Reverse Policy Zone to make MS Azure stuff work?

Michael De Roover isc at nixmagic.com
Thu Apr 13 23:09:16 UTC 2023


On Friday, 14 April 2023 00:28:24 CEST John Thurston wrote:
> Due to a requirement to use something Microsoft crafted, we are being
> asked to assert (internally) authority over 3rd-level names under
> appserviceenvironment.net
> 
> I've pushed back on this, because I don't think it's nice to publish
> "authoritative" answers in domains we have not been delegated. But I'm
> told it's all ok, because Microsoft says it's ok*. Having accepted that
> the ship has sailed, it's now a question of how to deliver such answers.
> 
> One obvious way is to define a zone for each 3rd level under
> appserviceenvironment.net, and publish them in a way our resolvers can
> find them. In the absence of catalog-zones, this could be a lot of
> additional work (for me).
> 
> Then I wondered if adding these 'hijacked' names to our RPZ would meet
> the need. I first thought, "Yeah. It'll work.", but then I re-read the
> statement from MS saying each 3rd level was going to need to have a 4th
> level zone defined. A zone definition requires at least an SOA and NS
> record . . . and last time I checked, an RPZ would not deliver an NS
> record. So it seems that idea may be squashed.
> 
> Who else has need to publish locally-defined appserviceenvironment.net
> names? Were you able to do it with your RPZ?
> 
> *
> https://learn.microsoft.com/en-us/azure/app-service/environment/create-ilb-ase


Hello John,

For what it's worth, I've been working on Microsoft related domains in an RPZ recently as 
well. The way I've done this is by defining a zone "rpz.local" in my named.conf, as shown 
below.

// Response Policy Zone
zone "rpz.local" {
	type master;
	file "/etc/bind/zones/rpz.local.db";
	allow-update { none; };           // no dynamic updates
	allow-transfer { internal; };     // "internal" is an ACL defined elsewhere in named.conf
	allow-query { localhost; };       // the zone itself is never served to clients
};

Then I define in this rpz.local.db file, entries like the ones below.

$TTL 300

@   IN  SOA localhost. need.to.know.only. (
	202303131	; Serial number
	60	; Refresh every minute
	60	; Retry every minute
	43200	; Expire after 12 hours (43200 seconds)
	60 )	; Negative cache TTL 1 minute
	IN  NS  LOCALHOST.

; Examples (owner names are relative to rpz.local, targets are absolute)
block.example.com		IN	CNAME	.		; NXDOMAIN
passthrough.example.com	IN	CNAME	rpz-passthru.	; hand back the real answer
redirect.example.com		IN	CNAME	example.com.	; rewrite to example.com.

Pay special attention to the lack of a final dot in the records themselves; this is important. 
As far as I understand, this makes them relative to your rpz.local zone, not the actual 
domain on the internet. The only major issue I've been facing with this so far is that AXFR 
to secondary and tertiary name servers has some issues, and at least Windows 10 Home 
will query those when the primary name server does not give a satisfactory answer.

-- 
Met vriendelijke groet / Best regards,
Michael De Roover
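The trailing-dot point above is the one that bites people editing an RPZ by hand: an owner name written with a final dot is out-of-zone data that BIND silently drops, so the rule never fires, while a redirect target written without a final dot expands inside rpz.local. The small linter below is an added example, not code from the thread or from ISC; it parses a zone file in the style of the rpz.local.db shown above, maps each CNAME target to the RPZ action it selects, and warns about both mistakes. The sample zone text is constructed for the example and adds two deliberately wrong records.

```python
"""Lint a BIND Response Policy Zone (RPZ) file for trailing-dot mistakes.

Added example, not from the mailing-list thread. It assumes the RPZ zone is
called rpz.local (as in the reply above) and only looks at CNAME rules, which
is how RPZ encodes its actions.
"""
import re

# A CNAME target in an RPZ selects the policy action (BIND's encoding).
ACTIONS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}

# Constructed sample modelled on the rpz.local.db in the reply; the last two
# records are deliberately wrong to exercise the linter.
SAMPLE_ZONE = """\
$TTL 300
@   IN  SOA localhost. need.to.know.only. (
    202303131   ; Serial number
    60          ; Refresh
    60          ; Retry
    43200       ; Expire
    60 )        ; Negative cache TTL
    IN  NS  LOCALHOST.
; Examples
block.example.com        IN  CNAME  .
passthrough.example.com  IN  CNAME  rpz-passthru.
redirect.example.com     IN  CNAME  example.com.
broken.example.com.      IN  CNAME  .
oops.example.com         IN  CNAME  example.com
"""

# owner [ttl] [IN] CNAME target
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)\s*$", re.IGNORECASE)


def parse_rpz(text, zone="rpz.local"):
    """Return (trigger, target, action) for every CNAME rule in the zone text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        # Skip directives, the apex (@) and continuation lines of the SOA/NS.
        if not line or line.startswith(("$", "@", " ", "\t")):
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        trigger, target = m.group(1), m.group(2)
        if target in ACTIONS:
            action = ACTIONS[target]
        elif target.endswith("."):
            action = "LOCAL-DATA " + target              # absolute redirect target
        else:
            # A relative target is completed with the RPZ origin, almost never intended.
            action = "LOCAL-DATA " + target + "." + zone + "."
        rules.append((trigger, target, action))
    return rules


def lint_rpz(text, zone="rpz.local"):
    """Return warnings for rules that cannot work as written."""
    warnings = []
    for trigger, target, _action in parse_rpz(text, zone):
        if trigger.endswith(".") and not trigger.endswith("." + zone + "."):
            warnings.append(
                f"{trigger}: out-of-zone owner name, BIND ignores the record; "
                f"drop the trailing dot so it becomes {trigger}{zone}."
            )
        if target not in ACTIONS and not target.endswith("."):
            warnings.append(
                f"{trigger}: relative CNAME target {target} expands to "
                f"{target}.{zone}.; add a trailing dot for a real redirect."
            )
    return warnings


if __name__ == "__main__":
    for trigger, target, action in parse_rpz(SAMPLE_ZONE):
        print(f"{trigger:28} -> {action}")
    for w in lint_rpz(SAMPLE_ZONE):
        print("WARNING:", w)
```

Run it against a real zone by reading the file into `parse_rpz`/`lint_rpz` instead of `SAMPLE_ZONE`; `named-checkzone rpz.local /etc/bind/zones/rpz.local.db` remains the authoritative syntax check, this script only makes the two dot mistakes visible before BIND quietly discards or misexpands them.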