Re: RPZ behavior for authoritative servers
On 2019-10-23 18:14, Mik J via bind-users wrote: Hi, I know that the RPZ functionality aims to block/redirect/log DNS queries from the inner network. What about the authoritative DNS facing the Internet ? I receive some spam, I get probed on my webservers etc. Many of these annoiyances start with a DNS query. What is mydomain.org ? My DNS answers 1.2.3.4 Then the annoyances starts on port 25 or 80 or 443... So my question is this one. Is it possible to load a list of IP clients and/or networks that can be called the "zombie list" If a computer from the zombie list wants to resolve mydomain.org, my Here is where you err. You're assuming that you will know the source of the query and be able to associate a certain query with an attack. That's highly improbable. Most [probably all] of these annoyances are malware running on compromised machines. Malware usually makes an effort to stay small, and as such, it's likely to offload as much as it can to the system libraries. Name resolution is a good candidate for offloading. The system library will send DNS queries to the nameserver[s] as received from DHCP. Those nameservers will do the recursion, and you will see the queries coming from ISP resolvers and open resolvers like Google's. DNS replies 127.0.0.1 or some IP that are allocated to an antartic network. Then, I never get annoyed. Even if you DO correctly pin the query to the attack, you do NOT want to poison Google's cache with misinformation. Sorry. Also, if you were to do something like this, please do NOT abuse real IP address holders, especially not our .AQ friends. I'm sure network lag there is bad enough without us making it worse. -CA ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind-Efficientip
Am 24.10.19 um 00:53 schrieb Mik J: > You won't do it within a night that's for sure add the delegation part for who can show and edit which zones? easily given that the whole backend was written basicly in a single night after the day we decided to move all dns zones from customers to our own infrastructure > But yes the vendors assemble components with a web interface and database. > But now it seems to me that all products add more intelligence. that's what you do after the basic stuff is rock solid to get rid of boring manual tasks on check lists what to look for after register / transfer a zone > For my own needs bind alone is all fine because I'm root. > But for 500+ users that need to view, modify some zones, import, export > I'm not sure that would be possible. the most interesting stuff here was "virtual cnames" or whatever it could be called that i can just add a hostname from within our own domain and it becomes replaced by the host-ip at the time the zone file is generated from the database record as well as put default MX records including the "honeypot backup-mx", presets for SPF, add helo-SPF for every host and null-MX combined with "v=spf1 -all" for zones without a MX record it's nice to pack as much as possible stuff in your own zone and press a button which generates 800 zones from scratch with current data and raise the serials > Le jeudi 24 octobre 2019 à 00:44:36 UTC+2, Reindl Harald > a écrit : > > Am 24.10.19 um 00:35 schrieb Mik J via bind-users: >> Efficient IP uses bind (+ nsd/unbound) as the DNS server. >> >> One major difference between Efficient IP and bind is when you want to >> delegate the zone configuration to users and groups. I think it's called >> role based management. >> So let's say you want team1 to have read/write access to the zone >> team1.cyberia.net.sa, team2 to team2.cyberia.net.sa... on one server. >> You can have team2 to be able to view all the content of the zone >> team1.cyberia.net.sa and so on. >> I don't think it's possible to do this on bind only / unix >> There are granular rights. >> >> The second thing it that DHCP, DNS, IPAM work together. You can automate >> the IP reservation and the DNS record creation for example. >> >> The ability to import/export data from csv or API SOAP/Rest >> >> Infoblox and Bluecat are other similar products along with a few others. > > at the end of the day it's just some interface utilizing the underlying > tools - i don't see why i couldn't expand my webinterface generating > zonefiles since 11 years now with some permission delegation within a > night if needed ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RPZ behavior for authoritative servers
