RPZ answer me NXDOMAIN for some domain

[BONIN Nathanael]

Hi there,

We are using RPZ zone for some times now, but recently we found a weird behavior from some domains. Let me explain !

We have 2 NS server : Recursive one (let's call him SrvA) and one bebind (let's call him SrvB, with global forwarder : SrvA ). My RPZ zone is on SrvA.

If we took a little diagram, we have :

User ===== > SrvB ===== > SrvA ===== > Internet

If we create an A record tatata.google.com / 2.3.4.5 (that doesn't exist at google.com) on RPZ zone :


  *   On SrvA with : dig @localhost tatata.google.com we got IP : 2.3.4.5 => GREAT !
  *   On SrvB with : dig @localhost tatata.google.com (that point on SrvA), we got IP : 2.3.4.5 => WONDERFUL !

BUT

If we create another A record sri.biopyrenees.net / 3.4.5.6 (that doesn't exist at biopyrenees.net) on RPZ zone :


  *   On SrvA with : dig @localhost sri.biopyrenees.net, we got IP : 3.4.5.6 => YOUPI !
  *   On SrvB with : dig @localhost sri.biopyrenees.net, we got : NXDOMAIN => WHATTTT ?

Why for some domain, the RPZ isn't working ?

An exemple of what I wrote on my RPZ zone :

tatata.google.com                       A       2.3.4.5
sri.biopyrenees.net                     A      3.4.5.6

Is it normal ? Is there a way to have the good answer on my SrvB ?

With tcpdump, I see the same behavior with a record that works and with the record that doesn't work...

Thanks for your help.

Nath.





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230322/07aadaf3/attachment.htm>