BIND on IPv6-only server. SERVFAIL problem

2019-12-06 Thread Andrey Geyn
Hello, I have installed BIND on an IPv6-only server with firewalled access to 
the internet (assume that access is allowed only to port 53 on the forwarder). 
It works well, but sometimes BIND receives a SERVFAIL response from the 
forwarder (and we can see "remote server broken: returned SERVFAIL" in the 
logs). But the forwarder is not broken; some requests need to be processed as 
SERVFAIL (try  for example). Okay, BIND thinks that the forwarder is broken 
and starts recursion by itself. It makes requests to the root NS servers, the 
NS servers of the zone, etc. In our case BIND is not able to make these 
requests, because access to the «wild» internet is denied (moreover, even if 
we allowed access, there is no IPv4 internet on the server, but many NS 
servers listen only on IPv4 addresses, so it's not an option either). Is there 
any option which will allow us to proxy SERVFAIL (and other «bad» responses) 
from the forwarder and not try to make recursive requests by itself?

Best,
Andrey
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Internal CNAME in RPZ

2019-10-24 Thread Andrey Geyn
Thank you, Bob.

Unfortunately, records are generated by my users, not by me, so I can't change 
them as I want. 

Thanks again for your time and detailed explanation.

Andrey.

24.10.2019, 19:53, "Bob Harold" :
> On Thu, Oct 24, 2019 at 9:20 AM Andrey Geyn  wrote:
>> Hi, Bob, thank you for response!
>>
>> What if I want to make following configuration (as an example):
>>
>> domain.com    A    10.10.10.10
>> *.domain.com  CNAME    domain.com
>>
>> I don't want to write 10.10.10.10 twice, I want to use magic of CNAME's here.
>
> Sorry, that is not how RPZ was designed to work.
> You can make the second one:
>       *.domain.com  CNAME    my10.realdomain.com.
> Where there is a real domain (not the RPZ domain) with:
>        my10.realdomain.com. A  10.10.10.10
>
> Or make them both "A" records.  Or both CNAME.  But one RPZ entry cannot 
> point to another.
> Use scripts to automate the process, if you don't want to enter 10.10.10.10 
> twice.
>
> p.s.  The decision not to re-lookup the results of RPZ lookups is probably 
> for speed and to avoid loops.  Trying to patch around that is not a good idea.
>
> --
> Bob Harold
>
>>> Do you want cname.domain.com to point to 10.10.10.10?  Then use an A record 
>>> to 10.10.10.10.
>> This sentence sounds like «CNAME are useless at all» :-). Do you want some 
>> domain to point to some address? Then use an A record, not CNAME!
>>
>> Additionally, I already use a patched version of BIND. Maybe it is possible 
>> to make some patch for allowing this behavior?
>>
>> Andrey
>>
>> 24.10.2019, 18:06, "Bob Harold" :
>>> On Wed, Oct 23, 2019 at 10:34 AM Andrey Geyn  wrote:
>>>> Hello, I would like to set up RPZ with CNAME and A. There are two options:
>>>>
>>>> 1.
>>>> cname.domain.com        CNAME   test.domain.com    (without trailing dot)
>>>> test.domain.com         A       10.10.10.10
>>>
>>> There is a misunderstanding here.  You would never redirect a domain in RPZ 
>>> to another domain in RPZ.
>>> Domains in RPZ must always be redirected to a real domain.  You cannot 
>>> point it to the wrong place, and then expect it to be redirected again.  It 
>>> does not work that way.
>>> Those two RPZ entries are completely separate.
>>> Do you want cname.domain.com to point to 10.10.10.10?  Then use an A record 
>>> to 10.10.10.10.
>>> Do you want cname.domain.com to point to some real domain name (probably a 
>>> name you control, like a walled garden, or error page)?  Then CNAME to that 
>>> real name.
>>>
>>> --
>>> Bob Harold
>>>
>>>> In this case I receive
>>>>
>>>> # dig cname.domain.com @127.0.0.1
>>>> ...
>>>> cname.domain.com.       5       IN      CNAME   test.domain.com.rpz.
>>>> test.domain.com.rpz.    3600    IN      A       10.10.10.10
>>>> ...
>>>>
>>>> So, it looks good, but RPZ name is visible, which is unwanted for me.
>>>>
>>>> 2.
>>>> cname.domain.com        CNAME   test.domain.com.      (with trailing dot)
>>>> test.domain.com         A       10.10.10.10
>>>>
>>>> In this case I receive
>>>>
>>>> # dig cname.domain.com @127.0.0.1
>>>> cname.domain.com.       5       IN      CNAME   test.domain.com.
>>>> test.domain.com.        531     IN      A       66.96.162.92
>>>>
>>>> (66.96.162.92 is the real, «internet» address of test.domain.com)
>>>>
>>>> Is it possible to make a configuration for internal CNAMEs in RPZ in which 
>>>> the RPZ name will not be visible to the user?
>>>>
>>>> Best regards,
>>>> Andrey Geyn