Hello, I know that the RPZ functionality aims to block/redirect/log DNS queries from the inner network. What about the authoritative DNS facing the Internet ? I receive some spam, I get probed on my webservers etc.Many of these annoiyances start with a DNS query. What is mydomain.org ? My DNS answers 1.2.3.4Then the annoyances starts on port 25 or 80 or 443... So my question is this one.Is it possible to load a list of IP clients and/or networks that can be called the "zombie list"If a computer from the zombie list wants to resolve mydomain.org, my DNS replies 127.0.0.1 or some IP that are allocated to an antartic network.Then, I never get annoyed. Something like a mix between RPZ and views on my authoritative DNS servers sitting on Internet. Thank you ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind-Efficientip
You won't do it within a night that's for sure.But yes the vendors assemble components with a web interface and database.But now it seems to me that all products add more intelligence. For my own needs bind alone is all fine because I'm root.But for 500+ users that need to view, modify some zones, import, export I'm not sure that would be possible. Le jeudi 24 octobre 2019 à 00:44:36 UTC+2, Reindl Harald a écrit : Am 24.10.19 um 00:35 schrieb Mik J via bind-users: > Efficient IP uses bind (+ nsd/unbound) as the DNS server. > > One major difference between Efficient IP and bind is when you want to > delegate the zone configuration to users and groups. I think it's called > role based management. > So let's say you want team1 to have read/write access to the zone > team1.cyberia.net.sa, team2 to team2.cyberia.net.sa... on one server. > You can have team2 to be able to view all the content of the zone > team1.cyberia.net.sa and so on. > I don't think it's possible to do this on bind only / unix > There are granular rights. > > The second thing it that DHCP, DNS, IPAM work together. You can automate > the IP reservation and the DNS record creation for example. > > The ability to import/export data from csv or API SOAP/Rest > > Infoblox and Bluecat are other similar products along with a few others. at the end of the day it's just some interface utilizing the underlying tools - i don't see why i couldn't expand my webinterface generating zonefiles since 11 years now with some permission delegation within a night if needed ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind-Efficientip
Am 24.10.19 um 00:35 schrieb Mik J via bind-users: > Efficient IP uses bind (+ nsd/unbound) as the DNS server. > > One major difference between Efficient IP and bind is when you want to > delegate the zone configuration to users and groups. I think it's called > role based management. > So let's say you want team1 to have read/write access to the zone > team1.cyberia.net.sa, team2 to team2.cyberia.net.sa... on one server. > You can have team2 to be able to view all the content of the zone > team1.cyberia.net.sa and so on. > I don't think it's possible to do this on bind only / unix > There are granular rights. > > The second thing it that DHCP, DNS, IPAM work together. You can automate > the IP reservation and the DNS record creation for example. > > The ability to import/export data from csv or API SOAP/Rest > > Infoblox and Bluecat are other similar products along with a few others. at the end of the day it's just some interface utilizing the underlying tools - i don't see why i couldn't expand my webinterface generating zonefiles since 11 years now with some permission delegation within a night if needed ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Internal CNAME in RPZ
