rpz_rewrite(): failure

Wilfred Sarmiento wpsarmiento at globe.com.ph
Tue May 9 13:38:09 UTC 2023


Hi Bind Users,

Is anyone familiar with the error we encountered on DNS BIND 9.18.2 Ubuntu
for DNS caching, below?

We are using RPZ for redirecting domains (porn sites) where we already have
20k+ entries.
The domain (globem2m.com.ph) from the logs below is not in the RPZ list but was
processed for RPZ QNAME rewrite, based on the logs, and a query to that
domain results in SERVFAIL.
The issue is isolated to several domains only, including globem2m.com.ph;
all other queries to different domains are successful.

To resolve this issue, we have to flush the cache or restart the BIND service.

root@bind# nslookup globem2m.com.ph <server ip>


** server can't find globem2m.com.ph: SERVFAIL

Trace logs:

: query (cache) 'globem2m.com.ph/A/IN' approved

: rpz QNAME rewrite globem2m.com.ph stop on qresult in rpz_rewrite(): failure

: query failed (failure) for globem2m.com.ph/IN/A at query.c:7657

fetch completed at resolver.c:4053 for globem2m.com.ph/A in 0.000000: failure/success [domain:com.ph,referral:0,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]

: reset client

: servfail cache hit globem2m.com.ph/A (CD=0)

: query failed (SERVFAIL) for globem2m.com.ph/IN/A at query.c:6949

: reset client

Thank you,
Wil
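
Added example, not part of the original message and not ISC code: a small triage script that groups trace lines like the ones above by query name, so every name whose RPZ rewrite ended in failure is listed with its fetch counters and servfail-cache hits. It assumes each log event is on a single line; the sample input is constructed from the trace in this post, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the trace lines from the post, one event per line.
SAMPLE_LOG = """\
: query (cache) 'globem2m.com.ph/A/IN' approved
: rpz QNAME rewrite globem2m.com.ph stop on qresult in rpz_rewrite(): failure
: query failed (failure) for globem2m.com.ph/IN/A at query.c:7657
fetch completed at resolver.c:4053 for globem2m.com.ph/A in 0.000000: failure/success [domain:com.ph,referral:0,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]
: servfail cache hit globem2m.com.ph/A (CD=0)
: query failed (SERVFAIL) for globem2m.com.ph/IN/A at query.c:6949
"""

RPZ_FAIL = re.compile(r"rpz (\S+) rewrite (\S+) stop on \S+ in rpz_rewrite\(\): failure")
FETCH = re.compile(r"fetch completed at \S+ for (\S+)/(\w+) in [\d.]+: (\S+) \[(.*)\]")
CACHE_HIT = re.compile(r"servfail cache hit (\S+)/(\w+)")

def summarize(log_text):
    """Return {qname: summary} for names whose RPZ rewrite ended in failure."""
    out = defaultdict(lambda: {"rpz_stage": None, "fetch_result": None,
                               "counters": {}, "servfail_cache_hits": 0})
    for line in log_text.splitlines():
        if m := RPZ_FAIL.search(line):
            out[m.group(2)]["rpz_stage"] = m.group(1)
        elif m := FETCH.search(line):
            entry = out[m.group(1)]
            entry["fetch_result"] = m.group(3)
            for pair in m.group(4).split(","):
                key, _, val = pair.partition(":")
                entry["counters"][key.strip()] = int(val) if val.isdigit() else val
        elif m := CACHE_HIT.search(line):
            out[m.group(1)]["servfail_cache_hits"] += 1
    # Keep only names where the failure was reported from rpz_rewrite().
    return {name: e for name, e in out.items() if e["rpz_stage"]}

def nonzero_counters(entry):
    """Numeric fetch counters that are above zero (e.g. adberr, restart)."""
    return {k: v for k, v in entry["counters"].items() if isinstance(v, int) and v > 0}

if __name__ == "__main__":
    for name, e in summarize(SAMPLE_LOG).items():
        print(name, e["rpz_stage"], e["fetch_result"],
              nonzero_counters(e), "servfail cache hits:", e["servfail_cache_hits"])
```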
