Internal CNAME in RPZ
Andrey Geyn
andgein at yandex-team.ru
Thu Oct 24 15:03:54 UTC 2019
Thank you, Bob.
Unfortunately, records are generated by my users, not by me, so I can't change them as I want.
Thanks again for your time and detailed explanation.
Andrey.
24.10.2019, 19:53, "Bob Harold" <rharolde at umich.edu>:
> On Thu, Oct 24, 2019 at 9:20 AM Andrey Geyn <andgein at yandex-team.ru> wrote:
>> Hi, Bob, thank you for your response!
>>
>> What if I want to make the following configuration (as an example):
>>
>> domain.com A 10.10.10.10
>> *.domain.com CNAME domain.com
>>
>> I don't want to write 10.10.10.10 twice, I want to use the magic of CNAMEs here.
>
> Sorry, that is not how RPZ was designed to work.
> You can make the second one:
> *.domain.com CNAME my10.realdomain.com.
> Where there is a real domain (not the RPZ domain) with:
> my10.realdomain.com. A 10.10.10.10
>
> Or make them both "A" records. Or both CNAME. But one RPZ entry cannot point to another.
> Use scripts to automate the process, if you don't want to enter 10.10.10.10 twice.
>
> p.s. The decision not to re-lookup the results of RPZ lookups is probably for speed and to avoid loops. Trying to patch around that is not a good idea.
>
> --
> Bob Harold
>
>>> Do you want cname.domain.com to point to 10.10.10.10? Then use an A record to 10.10.10.10.
>> This sentence sounds like «CNAMEs are useless at all» :-). Do you want some domain to point to some address? Then use an A record, not CNAME!
>>
>> Additionally, I already use a patched version of BIND. Maybe it is possible to make some patch for allowing this behavior?
>>
>> Andrey
>>
>> 24.10.2019, 18:06, "Bob Harold" <rharolde at umich.edu>:
>>> On Wed, Oct 23, 2019 at 10:34 AM Andrey Geyn <andgein at yandex-team.ru> wrote:
>>>> Hello, I would like to set up RPZ with CNAME and A. There are two options:
>>>>
>>>> 1.
>>>> cname.domain.com CNAME test.domain.com (without trailing dot)
>>>> test.domain.com A 10.10.10.10
>>>
>>> There is a misunderstanding here. You would never redirect a domain in RPZ to another domain in RPZ.
>>> Domains in RPZ must always be redirected to a real domain. You cannot point it to the wrong place, and then expect it to be redirected again. It does not work that way.
>>> Those two RPZ entries are completely separate.
>>> Do you want cname.domain.com to point to 10.10.10.10? Then use an A record to 10.10.10.10.
>>> Do you want cname.domain.com to point to some real domain name (probably a name you control, like a walled garden, or error page)? Then CNAME to that real name.
>>>
>>> --
>>> Bob Harold
>>>
>>>> In this case I receive
>>>>
>>>> # dig cname.domain.com @127.0.0.1
>>>> ...
>>>> cname.domain.com. 5 IN CNAME test.domain.com.rpz.
>>>> test.domain.com.rpz. 3600 IN A 10.10.10.10
>>>> ...
>>>>
>>>> So, it looks good, but the RPZ name is visible, which is unwanted for me.
>>>>
>>>> 2.
>>>> cname.domain.com CNAME test.domain.com. (with trailing dot)
>>>> test.domain.com A 10.10.10.10
>>>>
>>>> In this case I receive
>>>>
>>>> # dig cname.domain.com @127.0.0.1
>>>> cname.domain.com. 5 IN CNAME test.domain.com.
>>>> test.domain.com. 531 IN A 66.96.162.92
>>>>
>>>> (66.98.162.92 is the real, «internet» address of test.domain.com)
>>>>
>>>> Is it possible to make a configuration for internal CNAMEs in RPZ in which the RPZ name will not be visible to the user?
>>>>
>>>> Best regards,
>>>> Andrey Geyn
>>>>
>>>> bind-users mailing list
>>>> bind-users at lists.isc.org
>>>> https://lists.isc.org/mailman/listinfo/bind-users
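Bob's suggestion to script the duplication, written out as an added example that is not part of this thread or of BIND itself: a small Python pre-processor (the function names and the sample records are my own) that flattens any RPZ CNAME pointing at another entry of the same RPZ zone into that entry's own records, so the loaded zone never relies on an RPZ re-lookup, and that rejects loops and dangling targets instead of producing a zone that leaks the RPZ name.

```python
"""Flatten intra-zone CNAMEs in a BIND RPZ zone before loading it. RPZ does not
re-look up a rewrite result, so a CNAME to another RPZ entry (relative target, no
trailing dot) would expose the RPZ zone name; CNAMEs to absolute real names stay."""
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (owner, rtype, rdata); owner relative to the RPZ zone

class RpzFlattenError(ValueError):
    pass

def flatten_rpz(records: List[Record]) -> List[Record]:
    by_owner: Dict[str, List[Record]] = {}
    for rec in records:
        by_owner.setdefault(rec[0], []).append(rec)

    def resolve(owner: str, seen: Tuple[str, ...]) -> List[Tuple[str, str]]:
        # (rtype, rdata) pairs that `owner` ultimately maps to inside the zone
        if owner in seen:
            raise RpzFlattenError("CNAME loop: " + " -> ".join(seen + (owner,)))
        if owner not in by_owner:
            raise RpzFlattenError(f"{owner}: CNAME target is not defined in the RPZ zone")
        out: List[Tuple[str, str]] = []
        for _, rtype, rdata in by_owner[owner]:
            if rtype == "CNAME" and not rdata.endswith("."):
                out.extend(resolve(rdata, seen + (owner,)))  # relative target: chase it
            else:
                out.append((rtype, rdata))  # address data, or CNAME to a real name
        return out

    flat: List[Record] = []
    for owner, rtype, rdata in records:
        if rtype == "CNAME" and not rdata.endswith("."):
            flat.extend((owner, t, d) for t, d in resolve(rdata, (owner,)))
        else:
            flat.append((owner, rtype, rdata))
    return flat

def to_zone_lines(records: List[Record], ttl: int = 3600) -> List[str]:
    return [f"{o} {ttl} IN {t} {d}" for o, t, d in records]

# Constructed sample mirroring the thread: the wildcard reuses the apex address via CNAME.
SAMPLE: List[Record] = [
    ("domain.com", "A", "10.10.10.10"),
    ("*.domain.com", "CNAME", "domain.com"),  # intra-RPZ CNAME: flattened to an A record
    ("cname.domain.com", "CNAME", "test.domain.com."),  # absolute target: kept as-is
]

if __name__ == "__main__":
    print("\n".join(to_zone_lines(flatten_rpz(SAMPLE))))
```

Run it over the user-supplied records before `rndc reload`; the only RPZ entries that survive as CNAMEs are those whose target is a real, absolute name, which is exactly what RPZ can act on.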