Hello... On Wed, 23 Oct 2019, Andrey Geyn wrote: [...] I don't understand why your tests for "cname.example.com" and "cname.test.m3047.net" differ (first one returns only CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM. I didn't understand this as well. Is it something about caching perhaps? I thought perhaps example.com, being well-known, was somehow confounding the results. second one returns two RRs: CNAME.TEST.M3047.NET. 5 IN CNAME ACTUAL.TEST.M3047.NET. ACTUAL.TEST.M3047.NET. 7200IN A 209.221.140.128) Notwithstanding that this is WRONG, because actual.test.m3047.net is in the RPZ, it did try to follow the CNAME chain it just failed to apply the policy to the A record. However querying the RPZ explicitly: CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN CNAME ACTUAL.TEST.M3047.NET. ACTUAL.TEST.M3047.NET. 5 IN A 10.10.10.10 would /appear/ to be retrieving the result for the CNAME from the RPZ as a regular zone not a policy zone, as intended, but then subjects the A record to the RPZ policy! 23.10.2019, 21:49, "m3047" : [...] # dig cname.example.com ; <<>> DiG 9.8.3-P1 <<>> cname.example.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40161 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;cname.example.com. IN A ;; ANSWER SECTION: CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM. ;; AUTHORITY SECTION: EXAMPLE.COM. 3600 IN SOA ns.icann.org. noc.dns.icann.org. 2019101506 7200 3600 1209600 3600 ;; ADDITIONAL SECTION: rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET. 260 600 60 86400 600 ;; Query time: 1142 msec ;; SERVER: 10.0.0.220#53(10.0.0.220) ;; WHEN: Wed Oct 23 09:03:34 2019 ;; MSG SIZE rcvd: 209 # dig test.example.com ; <<>> DiG 9.8.3-P1 <<>> test.example.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28409 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;test.example.com. IN A ;; ANSWER SECTION: TEST.EXAMPLE.COM. 5 IN A 10.10.10.10 ;; AUTHORITY SECTION: rpz1.m3047.net. 900 IN NS LOCALHOST. ;; ADDITIONAL SECTION: rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET. 260 600 60 86400 600 ;; Query time: 10 msec ;; SERVER: 10.0.0.220#53(10.0.0.220) ;; WHEN: Wed Oct 23 09:04:38 2019 ;; MSG SIZE rcvd: 162 # dig cname.example.com.rpz1.m3047.net ; <<>> DiG 9.8.3-P1 <<>> cname.example.com.rpz1.m3047.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54923 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;cname.example.com.rpz1.m3047.net. IN A ;; ANSWER SECTION: CNAME.EXAMPLE.COM.rpz1.m3047.net. 600 IN CNAME TEST.EXAMPLE.COM. TEST.EXAMPLE.COM. 5 IN A 10.10.10.10 ;; AUTHORITY SECTION: rpz1.m3047.net. 900 IN NS LOCALHOST. ;; ADDITIONAL SECTION: rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET. 260 600 60 86400 600 ;; Query time: 8 msec ;; SERVER: 10.0.0.220#53(10.0.0.220) ;; WHEN: Wed Oct 23 09:07:46 2019 ;; MSG SIZE rcvd: 224 Python 3.7.4 (v3.7.4:e09359112e, Jul 8 2019, 14:54:52) [Clang 6.0 (clang-600.0.57)] on darwin Type "help", "copyright", "credits" or "license" for more information. from socket import getaddrinfo getaddrinfo('cname.example.com',80) [(, , 17, '', ('10.10.10.10', 80)), (, , 6, '', ('10.10.10.10', 80))] # net-dns.pl add rpz cname.test.m3047.net CNAME actual.test.m3047.net. # net-dns.pl add rpz actual.test.m3047.net A 10.10.10.10 Note that *.m3047.net is wildcarded. # dig cname.test.m3047.net ; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23767 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3 ;; QUESTION SECTION: ;cname.test.m3047.net. IN A ;; ANSWER SECTION: CNAME.TEST.M3047.NET. 5 IN CNAME ACTUAL.TEST.M3047.NET. ACTUAL.TEST.M3047.NET. 7200 IN A 209.221.140.128 ;; AUTHORITY SECTION: m3047.net. 7200 IN NS dns1.encirca.net. m3047.net. 7200 IN NS dns2.encirca.net. ;; ADDITIONAL SECTION: rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET. 262 600 60 86400 600 dns1.encirca.net. 97039 IN A 108.166.170.106 dns2.encirca.net. 97039 IN A 64.62.200.132 ;; Query time: 178 msec ;; SERVER: 10.0.0.220#53(10.0.0.220) ;; WHEN: Wed Oct 23 09:25:08 2019 ;; MSG SIZE rcvd: 249 Python 3.7.4 (v3.7.4:e09359112e, Jul 8 2019, 14:54:52) [Clang 6.0 (clang-600.0.57)] on darwin Type "help", "copyright", "credits" or "license" for more information. from socket import getaddrinfo getaddrinfo('cname.test.m3047.net',80) [(, , 17, '', ('10.10.10.10', 80)), (, , 6, '', ('10.10.10.10', 80))] # dig cname.test.m3047.net.rpz1.m3047.net ; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net.rpz1.m3047.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61953 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1 ;;
