RPZ answer me NXDOMAIN for some domain

BONIN Nathanael BONIN.N at mipih.fr
Wed Mar 22 13:26:39 UTC 2023


Hi Ondrej!

I think you found the answer!!! It seems that the problem is DNSSEC. biopyrenees.net seems to have a DNSSEC signature:

dig @127.0.0.1 biopyrenees.net +dnssec +short
213.186.33.5
A 8 2 3600 20230414114926 20230315114926 1266 biopyrenees.net. uUm5BxSqUJFyBhFCkT20zcqD+VkxCOJ47KxDqzvLoaMLMPPwTLtxtseM /CW3hCeEAMGgxyGO/10N97jPLSTKZXlfrqC2DTgKbu27U7fE6gJtArRC LgIAv17ivw/mIyQT4WQzOLtJnCLc0wL/Ak3nHYG+eXV4CWmPVSPe9AXE JFY=

If I add break-dnssec yes; in my BIND conf, it seems to work like I wanted it to!!! Thanks. But what I don't understand is why it works when I query SrvA (the server that has the RPZ zone) directly?

Thanks for your time 😉

Nath.



Nathanaël BONIN
Linux systems and monitoring engineer
DO-HDS
Tel. 05.67.69.72.95
bonin.n at mipih.fr

2 Impasse Michel Labrousse, 31100 Toulouse







From: Ondřej Surý <ondrej at isc.org>
Sent: Wednesday, March 22, 2023 14:12
To: BONIN Nathanael <BONIN.N at mipih.fr>
Cc: bind-users at lists.isc.org
Subject: Re: RPZ answer me NXDOMAIN for some domain

Hi,

look for break-dnssec in https://bind9.readthedocs.io/en/stable/reference.html#response-policy-zone-rpz-rewriting

--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.


On 22. 3. 2023, at 12:52, BONIN Nathanael <BONIN.N at mipih.fr> wrote:

Hi there,

We have been using an RPZ zone for some time now, but recently we found a weird behavior with some domains. Let me explain!

We have 2 NS servers: a recursive one (let's call it SrvA) and one behind it (let's call it SrvB, with global forwarder: SrvA). My RPZ zone is on SrvA.

As a little diagram, we have:

User ===== > SrvB ===== > SrvA ===== > Internet

If we create an A record tatata.google.com / 2.3.4.5 (which doesn't exist at google.com) in the RPZ zone:

  1.  On SrvA with: dig @localhost tatata.google.com, we get IP 2.3.4.5 => GREAT!
  2.  On SrvB with: dig @localhost tatata.google.com (which points to SrvA), we get IP 2.3.4.5 => WONDERFUL!

BUT

If we create another A record sri.biopyrenees.net / 3.4.5.6 (which doesn't exist at biopyrenees.net) in the RPZ zone:

  1.  On SrvA with: dig @localhost sri.biopyrenees.net, we get IP 3.4.5.6 => YOUPI!
  2.  On SrvB with: dig @localhost sri.biopyrenees.net, we get: NXDOMAIN => WHATTTT?

Why isn't the RPZ working for some domains?

An example of what I wrote in my RPZ zone:

tatata.google.com                       A       2.3.4.5
sri.biopyrenees.net                     A      3.4.5.6

Is this normal? Is there a way to get the right answer on my SrvB?

With tcpdump, I see the same behavior with a record that works and with the record that doesn't work…

Thanks for your help.

Nath.
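As an added illustration (not configuration posted in the thread), here is a minimal BIND 9 fragment for SrvA that reproduces the fix discussed above, with comments on why the two records behaved differently; the zone name rpz.local and the file paths are assumed:

```conf
// /etc/bind/named.conf (fragment) on SrvA. Zone name and paths are assumed.
options {
    recursion yes;
    dnssec-validation auto;

    // By default BIND does not apply an RPZ rewrite to a DNSSEC-signed answer
    // when the query carried the DO bit. SrvB forwards to SrvA with DO set
    // (a validating resolver always does), so the signed biopyrenees.net name
    // was left untouched (real answer: NXDOMAIN) while the unsigned google.com
    // name was rewritten. break-dnssec yes applies the rewrite regardless.
    response-policy { zone "rpz.local"; } break-dnssec yes;
};

zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";
    allow-query { localhost; };   // the policy zone is never served to clients
    allow-transfer { none; };
};

/* /etc/bind/db.rpz.local (separate zone file). Owner names are relative to
   the RPZ apex, so "tatata.google.com" is tatata.google.com.rpz.local. and
   matches client queries for tatata.google.com:

   $TTL 300
   @                    IN SOA localhost. hostmaster.localhost. (
                               1 3600 900 604800 300 )
                        IN NS  localhost.
   tatata.google.com    IN A   2.3.4.5
   sri.biopyrenees.net  IN A   3.4.5.6
*/
```

A rewritten answer for a signed name carries no valid RRSIG, so if SrvB itself validates it will reject the rewrite as bogus (SERVFAIL) rather than pass it on. The rewrite reaches clients cleanly only when the RPZ is applied by the resolver the clients query directly, or when the downstream server does not validate what SrvA returns.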




