I enabled debug and query logs for BIND and no, it doesn't look like a caching problem...
Do you have any idea how to force BIND to look up the CNAMEd name in RPZ? I tried to analyze the source code, and it seems that this line prevents the policy from being applied on the second iteration: https://gitlab.isc.org/isc-projects/bind9/blob/master/lib%2Fns%2Fquery.c#L3918 Because at this moment st->state & DNS_RPZ_REWRITTEN == 1, the query _has already been rewritten_ by RPZ. Unfortunately commenting out this line leads to an assertion failure later, in query_addrdataset() :)

Andrey

24.10.2019, 02:00, "m3047" <m3...@m3047.net>:
> Hello...
>
> On Wed, 23 Oct 2019, Andrey Geyn wrote:
>> [...]
>> I don't understand why your tests for "cname.example.com" and
>> "cname.test.m3047.net" differ
>> (first one returns only
>> CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM.
>
> I didn't understand this either. Is it something about caching perhaps? I
> thought perhaps example.com, being well-known, was somehow confounding the
> results.
>
>> second one returns two RRs:
>> CNAME.TEST.M3047.NET. 5 IN CNAME ACTUAL.TEST.M3047.NET.
>> ACTUAL.TEST.M3047.NET. 7200 IN A 209.221.140.128)
>
> Notwithstanding that this is WRONG, because actual.test.m3047.net is in
> the RPZ, it did try to follow the CNAME chain, it just failed to apply the
> policy to the A record. However querying the RPZ explicitly:
>
> CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN CNAME ACTUAL.TEST.M3047.NET.
> ACTUAL.TEST.M3047.NET. 5 IN A 10.10.10.10
>
> would /appear/ to be retrieving the result for the CNAME from the RPZ as a
> regular zone not a policy zone, as intended, but then subjects the A
> record to the RPZ policy!
>
>> 23.10.2019, 21:49, "m3047" <m3...@m3047.net>:
>>> [...]
>>> # dig cname.example.com
>>>
>>> ; <<>> DiG 9.8.3-P1 <<>> cname.example.com
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40161
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>>>
>>> ;; QUESTION SECTION:
>>> ;cname.example.com. IN A
>>>
>>> ;; ANSWER SECTION:
>>> CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM.
>>>
>>> ;; AUTHORITY SECTION:
>>> EXAMPLE.COM. 3600 IN SOA ns.icann.org.
>>> noc.dns.icann.org. 2019101506 7200 3600 1209600 3600
>>>
>>> ;; ADDITIONAL SECTION:
>>> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
>>> 260 600 60 86400 600
>>>
>>> ;; Query time: 1142 msec
>>> ;; SERVER: 10.0.0.220#53(10.0.0.220)
>>> ;; WHEN: Wed Oct 23 09:03:34 2019
>>> ;; MSG SIZE rcvd: 209
>>>
>>> # dig test.example.com
>>>
>>> ; <<>> DiG 9.8.3-P1 <<>> test.example.com
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28409
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>>>
>>> ;; QUESTION SECTION:
>>> ;test.example.com. IN A
>>>
>>> ;; ANSWER SECTION:
>>> TEST.EXAMPLE.COM. 5 IN A 10.10.10.10
>>>
>>> ;; AUTHORITY SECTION:
>>> rpz1.m3047.net. 900 IN NS LOCALHOST.
>>>
>>> ;; ADDITIONAL SECTION:
>>> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
>>> 260 600 60 86400 600
>>>
>>> ;; Query time: 10 msec
>>> ;; SERVER: 10.0.0.220#53(10.0.0.220)
>>> ;; WHEN: Wed Oct 23 09:04:38 2019
>>> ;; MSG SIZE rcvd: 162
>>>
>>> # dig cname.example.com.rpz1.m3047.net
>>>
>>> ; <<>> DiG 9.8.3-P1 <<>> cname.example.com.rpz1.m3047.net
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54923
>>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
>>>
>>> ;; QUESTION SECTION:
>>> ;cname.example.com.rpz1.m3047.net. IN A
>>>
>>> ;; ANSWER SECTION:
>>> CNAME.EXAMPLE.COM.rpz1.m3047.net. 600 IN CNAME TEST.EXAMPLE.COM.
>>> TEST.EXAMPLE.COM. 5 IN A 10.10.10.10
>>>
>>> ;; AUTHORITY SECTION:
>>> rpz1.m3047.net. 900 IN NS LOCALHOST.
>>>
>>> ;; ADDITIONAL SECTION:
>>> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
>>> 260 600 60 86400 600
>>>
>>> ;; Query time: 8 msec
>>> ;; SERVER: 10.0.0.220#53(10.0.0.220)
>>> ;; WHEN: Wed Oct 23 09:07:46 2019
>>> ;; MSG SIZE rcvd: 224
>>>
>>> Python 3.7.4 (v3.7.4:e09359112e, Jul 8 2019, 14:54:52)
>>> [Clang 6.0 (clang-600.0.57)] on darwin
>>> Type "help", "copyright", "credits" or "license" for more information.
>>> >>> from socket import getaddrinfo
>>> >>> getaddrinfo('cname.example.com',80)
>>>
>>> [(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
>>> ('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
>>> <SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]
>>>
>>> # net-dns.pl add rpz cname.test.m3047.net CNAME actual.test.m3047.net.
>>> # net-dns.pl add rpz actual.test.m3047.net A 10.10.10.10
>>>
>>> Note that *.m3047.net is wildcarded.
>>>
>>> # dig cname.test.m3047.net
>>>
>>> ; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23767
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
>>>
>>> ;; QUESTION SECTION:
>>> ;cname.test.m3047.net. IN A
>>>
>>> ;; ANSWER SECTION:
>>> CNAME.TEST.M3047.NET. 5 IN CNAME ACTUAL.TEST.M3047.NET.
>>> ACTUAL.TEST.M3047.NET. 7200 IN A 209.221.140.128
>>>
>>> ;; AUTHORITY SECTION:
>>> m3047.net. 7200 IN NS dns1.encirca.net.
>>> m3047.net. 7200 IN NS dns2.encirca.net.
>>>
>>> ;; ADDITIONAL SECTION:
>>> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
>>> 262 600 60 86400 600
>>> dns1.encirca.net. 97039 IN A 108.166.170.106
>>> dns2.encirca.net. 97039 IN A 64.62.200.132
>>>
>>> ;; Query time: 178 msec
>>> ;; SERVER: 10.0.0.220#53(10.0.0.220)
>>> ;; WHEN: Wed Oct 23 09:25:08 2019
>>> ;; MSG SIZE rcvd: 249
>>>
>>> Python 3.7.4 (v3.7.4:e09359112e, Jul 8 2019, 14:54:52)
>>> [Clang 6.0 (clang-600.0.57)] on darwin
>>> Type "help", "copyright", "credits" or "license" for more information.
>>> >>> from socket import getaddrinfo
>>> >>> getaddrinfo('cname.test.m3047.net',80)
>>>
>>> [(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
>>> ('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
>>> <SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]
>>>
>>> # dig cname.test.m3047.net.rpz1.m3047.net
>>>
>>> ; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net.rpz1.m3047.net
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61953
>>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
>>>
>>> ;; QUESTION SECTION:
>>> ;cname.test.m3047.net.rpz1.m3047.net. IN A
>>>
>>> ;; ANSWER SECTION:
>>> CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN CNAME ACTUAL.TEST.M3047.NET.
>>> ACTUAL.TEST.M3047.NET. 5 IN A 10.10.10.10
>>>
>>> ;; AUTHORITY SECTION:
>>> rpz1.m3047.net. 900 IN NS LOCALHOST.
>>>
>>> ;; ADDITIONAL SECTION:
>>> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
>>> 262 600 60 86400 600
>>>
>>> ;; Query time: 8 msec
>>> ;; SERVER: 10.0.0.220#53(10.0.0.220)
>>> ;; WHEN: Wed Oct 23 09:41:29 2019
>>> ;; MSG SIZE rcvd: 235
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
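A way to spot the behaviour m3047 describes (the resolver follows the CNAME from the policy zone but does not apply the policy to the target's A record) without reading dig output by eye. This is an added example, not code from the thread or from BIND: it parses the answer section of dig output, follows the CNAME chain to the terminal A record, and compares that address with what the policy zone holds for the terminal name. The dig answers and the policy-zone contents embedded below are constructed from the runs quoted above; the function names are this example's own.

```python
"""Classify resolver answers against an RPZ by following the CNAME chain.

Added example for the bind-users thread above; not BIND code. Sample dig
output and the policy-zone table are constructed from the quoted runs.
"""
from typing import Dict, List, Tuple

RR = Tuple[str, str, str]  # (owner, rrtype, rdata), names lowercased


def parse_answer_section(dig_output: str) -> List[RR]:
    """Return (owner, type, rdata) for each RR under ';; ANSWER SECTION:'."""
    rrs: List[RR] = []
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line or line.startswith(";"):
            break  # blank line or the next section header ends the answer
        fields = line.split()
        if len(fields) < 5:
            continue  # owner ttl class type rdata: anything shorter is not an RR
        owner, _ttl, _cls, rrtype = fields[:4]
        rrs.append((owner.lower(), rrtype.upper(), " ".join(fields[4:]).lower()))
    return rrs


def follow_cname_chain(rrs: List[RR], qname: str, max_hops: int = 8) -> Tuple[str, List[str]]:
    """Walk CNAMEs from qname; return (terminal owner name, its A rdata)."""
    by_owner: Dict[str, List[Tuple[str, str]]] = {}
    for owner, rrtype, rdata in rrs:
        by_owner.setdefault(owner, []).append((rrtype, rdata))
    name = qname.lower().rstrip(".") + "."
    seen = {name}
    for _ in range(max_hops):
        targets = [rd for rt, rd in by_owner.get(name, []) if rt == "CNAME"]
        if not targets or targets[0] in seen:
            break  # end of chain, or a loop in the answer
        name = targets[0]
        seen.add(name)
    return name, [rd for rt, rd in by_owner.get(name, []) if rt == "A"]


def classify(dig_output: str, qname: str, policy_zone: Dict[str, Tuple[str, str]]) -> str:
    """'rewritten'     terminal name is in the policy zone and the A matches it
    'leaked'        terminal name is in the policy zone but the answer differs
                    (the behaviour reported in the thread)
    'no-address'    the chain ended without an A record
    'not-in-policy' the terminal name has no policy entry"""
    terminal, addrs = follow_cname_chain(parse_answer_section(dig_output), qname)
    policy = policy_zone.get(terminal)
    if policy is None:
        return "not-in-policy"
    if not addrs:
        return "no-address"
    return "rewritten" if policy == ("A", addrs[0]) else "leaked"


# Policy-zone contents, constructed from the net-dns.pl commands and the
# direct RPZ lookups quoted in the thread (owner -> (type, rdata)).
POLICY_ZONE: Dict[str, Tuple[str, str]] = {
    "cname.example.com.": ("CNAME", "test.example.com."),
    "test.example.com.": ("A", "10.10.10.10"),
    "cname.test.m3047.net.": ("CNAME", "actual.test.m3047.net."),
    "actual.test.m3047.net.": ("A", "10.10.10.10"),
}

# Constructed dig excerpts (answer sections as quoted in the thread).
DIG_CNAME_TEST = """\
;; QUESTION SECTION:
;cname.test.m3047.net. IN A

;; ANSWER SECTION:
CNAME.TEST.M3047.NET. 5 IN CNAME ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET. 7200 IN A 209.221.140.128

;; AUTHORITY SECTION:
m3047.net. 7200 IN NS dns1.encirca.net.
"""
DIG_RPZ_DIRECT = """\
;; ANSWER SECTION:
CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN CNAME ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET. 5 IN A 10.10.10.10

;; AUTHORITY SECTION:
rpz1.m3047.net. 900 IN NS LOCALHOST.
"""
DIG_CNAME_EXAMPLE = """\
;; ANSWER SECTION:
CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM.

;; AUTHORITY SECTION:
EXAMPLE.COM. 3600 IN SOA ns.icann.org. noc.dns.icann.org. 2019101506 7200 3600 1209600 3600
"""

if __name__ == "__main__":
    for label, out, q in (("cname.test.m3047.net", DIG_CNAME_TEST, "cname.test.m3047.net"),
                          ("via rpz1 directly", DIG_RPZ_DIRECT, "cname.test.m3047.net.rpz1.m3047.net"),
                          ("cname.example.com", DIG_CNAME_EXAMPLE, "cname.example.com")):
        print(f"{label:24s} {classify(out, q, POLICY_ZONE)}")
```

Run against the three answers quoted above, the resolver's answer for cname.test.m3047.net classifies as "leaked" (the chain reaches actual.test.m3047.net, which the policy zone maps to 10.10.10.10, yet the resolver returned 209.221.140.128), the direct rpz1.m3047.net lookup as "rewritten", and cname.example.com as "no-address". Pointing the same check at live `dig` output is a quick regression test when trying a patched named.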