Hi, so Andrey,

Your output doesn't reflect what I would expect to see from an RPZ-mediated query, but rather what I would expect to see if querying a zone, such as the RPZ itself, directly. So I am not sure I understand your question.

To the broader ISC community: however, I'm confused by the response I'm getting. Oddly enough dig is giving me the unexpected results, and (Python) socket.getaddrinfo() does what I expect. It appears that CNAME resolution within RPZ is escaping...

On Wed, 23 Oct 2019, Andrey Geyn wrote:

Date: Wed, 23 Oct 2019 19:34:39 +0500
From: Andrey Geyn <andg...@yandex-team.ru>
To: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
Subject: Internal CNAME in RPZ

Hello, I would like to set up RPZ with CNAME and A. There are two options:
 
1.
cname.domain.com        CNAME   test.domain.com    (without trailing dot)
test.domain.com         A       10.10.10.10

Trailing dot is needed.

2.
cname.domain.com        CNAME   test.domain.com.      (with trailing dot)
test.domain.com         A       10.10.10.10

Yes I believe this to be correct.

# dig cname.domain.com @127.0.0.1

cname.domain.com.       5       IN      CNAME   test.domain.com.
test.domain.com.        531     IN      A       66.96.162.92
 

# net-dns.pl add rpz cname.example.com CNAME test.example.com.
# net-dns.pl add rpz test.example.com A 10.10.10.10

Here's the answer I didn't expect, from dig:

# dig +short cname.example.com
TEST.EXAMPLE.COM.
# dig +short test.example.com
10.10.10.10

It did not follow the CNAME chain. Here's what I expected, from getaddrinfo():

from socket import getaddrinfo
getaddrinfo('cname.example.com',80)
[(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '', ('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]

All the rest of the queries follow. The recursive resolver (at 10.0.0.220) is running 9.12.3-p1. I tested with versions of dig up to and including 9.12.3-p1.

Notice that in the very first test below the AUTHORITY refers to icann.org, but the ADDITIONAL (correctly) refers to my RPZ. I repeated with a different domain with the rationale that example.com was confounding results, and got something similar.

Querying the RPZ directly, e.g. for cname.test.m3047.net.rpz1.m3047.net does the reverse, looking up actual.test.m3047.net from the RPZ instead of the real world.

--

Fred Morris

--

# dig cname.example.com

; <<>> DiG 9.8.3-P1 <<>> cname.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40161
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;cname.example.com.             IN      A

;; ANSWER SECTION:
CNAME.EXAMPLE.COM.      5       IN      CNAME   TEST.EXAMPLE.COM.

;; AUTHORITY SECTION:
EXAMPLE.COM. 3600 IN SOA ns.icann.org. noc.dns.icann.org. 2019101506 7200 3600 1209600 3600

;; ADDITIONAL SECTION:
rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET. 260 600 60 86400 600

;; Query time: 1142 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:03:34 2019
;; MSG SIZE  rcvd: 209

#  dig test.example.com

; <<>> DiG 9.8.3-P1 <<>> test.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28409
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;test.example.com.              IN      A

;; ANSWER SECTION:
TEST.EXAMPLE.COM.       5       IN      A       10.10.10.10

;; AUTHORITY SECTION:
rpz1.m3047.net.         900     IN      NS      LOCALHOST.

;; ADDITIONAL SECTION:
rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET. 260 600 60 86400 600

;; Query time: 10 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:04:38 2019
;; MSG SIZE  rcvd: 162

# dig cname.example.com.rpz1.m3047.net

; <<>> DiG 9.8.3-P1 <<>> cname.example.com.rpz1.m3047.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54923
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;cname.example.com.rpz1.m3047.net. IN   A

;; ANSWER SECTION:
CNAME.EXAMPLE.COM.rpz1.m3047.net. 600 IN CNAME  TEST.EXAMPLE.COM.
TEST.EXAMPLE.COM.       5       IN      A       10.10.10.10

;; AUTHORITY SECTION:
rpz1.m3047.net.         900     IN      NS      LOCALHOST.

;; ADDITIONAL SECTION:
rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET. 260 600 60 86400 600

;; Query time: 8 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:07:46 2019
;; MSG SIZE  rcvd: 224

Python 3.7.4 (v3.7.4:e09359112e, Jul  8 2019, 14:54:52)
[Clang 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
from socket import getaddrinfo
getaddrinfo('cname.example.com',80)
[(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '', ('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]

# net-dns.pl add rpz cname.test.m3047.net CNAME actual.test.m3047.net.
# net-dns.pl add rpz actual.test.m3047.net A 10.10.10.10

Note that *.m3047.net is wildcarded.

# dig cname.test.m3047.net

; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23767
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;cname.test.m3047.net.          IN      A

;; ANSWER SECTION:
CNAME.TEST.M3047.NET.   5       IN      CNAME   ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET.  7200    IN      A       209.221.140.128

;; AUTHORITY SECTION:
m3047.net.              7200    IN      NS      dns1.encirca.net.
m3047.net.              7200    IN      NS      dns2.encirca.net.

;; ADDITIONAL SECTION:
rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET. 262 600 60 86400 600
dns1.encirca.net.       97039   IN      A       108.166.170.106
dns2.encirca.net.       97039   IN      A       64.62.200.132

;; Query time: 178 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:25:08 2019
;; MSG SIZE  rcvd: 249

Python 3.7.4 (v3.7.4:e09359112e, Jul  8 2019, 14:54:52)
[Clang 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
from socket import getaddrinfo
getaddrinfo('cname.test.m3047.net',80)
[(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '', ('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]

# dig cname.test.m3047.net.rpz1.m3047.net

; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net.rpz1.m3047.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61953
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;cname.test.m3047.net.rpz1.m3047.net. IN        A

;; ANSWER SECTION:
CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN CNAME ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET.  5       IN      A       10.10.10.10

;; AUTHORITY SECTION:
rpz1.m3047.net.         900     IN      NS      LOCALHOST.

;; ADDITIONAL SECTION:
rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET. 262 600 60 86400 600

;; Query time: 8 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:41:29 2019
;; MSG SIZE  rcvd: 235
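The two points the thread turns on, worked as an added example that is not part of the list message or of BIND: first, a zone file qualifies any name without a trailing dot against the zone origin, which is why option 1 above makes the CNAME target land inside the RPZ zone rather than in the real world; second, a stub resolver such as getaddrinfo() re-queries each CNAME target until it reaches A records, which a single dig answer section does not do for you. The origin rpz1.m3047.net. is taken from the thread; the response table and the A/CNAME records in it are constructed to mirror the dig output above, and `RESPONSES`, `lookup` and `resolve_a` are names chosen for this illustration.

```python
# Added example, not code from the bind-users thread or from BIND.
# RPZ_ORIGIN is the RPZ zone name from the thread; RESPONSES is a constructed
# stand-in for what the recursive resolver answered to each separate query.

RPZ_ORIGIN = "rpz1.m3047.net."


def canon(name: str) -> str:
    """Canonical form for comparison: lower case, exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def qualify(name: str, origin: str) -> str:
    """Master-file rule (RFC 1035): a name ending in '.' is absolute, any other
    name has the origin appended, and '@' stands for the origin itself."""
    if name == "@":
        return canon(origin)
    if name.endswith("."):
        return canon(name)
    return canon(f"{name}.{origin}")


# Constructed answer-section data modelled on the thread's dig output:
# query name -> list of (owner, type, rdata). Owners come back upper-cased,
# as they did in the thread.
RESPONSES = {
    "cname.example.com.": [("CNAME.EXAMPLE.COM.", "CNAME", "TEST.EXAMPLE.COM.")],
    "test.example.com.": [("TEST.EXAMPLE.COM.", "A", "10.10.10.10")],
    # Option 1 from the thread: the unqualified target ends up inside the
    # RPZ zone, where nothing answers for it.
    "test.domain.com.rpz1.m3047.net.": [],
}


def lookup(qname: str) -> list:
    """Stand-in for sending one query to the recursive resolver."""
    return RESPONSES.get(canon(qname), [])


def resolve_a(qname: str, lookup=lookup, max_hops: int = 8):
    """Follow CNAMEs by re-querying each target, as a stub resolver does.
    Returns (list of A rdata, list of names visited in order)."""
    name = canon(qname)
    chain = [name]
    for _ in range(max_hops):
        rrs = lookup(name)
        addrs = [rd for owner, rtype, rd in rrs
                 if canon(owner) == name and rtype == "A"]
        if addrs:
            return addrs, chain
        targets = [rd for owner, rtype, rd in rrs
                   if canon(owner) == name and rtype == "CNAME"]
        if not targets:
            return [], chain  # dead end: NXDOMAIN or no A data at this name
        name = canon(targets[0])
        if name in chain:
            raise ValueError(f"CNAME loop at {name}")
        chain.append(name)
    raise ValueError("CNAME chain longer than max_hops")


if __name__ == "__main__":
    # Option 1 versus option 2 from the thread.
    print(qualify("test.domain.com", RPZ_ORIGIN))   # test.domain.com.rpz1.m3047.net.
    print(qualify("test.domain.com.", RPZ_ORIGIN))  # test.domain.com.
    # What getaddrinfo() effectively did for cname.example.com.
    print(resolve_a("cname.example.com"))           # (['10.10.10.10'], ['cname.example.com.', 'test.example.com.'])
```

Running `resolve_a` against the real resolver would mean replacing `lookup` with a function that sends the query and returns the answer section; the chain it returns is the list of names a client actually asked about, which is the view that the single `dig cname.example.com` output above cannot give.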