RPZ answer me NXDOMAIN for some domain

Greg Choules gregchoules+bindusers at googlemail.com
Wed Mar 22 13:12:49 UTC 2023


Hi Nath.
What have you got on SrvB for biopyrenees.net, or net?
On SrvB, please do "dig @127.0.0.1 sri.biopyrenees.net" (please use the
actual address rather than "localhost") and paste the full result here. I
am interested in flags and the query time right now.

Cheers, Greg

On Wed, 22 Mar 2023 at 11:52, BONIN Nathanael <BONIN.N at mipih.fr> wrote:

> Hi there,
>
> We have been using an RPZ zone for some time now, but recently we found
> weird behavior for some domains. Let me explain!
>
> We have 2 NS servers: a recursive one (let’s call it SrvA) and one behind
> (let’s call it SrvB, with a global forwarder: SrvA). My RPZ zone is on
> SrvA.
>
> As a little diagram, we have:
>
> User ===== > SrvB ===== > SrvA ===== > Internet
>
> If we create an A record tatata.google.com / 2.3.4.5 (that doesn’t exist
> at google.com) in the RPZ zone:
>
>    - On SrvA with: dig @localhost tatata.google.com we got IP: 2.3.4.5
>    => GREAT!
>    - On SrvB with: dig @localhost tatata.google.com (which points to
>    SrvA), we got IP: 2.3.4.5 => WONDERFUL!
>
> BUT
>
> If we create another A record sri.biopyrenees.net / 3.4.5.6 (that doesn’t
> exist at biopyrenees.net) in the RPZ zone:
>
>    - On SrvA with: dig @localhost sri.biopyrenees.net, we got IP:
>    3.4.5.6 => YOUPI!
>    - On SrvB with: dig @localhost sri.biopyrenees.net, we got: NXDOMAIN
>    => WHATTTT?
>
> Why isn’t the RPZ working for some domains?
>
> An example of what I wrote in my RPZ zone:
>
> tatata.google.com                       A       2.3.4.5
>
> sri.biopyrenees.net                     A      3.4.5.6
>
> Is this normal? Is there a way to get the correct answer on my SrvB?
>
> With tcpdump, I see the same behavior with a record that works and with
> the record that doesn’t work…
>
> Thanks for your help.
>
> Nath.