Well, mine is a bit different. I have RPZ with almost 400000+ RPZ entries wall-gardened, and in my scenario users are talking to a Windows-based AD/DNS server, and that server has a forwarder set to the RPZ server.

1. First issue: I observed that certain entries from the BIND/RPZ zone are being resolved by the Windows server directly to their original IPs and not the wall-gardened IP. I believe that once the forwarder is set, all those queries should have been routed to the RPZ server? [If anyone here has Windows DNS expertise, please help]

2. Another: certain RPZ queries, if queried through the AD/DNS server, are not getting resolved at all. When I captured packets on the BIND/RPZ server, I see that those domains are getting NXDOMAIN from RPZ, and I am not sure why.

Thanks and Regards,
Lionel F

On Thu, Aug 9, 2018 at 11:08 PM Bob Harold <rharo...@umich.edu> wrote:
>
> On Thu, Aug 9, 2018 at 9:31 AM Blason R <blaso...@gmail.com> wrote:
>
>> For example this one.
>>
>> 18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A? 0351dag.com. (29)
>> 18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074 NXDomain 0/1/0 (102)
>>
>
> With RPZ, the name is looked up normally first, and only if there is an answer is RPZ invoked. If it gets NXDOMAIN or some error, it returns that and does not use RPZ.
> If that is not what you want, then you probably want to set the option:
> qname-wait-recurse no;
>
> --
> Bob Harold
>
>
>> On Thu, Aug 9, 2018 at 6:59 PM Blason R <blaso...@gmail.com> wrote:
>>
>>> Hi Bind-Users,
>>>
>>> I would really appreciate it if someone can help me understand my issue with the BIND RPZ server.
>>>
>>> I have one Windows server, say 192.168.1.42, and then the RPZ server with 192.168.1.179. I noticed that there are certain domains which are not getting resolved for end users.
>>>
>>> Ideally, since those end users have 192.168.1.42 set as their DNS server, and it has a forwarder set to 192.168.1.179, it should forward all queries to 1.179, right?
>>>
>>> But certain domains from my response-policy, even though they are wall-gardened, are being served as NXDOMAIN.
>>>
>>> Anything I am missing pertaining to RPZ?
>>>
>>> Or, if I am querying all those domains directly to the RPZ server, then I am getting the proper answer. This issue is noticed when I have the forwarder server in between:
>>>
>>> options {
>>>     version "test";
>>>     allow-query { localhost; subnets; };
>>>     directory "/var/cache/bind";
>>>     recursion yes;
>>>     querylog yes;
>>>     forwarders {
>>>         1.1.1.1; 9.9.9.9; 208.67.222.222; 8.8.8.8;
>>>     };
>>>     // dnssec-validation auto;
>>>     request-ixfr yes;
>>>     auth-nxdomain no;    # conform to RFC1035
>>>     // listen-on-v6 { any; };
>>>     listen-on port 53 { any; };
>>>     listen-on port 15455 { any; };
>>>     response-policy {
>>>         zone "whitelist.allow" policy passthru;
>>>         zone "wg.block";
>>>         zone "bad.trap";
>>>         zone "block.tld";
>>>         zone "ransomwareips.block";
>>>     };
>>> };
>>>
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
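The two symptoms in this thread (names that come back with their real IPs through the Windows forwarder, and names that come back NXDOMAIN through it although the RPZ server rewrites them when asked directly) can be checked systematically by querying both servers and comparing answers. The script below is an added example, not code from the thread or from BIND; it uses only the Python standard library, takes the 192.168.1.179 (RPZ) and 192.168.1.42 (AD/DNS) addresses from the thread, and the walled-garden address is a placeholder you must replace with your own.

```python
import random, socket, struct

def _skip_name(data, off):
    # A name ends with a zero byte or a 2-byte compression pointer (0xC0..).
    while data[off] and data[off] & 0xC0 != 0xC0:
        off += data[off] + 1
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def parse_response(data):
    """Return (rcode, [A records]) from a DNS reply; rcode 3 is NXDOMAIN."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return flags & 0xF, ips

def query_a(server, name, timeout=2.0):
    """Send one recursive A query (RFC 1035 wire format) over UDP and parse the reply."""
    txid = random.randrange(65536)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    pkt = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\0" + struct.pack(">HH", 1, 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack(">H", data[:2])[0] != txid:
        raise ValueError("transaction id mismatch")
    return parse_response(data)

def classify(direct, forwarded, garden_ip):
    """Compare the RPZ server's own answer with what the forwarding server returns."""
    (_, d_ips), (f_rcode, f_ips) = direct, forwarded
    if d_ips != [garden_ip]:
        return "not-walled"  # RPZ does not rewrite this name at all
    if f_ips == [garden_ip]:
        return "ok"  # clients get the walled-garden IP as intended
    return "nxdomain-via-forwarder" if f_rcode == 3 else "bypassed"

if __name__ == "__main__":
    # Servers from the thread; "GARDEN-IP" is a placeholder for your walled-garden address.
    for name in ("0351dag.com",):
        print(name, classify(query_a("192.168.1.179", name), query_a("192.168.1.42", name), "GARDEN-IP"))
```

Run it against the list of names clients are complaining about; "bypassed" rows match the first symptom and "nxdomain-via-forwarder" rows the second, which makes it easy to see whether the Windows server or the RPZ server is the one to look at for each name.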