Re: Internal CNAME in RPZ
On Wed, Oct 23, 2019 at 10:21:08PM +0500, Andrey Geyn wrote: > Hi, Fred! > > Thank for your reply and tests. > The questions you ask are my questions too, just asked more professionally. > Thanks for it :) > > .../... > In my test (I have BIND 9.11.3-1ubuntu1.9-Ubuntu) I have following named.conf: > """ > options { > response-policy {zone "rpz"; }; > } > zone "rpz" { > type master; > file "/etc/bind/rpz.zone"; > }; RPZ zone is only use internally to Bind. It doesn't need to be resolvable outside. So you can skip the zone declaration. If you need zone declaration (cause you have slaves for this zone), you can restrict access to it by adding "allow-query { slaves... };" on master and "allow-query {};" on slaves. sincerly, -- Julien << Vous n'avez rien a dire... Parlons-en! >> ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Internal CNAME in RPZ
Hi, Fred! Thank for your reply and tests. The questions you ask are my questions too, just asked more professionally. Thanks for it :) Okay, let's use only variant with trailing dot, thank you for clarification. I don't understand why your tests for "cname.example.com" and "cname.test.m3047.net" differ (first one returns only CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM. second one returns two RRs: CNAME.TEST.M3047.NET. 5 IN CNAME ACTUAL.TEST.M3047.NET. ACTUAL.TEST.M3047.NET. 7200IN A 209.221.140.128) In my test (I have BIND 9.11.3-1ubuntu1.9-Ubuntu) I have following named.conf: """ options { response-policy {zone "rpz"; }; } zone "rpz" { type master; file "/etc/bind/rpz.zone"; }; """ And rpz.zone: """ $TTL 1H @ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h) NS LOCALHOST. cname.domain.comCNAME test.domain.com. test.domain.com A 10.10.10.10 """ So I run "dig cname.domain.com @127.0.0.1" and result is """ ... ;; QUESTION SECTION: ;cname.domain.com. IN A ;; ANSWER SECTION: cname.domain.com. 5 IN CNAME test.domain.com. test.domain.com.599 IN A 66.96.162.92 ;; AUTHORITY SECTION: . 5211IN NS c.root-servers.net. . 5211IN NS e.root-servers.net. . 5211IN NS k.root-servers.net. . 5211IN NS l.root-servers.net. . 5211IN NS g.root-servers.net. . 5211IN NS d.root-servers.net. . 5211IN NS i.root-servers.net. . 5211IN NS a.root-servers.net. . 5211IN NS b.root-servers.net. . 5211IN NS m.root-servers.net. . 5211IN NS f.root-servers.net. . 5211IN NS h.root-servers.net. . 5211IN NS j.root-servers.net. ... """ (as for you in second test). And yes, resolving via RPZ suffix is working as well: # dig cname.domain.com.rpz @127.0.0.1 ; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> cname.domain.com.rpz @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20714 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 33d9dfa596759fe554fb08f15db08b141f084f760f479882 (good) ;; QUESTION SECTION: ;cname.domain.com.rpz. IN A ;; ANSWER SECTION: cname.domain.com.rpz. 3600IN CNAME test.domain.com. test.domain.com.5 IN A 10.10.10.10 ;; AUTHORITY SECTION: rpz.3600IN NS LOCALHOST. Andrey 23.10.2019, 21:49, "m3047" : > Hi, so Andrey, > > Your output doesn't reflect what I would expect to see from an > RPZ-mediated query, but rather what I would expect to see if querying a > zone, such as the RPZ itself, directly. So I am not sure I understand your > question. > > To the broader ISC community: however, I'm confused by the response I'm > getting. Oddly enough dig is giving me the unexpected results, and > (Python) socket.getaddrinfo() does what I expect. It appears that CNAME > resolution within RPZ is escaping... > > On Wed, 23 Oct 2019, Andrey Geyn wrote: > >> Date: Wed, 23 Oct 2019 19:34:39 +0500 >> From: Andrey Geyn >> To: "bind-users@lists.isc.org" >> Subject: Internal CNAME in RPZ >> >> Hello, I would like to set up RPZ with CNAME and A. There are two options: >> >> 1. >> cname.domain.com CNAME test.domain.com (without trailing dot) >> test.domain.com A 10.10.10.10 > > Trailing dot is needed. > >> 2. >> cname.domain.com CNAME test.domain.com. (with trailing dot) >> test.domain.com A 10.10.10.10 > > Yes I believe this to be correct. > >> # dig cname.domain.com @127.0.0.1 >> >> cname.domain.com. 5 IN CNAME test.domain.com. >> test.domain.com. 531 IN A 66.96.162.92 > > # net-dns.pl add rpz cname.example.com CNAME test.example.com. > # net-dns.pl add rpz test.example.com A 10.10.10.10 > > Here's the answer I didn't expect, from dig: > > # dig +short cname.example.com TEST.EXAMPLE.COM. > # dig +short test.example.com 10.10.10.10 > > It did not follow the CNAME chain. Here's what I expected, from > getaddrinfo(): > from socket import getaddrinfo getaddrinfo('cname.example.com',80) > > [(, , 17, '', > ('10.10.10.10', 80)), (, > , 6, '', ('10.10.10.10', 80))] > > All the rest of the queries follow. The recursive resolver (at 10.0.0.220) > is running 9.12.3-p1. I tested with versions of dig up to and including > 9.12.3-p1 > > Notice
Re: Internal CNAME in RPZ
Hi, so Andrey, Your output doesn't reflect what I would expect to see from an RPZ-mediated query, but rather what I would expect to see if querying a zone, such as the RPZ itself, directly. So I am not sure I understand your question. To the broader ISC community: however, I'm confused by the response I'm getting. Oddly enough dig is giving me the unexpected results, and (Python) socket.getaddrinfo() does what I expect. It appears that CNAME resolution within RPZ is escaping... On Wed, 23 Oct 2019, Andrey Geyn wrote: Date: Wed, 23 Oct 2019 19:34:39 +0500 From: Andrey Geyn To: "bind-users@lists.isc.org" Subject: Internal CNAME in RPZ Hello, I would like to set up RPZ with CNAME and A. There are two options: 1. cname.domain.com CNAME test.domain.com (without trailing dot) test.domain.com A 10.10.10.10 Trailing dot is needed. 2. cname.domain.com CNAME test.domain.com. (with trailing dot) test.domain.com A 10.10.10.10 Yes I believe this to be correct. # dig cname.domain.com @127.0.0.1 cname.domain.com. 5 IN CNAME test.domain.com. test.domain.com. 531 IN A 66.96.162.92 # net-dns.pl add rpz cname.example.com CNAME test.example.com. # net-dns.pl add rpz test.example.com A 10.10.10.10 Here's the answer I didn't expect, from dig: # dig +short cname.example.com TEST.EXAMPLE.COM. # dig +short test.example.com 10.10.10.10 It did not follow the CNAME chain. Here's what I expected, from getaddrinfo(): from socket import getaddrinfo getaddrinfo('cname.example.com',80) [(, , 17, '', ('10.10.10.10', 80)), (, , 6, '', ('10.10.10.10', 80))] All the rest of the queries follow. The recursive resolver (at 10.0.0.220) is running 9.12.3-p1. I tested with versions of dig up to and including 9.12.3-p1 Notice that in the very first test below the AUTHORITY refers to icann.org, but the ADDITIONAL (correctly) refers to my RPZ. I repeated with a different domain with the rationale that example.com was confounding results, and got something similar. Querying the RPZ directly, e.g. for cname.test.m3047.net.rpz1.m3047.net does the reverse, looking up actual.test.m3047.net from the RPZ instead of the real world. -- Fred Morris -- # dig cname.example.com ; <<>> DiG 9.8.3-P1 <<>> cname.example.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40161 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;cname.example.com. IN A ;; ANSWER SECTION: CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM. ;; AUTHORITY SECTION: EXAMPLE.COM. 3600 IN SOA ns.icann.org. noc.dns.icann.org. 2019101506 7200 3600 1209600 3600 ;; ADDITIONAL SECTION: rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET. 260 600 60 86400 600 ;; Query time: 1142 msec ;; SERVER: 10.0.0.220#53(10.0.0.220) ;; WHEN: Wed Oct 23 09:03:34 2019 ;; MSG SIZE rcvd: 209 # dig test.example.com ; <<>> DiG 9.8.3-P1 <<>> test.example.