I enabled debug and query logs for BIND and no, it doesn't look like a caching
problem...
Do you have any idea how to force BIND to look for the CNAMEd name in RPZ?
I tried to analyze the source code, and it seems that this line prohibits applying
the policy on the second iteration:
https://gitlab.isc.org/isc-projects/bind9/blob/master/lib%2Fns%2Fquery.c#L3918
Because at this moment st->state & DNS_RPZ_REWRITTEN == 1, the query _has
already been rewritten_ by RPZ.
Unfortunately, commenting out this line leads to an assertion failure later, in
query_addrdataset() :)
Andrey
24.10.2019, 02:00, "m3047" :
> Hello...
>
> On Wed, 23 Oct 2019, Andrey Geyn wrote:
>> [...]
>> I don't understand why your tests for "cname.example.com" and
>> "cname.test.m3047.net" differ
>> (first one returns only
>> CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM.
>
> I didn't understand this as well. Is it something about caching perhaps? I
> thought perhaps example.com, being well-known, was somehow confounding the
> results.
>
>> second one returns two RRs:
>> CNAME.TEST.M3047.NET. 5 IN CNAME ACTUAL.TEST.M3047.NET.
>> ACTUAL.TEST.M3047.NET. 7200 IN A 209.221.140.128)
>
> Notwithstanding that this is WRONG, because actual.test.m3047.net is in
> the RPZ, it did try to follow the CNAME chain it just failed to apply the
> policy to the A record. However querying the RPZ explicitly:
>
> CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN CNAME ACTUAL.TEST.M3047.NET.
> ACTUAL.TEST.M3047.NET. 5 IN A 10.10.10.10
>
> would /appear/ to be retrieving the result for the CNAME from the RPZ as a
> regular zone not a policy zone, as intended, but then subjects the A
> record to the RPZ policy!
>
>> 23.10.2019, 21:49, "m3047" :
>>> [...]
>>> # dig cname.example.com
>>>
>>> ; <<>> DiG 9.8.3-P1 <<>> cname.example.com
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40161
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>>>
>>> ;; QUESTION SECTION:
>>> ;cname.example.com. IN A
>>>
>>> ;; ANSWER SECTION:
>>> CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM.
>>>
>>> ;; AUTHORITY SECTION:
>>> EXAMPLE.COM. 3600 IN SOA ns.icann.org.
>>> noc.dns.icann.org. 2019101506 7200 3600 1209600 3600
>>>
>>> ;; ADDITIONAL SECTION:
>>> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
>>> 260 600 60 86400 600
>>>
>>> ;; Query time: 1142 msec
>>> ;; SERVER: 10.0.0.220#53(10.0.0.220)
>>> ;; WHEN: Wed Oct 23 09:03:34 2019
>>> ;; MSG SIZE rcvd: 209
>>>
>>> # dig test.example.com
>>>
>>> ; <<>> DiG 9.8.3-P1 <<>> test.example.com
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28409
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>>>
>>> ;; QUESTION SECTION:
>>> ;test.example.com. IN A
>>>
>>> ;; ANSWER SECTION:
>>> TEST.EXAMPLE.COM. 5 IN A 10.10.10.10
>>>
>>> ;; AUTHORITY SECTION:
>>> rpz1.m3047.net. 900 IN NS LOCALHOST.
>>>
>>> ;; ADDITIONAL SECTION:
>>> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
>>> 260 600 60 86400 600
>>>
>>> ;; Query time: 10 msec
>>> ;; SERVER: 10.0.0.220#53(10.0.0.220)
>>> ;; WHEN: Wed Oct 23 09:04:38 2019
>>> ;; MSG SIZE rcvd: 162
>>>
>>> # dig cname.example.com.rpz1.m3047.net
>>>
>>> ; <<>> DiG 9.8.3-P1 <<>> cname.example.com.rpz1.m3047.net
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54923
>>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
>>>
>>> ;; QUESTION SECTION:
>>> ;cname.example.com.rpz1.m3047.net. IN A
>>>
>>> ;; ANSWER SECTION:
>>> CNAME.EXAMPLE.COM.rpz1.m3047.net. 600 IN CNAME TEST.EXAMPLE.COM.
>>> TEST.EXAMPLE.COM. 5 IN A 10.10.10.10
>>>
>>> ;; AUTHORITY SECTION:
>>> rpz1.m3047.net. 900 IN NS LOCALHOST.
>>>
>>> ;; ADDITIONAL SECTION:
>>> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
>>> 260 600 60 86400 600
>>>
>>> ;; Query time: 8 msec
>>> ;; SERVER: 10.0.0.220#53(10.0.0.220)
>>> ;; WHEN: Wed Oct 23 09:07:46 2019
>>> ;; MSG SIZE rcvd: 224
>>>
>>> Python 3.7.4 (v3.7.4:e09359112e, Jul 8 2019, 14:54:52)
>>> [Clang 6.0 (clang-600.0.57)] on darwin
>>> Type "help", "copyright", "credits" or "license" for more information.
>>> >>> from socket import getaddrinfo
>>> >>> getaddrinfo('cname.example.com',80)
>>>
>>> [(, , 17, '',
>>> ('10.10.10.10', 80)), (,
>>> , 6, '', ('10.10.10.10', 80))]
>>>
>>> # net-dns.pl add rpz cname.test.m3047.net CNAME actual.test.m3047.net.
>>> # net-dns.pl add rpz actual.test.m3047.net A 10.10.10.10
>>>
>>> Note that *.m3047.net is wildcarded.
>>>
>>> # dig cname.test.m3047.net
>>>
>>> ; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23767
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
>>>
>>> ;; QUESTION SECTION:
>>> ;cname.test.m3047.net. IN A
>>>
>>> ;; ANSWER SECTION: