Hi all,

BIND version: 9.11.21
OS: RHEL 7
Compile options: ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc --with-openssl --enable-largefile --disable-ipv6 --enable-threads --enable-filter-aaaa

I have configured 4 RPZ zones (2 are from upstream feeds, and the other 2 are local override blacklist/whitelist zones). The response-policy and RPZ zone configurations are as follows:

response-policy {
    zone "rpz.local.whitelist" policy passthru;
    zone "rpz.local.blacklist" policy cname sinkhole-local.domain.com;
    zone "rpz.whitelist" policy passthru;
    zone "rpz.blacklist" policy cname sinkhole-feed.domain.com;
};

zone "rpz.local.whitelist" {
    type master;
    file "zones/master/rpz.local.whitelist.db";
    allow-query { localhost; };
};

zone "rpz.local.blacklist" {
    type master;
    file "zones/master/rpz.local.blacklist.db";
    allow-query { localhost; };
};

zone "rpz.whitelist" {
    type master;
    file "zones/master/rpz.whitelist.db";
    allow-query { localhost; };
};

zone "rpz.blacklist" {
    type master;
    file "zones/master/rpz.blacklist.db";
    allow-query { localhost; };
};

Contents of the zones that are relevant to the issue:

# grep "*\.live\.com" rpz.*
rpz.blacklist.db:onedrive.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.blacklist.db:*.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.whitelist.db:*.live.com.rpz.whitelist. 3600 IN CNAME rpz.passthru.

# dig @dnsserver onedrive.live.com
;; QUESTION SECTION:
;onedrive.live.com. IN A

;; ANSWER SECTION:
onedrive.live.com. 5 IN CNAME sinkhole-feed.domain.com.
sinkhole-feed.domain.com. 900 IN A 127.66.66.66

I would expect rpz.whitelist to allow *.live.com (passthru). However, if I add the FQDN, not the wildcard domain, in the rpz.local.whitelist zone to override the external feeds, the FQDN resolution works:

# grep "*\.live\.com" rpz.*
rpz.blacklist.db:onedrive.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.blacklist.db:*.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.local.whitelist.int.db:onedrive.live.com.rpz.local.whitelist. IN CNAME rpz-passthru.
rpz.whitelist.db:*.live.com.rpz.whitelist. 3600 IN CNAME rpz.passthru.

# dig @dnsserver onedrive.live.com
;; QUESTION SECTION:
;onedrive.live.com. IN A

;; ANSWER SECTION:
onedrive.live.com. 60 IN CNAME odc-web-geo.onedrive.akadns.net.
odc-web-geo.onedrive.akadns.net. 36 IN CNAME odc-web-brs.onedrive.akadns.net.
odc-web-brs.onedrive.akadns.net. 36 IN CNAME odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net.
odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net. 240 IN CNAME l-0004.l-msedge.net.
l-0004.l-msedge.net. 240 IN A 13.107.42.13

The RPZ wildcard domain whitelist (passthru) doesn't seem to work as it should. I have noticed that the last workable version is BIND 9.11.6-P1. I have tested the same configuration with versions 9.11.8, 9.11.19 and 9.11.21, and all produce the same issue.

Has anyone experienced a similar issue here? Or have I misconfigured something?

Thanks
myOcella
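An added checker for questions like the one above (this is not the poster's configuration or ISC's code). It walks the grepped RPZ records in response-policy order and lists every trigger that matches a query name, using a deliberately simplified model (the earliest listed zone wins; a `*.suffix` trigger matches any name strictly below `suffix`) rather than BIND's full precedence rules, and it flags CNAME targets that begin with "rpz" but are not one of BIND's documented special names (rpz-passthru., rpz-drop., rpz-tcp-only.). Zone names, records and policies are taken from the post; everything else is constructed.

```python
# Constructed from the post: policy zones in response-policy order (zone, policy override).
RESPONSE_POLICY = [("rpz.local.whitelist", "passthru"),
                   ("rpz.local.blacklist", "cname sinkhole-local.domain.com"),
                   ("rpz.whitelist", "passthru"),
                   ("rpz.blacklist", "cname sinkhole-feed.domain.com")]
# Constructed sample records: the lines the post greps out of the zone files.
ZONE_RECORDS = {
    "rpz.local.whitelist": ["onedrive.live.com.rpz.local.whitelist. IN CNAME rpz-passthru."],
    "rpz.whitelist": ["*.live.com.rpz.whitelist. 3600 IN CNAME rpz.passthru."],
    "rpz.blacklist": ["onedrive.live.com.rpz.blacklist. 3600 IN A 127.66.66.66",
                      "*.live.com.rpz.blacklist. 3600 IN A 127.66.66.66"],
}
SPECIAL_TARGETS = {"rpz-passthru.", "rpz-drop.", "rpz-tcp-only."}  # BIND's special CNAME targets

def parse_record(line, zone):
    """(trigger, rtype, rdata): trigger is the owner name minus the policy zone suffix."""
    tokens = line.split()
    owner = tokens.pop(0)
    while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
        tokens.pop(0)                      # skip optional TTL and class
    suffix = "." + zone.rstrip(".") + "."
    if not owner.lower().endswith(suffix):
        raise ValueError(f"{owner} is not under policy zone {zone}")
    return owner[:-len(suffix)].lower(), tokens[0].upper(), " ".join(tokens[1:])

def trigger_matches(trigger, qname):
    """Exact match, or a '*.suffix' wildcard matching any name strictly below suffix."""
    if trigger.startswith("*."):
        return qname.endswith(trigger[1:]) and qname != trigger[2:]
    return trigger == qname

def hits_in_order(qname, zones=ZONE_RECORDS):
    """Every matching trigger in response-policy order; index 0 wins in the simplified model."""
    qname = qname.rstrip(".").lower()
    found = []
    for zone, policy in RESPONSE_POLICY:
        for line in zones.get(zone, []):
            trigger, rtype, rdata = parse_record(line, zone)
            if trigger_matches(trigger, qname):
                found.append((zone, policy, trigger, rtype, rdata))
    return found

def suspicious_cname_targets(zones=ZONE_RECORDS):
    """CNAME targets that look like an RPZ special name but are not spelled as one."""
    out = []
    for zone, _ in RESPONSE_POLICY:
        for line in zones.get(zone, []):
            trigger, rtype, rdata = parse_record(line, zone)
            if rtype == "CNAME" and rdata.lower().startswith("rpz") and rdata.lower() not in SPECIAL_TARGETS:
                out.append((zone, trigger, rdata))
    return out
```

Running `hits_in_order("onedrive.live.com")` shows all four candidate triggers and which zone each lives in, and `suspicious_cname_targets()` is the check to run over every policy zone before reloading named.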
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users