replace "SERVFAIL" to "NXDOMAIN" with rpz

sami.rahal at sofrecom.com
Mon Jun 19 11:40:11 UTC 2023


Thank you Greg.
So if I understand correctly, if we receive a SERVFAIL return code, we cannot change this code to NXDOMAIN with the RPZ configuration?
Regards

From: Greg Choules <gregchoules+bindusers at googlemail.com>
Sent: Monday, 19 June 2023 12:02
To: RAHAL Sami SOFRECOM <sami.rahal at sofrecom.com>
Cc: bind-users at lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

That's because this domain is broken. The NS for it are:
antlauncher.com: type NS, class IN, ns ns1626.ztomy.com (204.11.56.26)
antlauncher.com: type NS, class IN, ns ns2626.ztomy.com (204.11.57.26)
No matter what query you send them (so far) they respond with REFUSED and claim not to be authoritative for "antlauncher.com".

Personally I would live with the SERVFAIL because it tells you that something is wrong, not just that it doesn't exist. Then try to contact the people who own this domain and tell them it is broken.

Cheers, Greg

On Mon, 19 Jun 2023 at 10:33, <sami.rahal at sofrecom.com> wrote:
Hello
Thank you for these details Greg. By the way, I worked on a problem on one of my resolvers and there are currently no "SERVFAIL" errors for valid domain names, but I receive SERVFAIL for the domain name "antlauncher.com"; that's why I wanted to change the return code for this domain name to "NXDOMAIN", so as not to distort the monitoring result.
Regards
From: Greg Choules <gregchoules+bindusers at googlemail.com>
Sent: Monday, 19 June 2023 10:03
To: RAHAL Sami SOFRECOM <sami.rahal at sofrecom.com>
Cc: bind-users at lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

Hi Sami.
Firstly, a couple of definitions:
NXDOMAIN is a response from an authoritative server (or a resolver because it cached it). It is a positive confirmation that "this name does not exist". It means that the QNAME in the query cannot be found, for any record type.
SERVFAIL is a response from a recursive server meaning "I tried my best to get a response to your query but I just failed".

So if your monitoring tool, whatever it is, is receiving SERVFAIL responses from your DNS server then you need to fix whatever is causing those in the server.
Causes of SERVFAIL could be that your server cannot contact the authoritative server(s) that should know the answer. Or it might be because your server is trying to do DNSSEC validation and that is failing.
The best way to know *why* you are getting SERVFAIL would be to take a packet capture that includes the client queries to the server and any queries the server makes to try and get answers, plus all the responses.
Please do that and share the results, using real domains, not examples.

Hope that helps, Greg
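The distinction drawn above (NXDOMAIN as a positive "does not exist" from an authoritative server, SERVFAIL as a resolver-side failure, and the broken NS answering REFUSED without claiming authority) is exactly what a monitoring check has to read out of the response header before it decides whether something is wrong. The script below is an added example, not code from this thread or from BIND: it builds a query, decodes the header bits (QR, AA, RA, RCODE) and the question name from a reply using only the Python standard library, and classifies the result the way a monitor should. The three sample packets are constructed inline to mirror the cases in the thread; `query_udp` is included so the same parser can be run against a real resolver, and it assumes UDP port 53 is reachable from where you run it.

```python
"""Decode DNS response headers and classify the RCODE for monitoring.

Added example (not from the thread or from BIND). Standard library only.
NXDOMAIN = positive "name does not exist"; SERVFAIL = the recursive server
could not get an answer; REFUSED with AA clear = a server that will not act
as authoritative for the name (the "broken NS" case in the thread)."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def encode_qname(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Minimal recursive query (RD set) for `name`, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def decode_qname(data, offset):
    """Read a name at `offset`, following compression pointers (RFC 1035 4.1.4)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_qname(data, ptr)
            labels.append(tail.rstrip("."))
            return ".".join(labels) + ".", offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(data):
    """Return the header bits and question that matter for triage."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {
        "id": txid,
        "qr": bool(flags & 0x8000),      # response bit
        "aa": bool(flags & 0x0400),      # authoritative answer
        "ra": bool(flags & 0x0080),      # recursion available
        "rcode": RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F)),
        "ancount": an,
    }
    if qd:
        qname, off = decode_qname(data, 12)
        info["qname"] = qname
        info["qtype"] = struct.unpack("!H", data[off:off + 2])[0]
    return info


def classify(info):
    """Monitoring verdict: only NXDOMAIN/NOERROR are answers; the rest are failures."""
    rc = info["rcode"]
    if rc == "NXDOMAIN":
        return "name-does-not-exist"
    if rc == "NOERROR":
        return "answered" if info["ancount"] else "no-data"
    if rc == "SERVFAIL":
        return "resolution-failed"
    if rc == "REFUSED":
        return "refused-by-server"
    return "error-" + rc


def make_response(query, rcode, aa=False, ra=True):
    """Build a reply to `query` with the given flags (used for the constructed samples)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0100 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


# Constructed sample traffic mirroring the thread: the resolver's SERVFAIL,
# the broken NS answering REFUSED without AA, and a genuine NXDOMAIN.
QUERY = build_query("antlauncher.com")
SAMPLE_RESOLVER_SERVFAIL = make_response(QUERY, 2)
SAMPLE_NS_REFUSED = make_response(QUERY, 5, aa=False, ra=False)
SAMPLE_AUTH_NXDOMAIN = make_response(QUERY, 3, aa=True, ra=False)


def query_udp(server, name, qtype=1, timeout=3.0):
    """Send a live query to `server` (assumes UDP/53 reachable) and parse the reply."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    for label, pkt in (("resolver", SAMPLE_RESOLVER_SERVFAIL),
                       ("broken NS", SAMPLE_NS_REFUSED),
                       ("authoritative", SAMPLE_AUTH_NXDOMAIN)):
        info = parse_response(pkt)
        print("%-13s %s rcode=%s aa=%s -> %s" % (label, info["qname"],
              info["rcode"], info["aa"], classify(info)))
```

When run against packets from a capture, the useful signal is the pair (rcode, aa): a REFUSED or SERVFAIL without AA from the servers the resolver contacted points at the delegation, not at the resolver, which is why rewriting the resolver's SERVFAIL to NXDOMAIN would hide the fault rather than fix it.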


On Mon, 19 Jun 2023 at 09:39, <sami.rahal at sofrecom.com> wrote:
Hello, thank you for your feedback.
Yes, it works like that! But it does not work for a domain name that already has the return code "SERVFAIL" when we want to change this code to "NXDOMAIN", like this domain name "antlauncher.com".
Regards, Rahal

-----Original Message-----
From: bind-users <bind-users-bounces at lists.isc.org> on behalf of bind-users-request at lists.isc.org
Sent: Saturday, 17 June 2023 06:23
To: bind-users at lists.isc.org
Subject: bind-users Digest, Vol 4262, Issue 1


Today's Topics:

   1. replace "SERVFAIL" to "NXDOMAIN" with rpz (sami.rahal at sofrecom.com)
   2. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Crist Clark)
   3. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Fred Morris)
   4. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Ondřej Surý)


----------------------------------------------------------------------

Message: 1
Date: Fri, 16 Jun 2023 20:39:43 +0000
From: sami.rahal at sofrecom.com
To: bind-users at lists.isc.org
Subject: replace "SERVFAIL" to "NXDOMAIN" with rpz
Message-ID: <9c4465dc103645149093f4d3f60cf89a at sofrecom.com>
Content-Type: text/plain; charset="us-ascii"


Hello
For monitoring reasons I am trying to change the return code of a domain name from "SERVFAIL" to "NXDOMAIN" with the classic RPZ configuration of BIND 9.16.42, as follows:
example.com IN CNAME .
*.example.com IN CNAME .
But it still doesn't work; I still get "SERVFAIL". Is it feasible or not, please?
Kind regards


------------------------------

Message: 2
Date: Fri, 16 Jun 2023 20:29:16 -0700
From: Crist Clark <cjc+bind-users at pumpky.net>
To: sami.rahal at sofrecom.com
Cc: bind-users at lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
Message-ID: <CAAcrURK2=+uqQ+_AvVbiAV2jpagOhd=ozRfQ_SCazBn-rUZXig at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

That should return a NXDOMAIN. Returning SERVFAIL is never a normal RPZ action. Something is wrong with your configuration.

On Fri, Jun 16, 2023 at 1:39 PM <sami.rahal at sofrecom.com> wrote:

>
>
> Hello
>
> For monitoring reasons I try to change the return code of a domain
> name from "SERVFAIL" to "NXDOMAIN" with the rpz classic configuration
> of
> BIND9.16.42 as follows:
>
> example.com IN CNAME .
>
> *.example.com IN CNAME .
>
> But it still doesn't work, I still have the message  " SERVFAIL", is
> it feasible or not please ?
>
> Kind regards
>

------------------------------

Message: 3
Date: Fri, 16 Jun 2023 21:40:11 -0700 (PDT)
From: Fred Morris <m3047 at m3047.net>
To: bind-users at lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
Message-ID: <alpine.LSU.2.21.2306162134190.27806 at flame.m3047>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Admittedly, since I'm writing software to do "off label" stuff with DNS I make mistakes. But I have seen things along this line (interactions between RPZ and regular resolution in the context of "broken" domains): in some cases it has seemed impossible to ameliorate / mitigate SERVFAIL utilizing RPZ.

I'll try to pay more attention and see if I can isolate a test case if the problem recurs. (I was kind of hoping someone would have a solution!)

--

Fred Morris

On Fri, 16 Jun 2023, Crist Clark wrote:
>
> That should return a NXDOMAIN. Returning SERVFAIL is never a normal
> RPZ action. Something is wrong with your configuration.
>
> On Fri, Jun 16, 2023 at 1:39 PM <sami.rahal at sofrecom.com> wrote:
>>
>> For monitoring reasons I try to change the return code of a domain
>> name from "SERVFAIL" to "NXDOMAIN" with the rpz classic configuration
>> of
>> BIND9.16.42 as follows:
>>
>> example.com IN CNAME .
>>
>> *.example.com IN CNAME .
>>
>> But it still doesn't work, I still have the message  " SERVFAIL", is
>> it feasible or not please ?
>>

------------------------------

Message: 4
Date: Sat, 17 Jun 2023 07:22:50 +0200
From: Ondřej Surý <ondrej at isc.org>
To: Fred Morris <m3047 at m3047.net>
Cc: bind-users at lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
Message-ID: <F1DB32B3-CD74-44F3-8589-ED3386CBCA70 at isc.org>
Content-Type: text/plain; charset="us-ascii"

An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230617/a5b1eca8/attachment.htm>

------------------------------


