  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28409
>>>  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>>>
>>>  ;; QUESTION SECTION:
>>>  ;test.example.com. IN A
>>>
>>>  ;; ANSWER SECTION:
>>>  TEST.EXAMPLE.COM. 5 IN A 10.10.10.10
>>>
>>>  ;; AUTHORITY SECTION:
>>>  rpz1.m3047.net. 900 IN NS LOCALHOST.
>>>
>>>  ;; ADDITIONAL SECTION:
>>>  rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
>>>  260 600 60 86400 600
>>>
>>>  ;; Query time: 10 msec
>>>  ;; SERVER: 10.0.0.220#53(10.0.0.220)
>>>  ;; WHEN: Wed Oct 23 09:04:38 2019
>>>  ;; MSG SIZE rcvd: 162
>>>
>>>  # dig cname.example.com.rpz1.m3047.net
>>>
>>>  ; <<>> DiG 9.8.3-P1 <<>> cname.example.com.rpz1.m3047.net
>>>  ;; global options: +cmd
>>>  ;; Got answer:
>>>  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54923
>>>  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
>>>
>>>  ;; QUESTION SECTION:
>>>  ;cname.example.com.rpz1.m3047.net. IN A
>>>
>>>  ;; ANSWER SECTION:
>>>  CNAME.EXAMPLE.COM.rpz1.m3047.net. 600 IN CNAME TEST.EXAMPLE.COM.
>>>  TEST.EXAMPLE.COM. 5 IN A 10.10.10.10
>>>
>>>  ;; AUTHORITY SECTION:
>>>  rpz1.m3047.net. 900 IN NS LOCALHOST.
>>>
>>>  ;; ADDITIONAL SECTION:
>>>  rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
>>>  260 600 60 86400 600
>>>
>>>  ;; Query time: 8 msec
>>>  ;; SERVER: 10.0.0.220#53(10.0.0.220)
>>>  ;; WHEN: Wed Oct 23 09:07:46 2019
>>>  ;; MSG SIZE rcvd: 224
>>>
>>>  Python 3.7.4 (v3.7.4:e09359112e, Jul 8 2019, 14:54:52)
>>>  [Clang 6.0 (clang-600.0.57)] on darwin
>>>  Type "help", "copyright", "credits" or "license" for more information.
>>>>>>   from socket import getaddrinfo
>>>>>>   getaddrinfo('cname.example.com',80)
>>>
>>>  [(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
>>>  ('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
>>>  <SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]
>>>
>>>  # net-dns.pl add rpz cname.test.m3047.net CNAME actual.test.m3047.net.
>>>  # net-dns.pl add rpz actual.test.m3047.net A 10.10.10.10
>>>
>>>  Note that *.m3047.net is wildcarded.
>>>
>>>  # dig cname.test.m3047.net
>>>
>>>  ; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net
>>>  ;; global options: +cmd
>>>  ;; Got answer:
>>>  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23767
>>>  ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
>>>
>>>  ;; QUESTION SECTION:
>>>  ;cname.test.m3047.net. IN A
>>>
>>>  ;; ANSWER SECTION:
>>>  CNAME.TEST.M3047.NET. 5 IN CNAME ACTUAL.TEST.M3047.NET.
>>>  ACTUAL.TEST.M3047.NET. 7200 IN A 209.221.140.128
>>>
>>>  ;; AUTHORITY SECTION:
>>>  m3047.net. 7200 IN NS dns1.encirca.net.
>>>  m3047.net. 7200 IN NS dns2.encirca.net.
>>>
>>>  ;; ADDITIONAL SECTION:
>>>  rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
>>>  262 600 60 86400 600
>>>  dns1.encirca.net. 97039 IN A 108.166.170.106
>>>  dns2.encirca.net. 97039 IN A 64.62.200.132
>>>
>>>  ;; Query time: 178 msec
>>>  ;; SERVER: 10.0.0.220#53(10.0.0.220)
>>>  ;; WHEN: Wed Oct 23 09:25:08 2019
>>>  ;; MSG SIZE rcvd: 249
>>>
>>>  Python 3.7.4 (v3.7.4:e09359112e, Jul 8 2019, 14:54:52)
>>>  [Clang 6.0 (clang-600.0.57)] on darwin
>>>  Type "help", "copyright", "credits" or "license" for more information.
>>>>>>   from socket import getaddrinfo
>>>>>>   getaddrinfo('cname.test.m3047.net',80)
>>>
>>>  [(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
>>>  ('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
>>>  <SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]
>>>
>>>  # dig cname.test.m3047.net.rpz1.m3047.net
>>>
>>>  ; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net.rpz1.m3047.net
>>>  ;; global options: +cmd
>>>  ;; Got answer:
>>>  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61953
>>>  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
>>>
>>>  ;; QUESTION SECTION:
>>>  ;cname.test.m3047.net.rpz1.m3047.net. IN A
>>>
>>>  ;; ANSWER SECTION:
>>>  CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN CNAME ACTUAL.TEST.M3047.NET.
>>>  ACTUAL.TEST.M3047.NET. 5 IN A 10.10.10.10
>>>
>>>  ;; AUTHORITY SECTION:
>>>  rpz1.m3047.net. 900 IN NS LOCALHOST.
>>>
>>>  ;; ADDITIONAL SECTION:
>>>  rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
>>>  262 600 60 86400 600
>>>
>>>  ;; Query time: 8 msec
>>>  ;; SERVER: 10.0.0.220#53(10.0.0.220)
>>>  ;; WHEN: Wed Oct 23 09:41:29 2019
>>>  ;; MSG SIZE rcvd: 235
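The failure mode discussed in this thread (an RPZ CNAME rewrite whose target is itself an RPZ trigger, so the second lookup is never policy-rewritten and the target's real address comes back) can be caught before deployment by linting the policy zone. The following is an added example, not code from the thread or from BIND; the sample zone text, `parse_rpz` and `find_double_rewrites` are constructed for illustration and the zone is assumed to use the same record shapes as the `net-dns.pl add rpz ...` entries quoted above.

```python
# Added example (not from the thread): lint an RPZ zone for CNAME rewrites
# whose target is itself an RPZ trigger. Per the observation above, once BIND
# has rewritten a query (st->state & DNS_RPZ_REWRITTEN) it does not apply the
# policy again when following the CNAME, so the target's real data is returned.
import re
from collections import defaultdict

# Constructed records in the shape of the entries added in the thread.
SAMPLE_RPZ = """$ORIGIN rpz1.m3047.net.
cname.test.m3047.net   600 IN CNAME actual.test.m3047.net.
actual.test.m3047.net  600 IN A     10.10.10.10
cname.example.com      600 IN CNAME test.example.com.
test.example.com       600 IN A     10.10.10.10
harmless.example.org   600 IN CNAME rpz-passthru.
"""

RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(CNAME|A|AAAA)\s+(\S+)$")
# RPZ special CNAME targets encode actions, not names that get looked up again.
SPECIAL_TARGETS = {".", "*.", "rpz-passthru.", "rpz-drop.", "rpz-tcp-only."}

def parse_rpz(text):
    """Return {trigger_name: [(rtype, rdata), ...]} for A/AAAA/CNAME records."""
    origin, records = "", defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()         # drop comments/blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        m = RR_RE.match(line)
        if not m:                                   # other RR types ignored
            continue
        owner, rtype, rdata = m.groups()
        owner = owner.rstrip(".").lower()
        if origin and owner.endswith("." + origin):  # absolute owner: strip zone
            owner = owner[: -len(origin) - 1]
        records[owner].append((rtype, rdata.lower()))
    return dict(records)

def find_double_rewrites(records):
    """Triggers whose CNAME target is also a trigger: the second lookup will
    not be policy-rewritten, as the dig output in the thread shows."""
    hits = []
    for owner, rrs in records.items():
        for rtype, target in rrs:
            if rtype == "CNAME" and target not in SPECIAL_TARGETS \
                    and target.rstrip(".") in records:
                hits.append((owner, target.rstrip(".")))
    return sorted(hits)
```

Run `find_double_rewrites(parse_rpz(zone_text))` over a real policy zone; every pair it reports is an entry where the CNAME target's own policy will be bypassed by the behaviour described above.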