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28409 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;test.example.com. IN A ;; ANSWER SECTION: TEST.EXAMPLE.COM. 5 IN A 10.10.10.10 ;; AUTHORITY SECTION: rpz1.m3047.net. 900 IN NS LOCALHOST. ;; ADDITIONAL SECTION: rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET. 260 600 60 86400 600 ;; Query time: 10 msec ;; SERVER: 10.0.0.220#53(10.0.0.220) ;; WHEN: Wed Oct 23 09:04:38 2019 ;; MSG SIZE rcvd: 162 # dig cname.example.com.rpz1.m3047.net ; <<>> DiG 9.8.3-P1 <<>> cname.example.com.rpz1.m3047.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54923 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;cname.example.com.rpz1.m3047.net. IN A ;; ANSWER SECTION: CNAME.EXAMPLE.COM.rpz1.m3047.net. 600 IN CNAME TEST.EXAMPLE.COM. TEST.EXAMPLE.COM. 5 IN A 10.10.10.10 ;; AUTHORITY SECTION: rpz1.m3047.net. 900 IN NS LOCALHOST. ;; ADDITIONAL SECTION: rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET. 260 600 60 86400 600 ;; Query time: 8 msec ;; SERVER: 10.0.0.220#53(10.0.0.220) ;; WHEN: Wed Oct 23 09:07:46 2019 ;; MSG SIZE rcvd: 224 Python 3.7.4 (v3.7.4:e09359112e, Jul 8 2019, 14:54:52) [Clang 6.0 (clang-600.0.57)] on darwin Type "help", "copyright", "credits" or "license" for more information. from socket import getaddrinfo getaddrinfo('cname.example.com',80) [(, , 17, '', ('10.10.10.10', 80)), (, , 6, '', ('10.10.10.10', 80))] # net-dns.pl add rpz cname.test.m3047.net CNAME actual.test.m3047.net. # net-dns.pl add rpz actual.test.m3047.net A 10.10.10.10 Note that *.m3047.net is wildcarded. # dig cname.test.m3047.net ; <<>> DiG 9.8.3-P1 <<>>
Re: Internal CNAME in RPZ
// Sorry for HTML embedded to my first email. Hello, I would like to set up RPZ with CNAME and A. There are two options: 1. cname.domain.comCNAME test.domain.com(without trailing dot) test.domain.com A 10.10.10.10 In this case I receive # dig cname.domain.com @127.0.0.1 ... cname.domain.com. 5 IN CNAME test.domain.com.rpz. test.domain.com.rpz.3600IN A 10.10.10.10 ... So, it looks good, but RPZ name is visible, which is unwanted for me. 2. cname.domain.comCNAME test.domain.com. (with trailing dot) test.domain.com A 10.10.10.10 In this case I receive # dig cname.domain.com @127.0.0.1 cname.domain.com. 5 IN CNAME test.domain.com. test.domain.com.531 IN A 66.96.162.92 (66.98.162.92 is real, «internet» address of test.domain.com) Is it possible to make configuration for internal CNAME's in RPZ in which RPZ name will be not visible to user? Best regards, Andrey Geyn ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Internal CNAME in RPZ
Hello, I would like to set up RPZ with CNAME and A. There are two options: 1.cname.domain.com CNAME test.domain.com (without trailing dot)test.domain.com A 10.10.10.10 In this case I receive # dig cname.domain.com @127.0.0.1...cname.domain.com. 5 IN CNAME test.domain.com.rpz.test.domain.com.rpz. 3600 IN A 10.10.10.10... So, it looks good, but RPZ name is visible, which is unwanted for me. 2.cname.domain.com CNAME test.domain.com. (with trailing dot)test.domain.com A 10.10.10.10 In this case I receive # dig cname.domain.com @127.0.0.1cname.domain.com. 5 IN CNAME test.domain.com.test.domain.com. 531 IN A 66.96.162.92 (66.98.162.92 is real, «internet» address of test.domain.com) Is it possible to make configuration for internal CNAME's in RPZ in which RPZ name will be not visible to user? Best regards,Andrey Geyn___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: How to configure minimal-responses option at zone level?
rams wrote: > How to configure "minimal-responses" option at zone level? You can only configure it per view or in the global options. The named.conf(5) man page lists all the options and where they can appear. It is generated from the configuration file parsing code so you can trust its correctness. Tony. -- f.anthony.n.finchhttp://dotat.at/ each generation is responsible for the fate of our planet ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
How to configure minimal-responses option at zone level?
Hi, Greetings ! How to configure "minimal-responses" option at zone level? At global level it is working fine. but looking help for zone level to configure. Can someone help me on this Regards, Ramesh ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users