RPZ answer me NXDOMAIN for some domain

BONIN Nathanael BONIN.N at mipih.fr
Wed Mar 22 13:24:05 UTC 2023


Hi Greg.

From SrvB for biopyrenees.net:

; <<>> DiG 9.16.37-Debian <<>> @127.0.0.1 biopyrenees.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50982
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: cc07cc9125ef093101000000641b008931c676424c93bf4b (good)
;; QUESTION SECTION:
;biopyrenees.net.               IN      A

;; ANSWER SECTION:
biopyrenees.net.        3529    IN      A       213.186.33.5

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 22 14:20:09 CET 2023
;; MSG SIZE  rcvd: 88

And for sri.biopyrenees.net:

; <<>> DiG 9.16.37-Debian <<>> @127.0.0.1 sri.biopyrenees.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58873
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: da87ba8a639bb3e001000000641b00a6bedb081dc74b36fd (good)
;; QUESTION SECTION:
;sri.biopyrenees.net.           IN      A

;; AUTHORITY SECTION:
biopyrenees.net.        60      IN      SOA     dns18.ovh.net. tech.ovh.net. 2023031501 86400 3600 3600000 60

;; Query time: 24 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 22 14:20:38 CET 2023
;; MSG SIZE  rcvd: 130

Thanks!


Nathanaël BONIN
Linux systems and monitoring engineer
DO-HDS
Tel. 05.67.69.72.95
bonin.n at mipih.fr

2 Impasse Michel Labrousse, 31100 Toulouse

From: Greg Choules <gregchoules+bindusers at googlemail.com>
Sent: Wednesday 22 March 2023 14:13
To: BONIN Nathanael <BONIN.N at mipih.fr>
Cc: bind-users at lists.isc.org
Subject: Re: RPZ answer me NXDOMAIN for some domain

Hi Nath.
What have you got on SrvB for biopyrenees.net, or net?
On SrvB, please do "dig @127.0.0.1 sri.biopyrenees.net" (please use the actual address rather than "localhost") and paste the full result here. I am interested in flags and the query time right now.

Cheers, Greg

On Wed, 22 Mar 2023 at 11:52, BONIN Nathanael <BONIN.N at mipih.fr> wrote:
Hi there,

We have been using an RPZ zone for some time now, but recently we found a weird behaviour with some domains. Let me explain!

We have 2 name servers: a recursive one (let's call it SrvA) and one behind it (let's call it SrvB, with global forwarder: SrvA). My RPZ zone is on SrvA.

As a little diagram, we have:

User ===== > SrvB ===== > SrvA ===== > Internet

If we create an A record tatata.google.com / 2.3.4.5 (which doesn't exist at google.com) in the RPZ zone:


  *   On SrvA with: dig @localhost tatata.google.com, we get IP 2.3.4.5 => GREAT!
  *   On SrvB with: dig @localhost tatata.google.com (which forwards to SrvA), we get IP 2.3.4.5 => WONDERFUL!

BUT

If we create another A record sri.biopyrenees.net / 3.4.5.6 (which doesn't exist at biopyrenees.net) in the RPZ zone:


  *   On SrvA with: dig @localhost sri.biopyrenees.net, we get IP 3.4.5.6 => HOORAY!
  *   On SrvB with: dig @localhost sri.biopyrenees.net, we get: NXDOMAIN => WHATTTT?

Why isn't the RPZ working for some domains?

An example of what I wrote in my RPZ zone:

tatata.google.com                       A       2.3.4.5
sri.biopyrenees.net                     A       3.4.5.6

Is this normal? Is there a way to get the right answer on my SrvB?

With tcpdump, I see the same behaviour with a record that works and with the record that doesn't work…

Thanks for your help.

Nath.





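Added diagnostic for the comparison discussed in this thread (example code, not from the list or from BIND): a small Python script that parses dig's text output from each hop and reports, per query, whether the RPZ rewrite from the original post showed up, together with the flags and query time Greg asked about. The SrvB sample is the NXDOMAIN reply pasted above, trimmed to the lines the parser uses; the SrvA sample is constructed from what the original post reports (an answer of 3.4.5.6). It assumes dig's standard text layout, that the two RPZ zone lines map to the FQDNs tatata.google.com and sri.biopyrenees.net, and it only inspects A and SOA records.

```python
"""Compare dig replies from SrvA and SrvB against the expected RPZ rewrites.

Added example for this thread; not code from the mailing list or from BIND.
"""
import re

# Expected RPZ rewrites, taken from the two zone lines in the original post
# (assumption: the relative owner names correspond to these FQDNs).
RPZ_EXPECTED = {
    "tatata.google.com.": "2.3.4.5",
    "sri.biopyrenees.net.": "3.4.5.6",
}

# Copied (trimmed) from the SrvB reply pasted in the thread.
DIG_SRVB_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58873
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sri.biopyrenees.net.           IN      A

;; AUTHORITY SECTION:
biopyrenees.net.        60      IN      SOA     dns18.ovh.net. tech.ovh.net. 2023031501 86400 3600 3600000 60

;; Query time: 24 msec
"""

# Constructed sample: the reply the poster reports getting on SrvA (3.4.5.6).
DIG_SRVA_REWRITTEN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;sri.biopyrenees.net.           IN      A

;; ANSWER SECTION:
sri.biopyrenees.net.    5       IN      A       3.4.5.6

;; Query time: 0 msec
"""

SECTION_RE = re.compile(r"^;; (QUESTION|ANSWER|AUTHORITY|ADDITIONAL) SECTION:$")


def parse_dig(text):
    """Turn dig's text output into status, flags, query time and RR lists."""
    out = {"status": None, "flags": [], "query_time_ms": None,
           "QUESTION": [], "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section = None
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            out["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            # ";; flags: qr rd ra; QUERY: 1, ..." -> ["qr", "rd", "ra"]
            out["flags"] = line[len(";; flags:"):].split(";")[0].split()
        elif line.startswith(";; Query time:"):
            out["query_time_ms"] = int(re.search(r"(\d+) msec", line).group(1))
        elif SECTION_RE.match(line):
            section = SECTION_RE.match(line).group(1)
        elif section == "QUESTION" and line.startswith(";") and not line.startswith(";;"):
            name, cls, rtype = line[1:].split()
            out["QUESTION"].append({"name": name, "class": cls, "type": rtype})
        elif section and line and not line.startswith(";"):
            parts = line.split(None, 4)  # owner ttl class type rdata
            if len(parts) == 5:
                name, ttl, cls, rtype, rdata = parts
                out[section].append({"name": name, "ttl": int(ttl), "class": cls,
                                     "type": rtype, "rdata": rdata})
    return out


def rpz_verdict(dig_text, expected=RPZ_EXPECTED):
    """'rewritten' if the reply carries the RPZ A record for the queried name,
    otherwise a short description of what came back instead."""
    r = parse_dig(dig_text)
    qname = r["QUESTION"][0]["name"]
    want = expected.get(qname)
    if want is None:
        return "not in RPZ"
    got = [rr["rdata"] for rr in r["ANSWER"] if rr["type"] == "A"]
    if r["status"] == "NOERROR" and got == [want]:
        return "rewritten"
    if r["status"] == "NXDOMAIN":
        soa = [rr for rr in r["AUTHORITY"] if rr["type"] == "SOA"]
        owner = soa[0]["name"] if soa else "?"
        mname = soa[0]["rdata"].split()[0] if soa else "?"
        return f"not rewritten: NXDOMAIN with SOA for {owner} ({mname})"
    return f"not rewritten: {r['status']} with A records {got}"


def compare_hops(srva_text, srvb_text):
    """One row per hop: (label, verdict, flags, query time in ms)."""
    rows = []
    for label, text in (("SrvA", srva_text), ("SrvB", srvb_text)):
        r = parse_dig(text)
        rows.append((label, rpz_verdict(text), " ".join(r["flags"]), r["query_time_ms"]))
    return rows


if __name__ == "__main__":
    for row in compare_hops(DIG_SRVA_REWRITTEN, DIG_SRVB_NXDOMAIN):
        print("%-5s %-60s flags=%-10s %s ms" % row)
```

Feed it the real output of `dig @127.0.0.1 <name>` from each server in turn; a reply that says "not rewritten" while carrying the SOA of the public zone tells you which hop produced the NXDOMAIN, which is the first thing to pin down before looking at the RPZ itself.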