Should be:
response-policy {
    zone "whitelist.allow" policy passthru;
    zone "malware.trap";
    zone "ransomwareips.block";
} qname-wait-recurse no break-dnssec no;
Vadim
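The difference between the two placements is that qname-wait-recurse and break-dnssec are modifiers of the response-policy statement itself, so they belong between the closing brace and the terminating semicolon, not as separate options afterwards. As an added illustration (not code from the thread or from ISC), a small Python checker that parses one response-policy statement, reports its zones and global modifiers, and rejects the stray placement the way named-checkconf did; it covers only the subset of BIND's grammar seen above, and both sample statements are constructed.

```python
import re

# Constructed samples (not the thread's actual named.conf): the placement
# that fails with "expected 'zone'", and the corrected statement.
WRONG = '''
response-policy {zone "whitelist.allow" policy passthru;
zone "malware.trap";
zone "ransomwareips.block";
};
qname-wait-recurse no;
break-dnssec no;
'''
RIGHT = '''
response-policy {zone "whitelist.allow" policy passthru;
zone "malware.trap";
zone "ransomwareips.block";
} qname-wait-recurse no break-dnssec no;
'''

STMT_RE = re.compile(r'response-policy\s*\{(.*?)\}\s*([^;]*);', re.S)
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*([^;]*);')
GLOBAL_ONLY = ('qname-wait-recurse', 'break-dnssec')


def parse_response_policy(text):
    """Return (zones, options): zones as (name, [per-zone modifiers]),
    options as the modifiers between the closing brace and ';'.
    Raises ValueError when a global-only modifier sits outside the
    statement. Hypothetical helper for the grammar subset used above."""
    m = STMT_RE.search(text)
    if not m:
        raise ValueError("no response-policy statement found")
    zones = [(name, mods.split()) for name, mods in ZONE_RE.findall(m.group(1))]
    if not zones:
        raise ValueError("expected 'zone'")
    tail = m.group(2).split()
    if len(tail) % 2:
        raise ValueError("option without value: %s" % " ".join(tail))
    options = dict(zip(tail[0::2], tail[1::2]))
    # Whatever follows the statement is parsed by named as the next option
    # block, so a stray qname-wait-recurse there is a syntax error.
    stray = re.search(r'\b(%s)\b' % "|".join(GLOBAL_ONLY), text[m.end():])
    if stray:
        raise ValueError("expected 'zone' near '%s'" % stray.group(1))
    return zones, options


def qname_wait_recurse(options):
    """Effective qname-wait-recurse value; BIND's default is 'yes'."""
    return options.get('qname-wait-recurse', 'yes')
```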
> On 09 Aug 2018, at 20:50, Blason R <[email protected]> wrote:
>
> This is the error I am getting
>
> /etc/bind/named.conf.options:24: expected 'zone' near 'qname-wait-recurse'
>
> On Fri, Aug 10, 2018 at 9:10 AM Blason R <[email protected]
> <mailto:[email protected]>> wrote:
> Hi there,
>
> Where should it appear? ARM says it should appear in the Global section of
> response-policy, which I tried, but I am getting an error.
>
> response-policy {zone "whitelist.allow" policy passthru;
> zone "malware.trap";
> zone "ransomwareips.block";
> };
> qname-wait-recurse no;
> break-dnssec no;
>
>
> On Fri, Aug 10, 2018 at 8:09 AM Blason R <[email protected]
> <mailto:[email protected]>> wrote:
> Well, mine is a bit different. I have RPZ and almost 400000+ RPZ entries
> wall-gardened. And in my scenario users are talking to a Windows-based AD/DNS
> server and then that server has a forwarder set to RPZ.
>
> First issue: I observed certain entries from the BIND/RPZ zone are being
> resolved by the Windows server directly to their original IPs and not the
> wall-gardened IP. I believe once the forwarder is set all those queries should
> have been routed to the RPZ server? [If anyone here has Windows DNS expertise,
> pls help]
> And another: certain RPZ queries, if queried through the AD/DNS server, are not
> getting resolved at all. When I captured packets on the BIND/RPZ server I see
> that those domains are getting NXdomain from RPZ and I am not sure why.
> Thanks and Regards,
> Lionel F
>
> On Thu, Aug 9, 2018 at 11:08 PM Bob Harold <[email protected]
> <mailto:[email protected]>> wrote:
>
> On Thu, Aug 9, 2018 at 9:31 AM Blason R <[email protected]
> <mailto:[email protected]>> wrote:
> For example this one.
>
> 18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A?
> 0351dag.com <http://0351dag.com/>. (29)
> 18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074 NXDomain
> 0/1/0 (102)
>
> With RPZ, the name is looked up normally first, and only if there is an
> answer, is RPZ invoked. If it gets NXDOMAIN or some error, it returns that
> and does not use RPZ.
> If that is not what you want, then you probably want to set the option:
> qname-wait-recurse no;
>
> --
> Bob Harold
>
> On Thu, Aug 9, 2018 at 6:59 PM Blason R <[email protected]
> <mailto:[email protected]>> wrote:
> Hi Bind-Users,
>
> I would really appreciate it if someone can help me understand my issue with
> the BIND RPZ server.
>
> I have one windows server say 192.168.1.42 and then RPZ server with
> 192.168.1.179. I noticed that there are certain domains which are not getting
> resolved from end users.
>
> Ideally, since those end users have 192.168.1.42 set as DNS server, and that
> has a forwarder set to 192.168.1.179, it should forward all queries to 1.179,
> right?
>
> But certain domains from my response-policy, even though wall-gardened, are
> being catered as NXdomain.
>
> Anything I am missing pertaining to RPZ?
>
> Or if I am querying all those domains directly to the RPZ server then I am
> getting the proper answer. This issue is noticed when I have the forwarder
> server in between:
>
> options {
>     version "test";
>     allow-query { localhost; subnets; };
>     directory "/var/cache/bind";
>     recursion yes;
>     querylog yes;
>     forwarders {
>         1.1.1.1; 9.9.9.9; 208.67.222.222; 8.8.8.8;
>     };
>     // dnssec-validation auto;
>     request-ixfr yes;
>     auth-nxdomain no; # conform to RFC1035
>     // listen-on-v6 { any; };
>     listen-on port 53 { any; };
>     listen-on port 15455 { any; };
>     response-policy {
>         zone "whitelist.allow" policy passthru;
>         zone "wg.block";
>         zone "bad.trap";
>         zone "block.tld";
>         zone "ransomwareips.block";
>     };
> };
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> [email protected]
> https://lists.isc.org/mailman/listinfo/bind-users