Internal CNAME in RPZ

Bob Harold rharolde at umich.edu
Thu Oct 24 13:06:45 UTC 2019


On Wed, Oct 23, 2019 at 10:34 AM Andrey Geyn <andgein at yandex-team.ru> wrote:

> Hello, I would like to set up RPZ with CNAME and A. There are two options:
>
> 1.
> cname.domain.com        CNAME   test.domain.com    (without trailing dot)
> test.domain.com         A       10.10.10.10
>

There is a misunderstanding here.  You would never redirect a domain in RPZ
to another domain in RPZ.
Domains in RPZ must always be redirected to a real domain.  You cannot
point it to the wrong place, and then expect it to be redirected again.  It
does not work that way.
Those two RPZ entries are completely separate.
Do you want cname.domain.com to point to 10.10.10.10?  Then use an A record
to 10.10.10.10.
Do you want cname.domain.com to point to some real domain name (probably a
name you control, like a walled garden, or error page)?  Then CNAME to that
real name.

-- 
Bob Harold



>
> In this case I receive
>
> # dig cname.domain.com @127.0.0.1
> ...
> cname.domain.com.       5       IN      CNAME   test.domain.com.rpz.
> test.domain.com.rpz.    3600    IN      A       10.10.10.10
> ...
>
> So, it looks good, but RPZ name is visible, which is unwanted for me.
>
> 2.
> cname.domain.com        CNAME   test.domain.com.      (with trailing dot)
> test.domain.com         A       10.10.10.10
>
> In this case I receive
>
>
> # dig cname.domain.com @127.0.0.1
> cname.domain.com.       5       IN      CNAME   test.domain.com.
> test.domain.com.        531     IN      A       66.96.162.92
>
> (66.98.162.92 is real, «internet» address of test.domain.com)
>
>
> Is it possible to make a configuration for internal CNAMEs in RPZ in which
> the RPZ name will not be visible to the user?
>
> Best regards,
> Andrey Geyn
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
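
Added example (not part of the original thread and not BIND code): a small Python check for the two CNAME cases discussed above. It applies the zone-file rule that a name without a trailing dot is relative to the zone origin, and flags CNAME targets that are themselves triggers in the same RPZ. The function names `qualify` and `lint_rpz` are hypothetical, the origin `rpz.` is assumed from the dig output, and the record lists are constructed sample data.

```python
ORIGIN = "rpz."  # assumed RPZ zone name, as seen in the dig output in the thread

# Constructed sample data: (owner, type, rdata) as written in the zone file.
OPTION_1 = [("cname.domain.com", "CNAME", "test.domain.com"),
            ("test.domain.com", "A", "10.10.10.10")]
OPTION_2 = [("cname.domain.com", "CNAME", "test.domain.com."),
            ("test.domain.com", "A", "10.10.10.10")]
DIRECT_A = [("cname.domain.com", "A", "10.10.10.10")]  # the form suggested in the reply


def qualify(name, origin=ORIGIN):
    """Zone-file rule: a name without a trailing dot is relative to the origin."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"


def lint_rpz(records, origin=ORIGIN):
    """Return (owner, finding) pairs for CNAMEs that will not act as an internal alias."""
    # Owner names in an RPZ are triggers, stored fully qualified under the origin.
    triggers = {qualify(owner, origin) for owner, _, _ in records}
    findings = []
    for owner, rtype, rdata in records:
        if rtype.upper() != "CNAME":
            continue
        target = qualify(rdata, origin)
        if not rdata.endswith("."):
            # Option 1: the relative target is expanded, so the zone name
            # shows up in the answer section.
            findings.append((owner, f"relative target expands to {target}"))
        elif qualify(target.rstrip("."), origin) in triggers:
            # Option 2: the absolute target is also a trigger, but per the reply
            # in this thread the rewritten answer is not rewritten a second time.
            findings.append((owner, f"target {target} is another RPZ trigger"))
    return findings


if __name__ == "__main__":
    for label, zone in (("option 1", OPTION_1), ("option 2", OPTION_2),
                        ("direct A", DIRECT_A)):
        print(label, lint_rpz(zone) or "ok")
```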