Re: Internal CNAME in RPZ

2019-10-24 Thread Andrey Geyn
Hi, Bob, thank you for response!

What if I want to make following configuration (as an example):

domain.com    A    10.10.10.10
*.domain.com  CNAME    domain.com

I don't want to write 10.10.10.10 twice, I want to use magic of CNAME's here.

> Do you want cname.domain.com to point to 10.10.10.10?  Then use an A record 
> to 10.10.10.10.

This sentence sounds like «CNAME are useless at all» :-). Do you want some 
domain to point to some address? Then use an A record, not CNAME!

Additionally, I already use a patched version of BIND. Maybe it is possible to 
make some patch for allowing this behavior?

Andrey

24.10.2019, 18:06, "Bob Harold" :
> On Wed, Oct 23, 2019 at 10:34 AM Andrey Geyn <andg...@yandex-team.ru> wrote:
>> Hello, I would like to set up RPZ with CNAME and A. There are two options:
>>
>> 1.
>> cname.domain.com        CNAME   test.domain.com    (without trailing dot)
>> test.domain.com         A       10.10.10.10
>
> There is a misunderstanding here.  You would never redirect a domain in RPZ 
> to another domain in RPZ.
> Domains in RPZ must always be redirected to a real domain.  You cannot 
> point it to the wrong place, and then expect it to be redirected again.  It 
> does not work that way.
> Those two RPZ entries are completely separate.
> Do you want cname.domain.com to point to 10.10.10.10?  Then use an A record 
> to 10.10.10.10.
> Do you want cname.domain.com to point to some real domain name (probably a 
> name you control, like a walled garden, or error page)?  Then CNAME to that 
> real name.
>
> --
> Bob Harold
>
>> In this case I receive
>>
>> # dig cname.domain.com @127.0.0.1
>> ...
>> cname.domain.com.       5       IN      CNAME   test.domain.com.rpz.
>> test.domain.com.rpz.    3600    IN      A       10.10.10.10
>> ...
>>
>> So, it looks good, but RPZ name is visible, which is unwanted for me.
>>
>> 2.
>> cname.domain.com        CNAME   test.domain.com.      (with trailing dot)
>> test.domain.com         A       10.10.10.10
>>
>> In this case I receive
>>
>> # dig cname.domain.com @127.0.0.1
>> cname.domain.com.       5       IN      CNAME   test.domain.com.
>> test.domain.com.        531     IN      A       66.96.162.92
>>
>> (66.96.162.92 is the real, «internet» address of test.domain.com)
>>
>> Is it possible to make a configuration for internal CNAMEs in RPZ in which 
>> the RPZ name will not be visible to the user?
>>
>> Best regards,
>> Andrey Geyn


Re: Internal CNAME in RPZ

2019-10-23 Thread Andrey Geyn
Hi, Fred!

Thanks for your reply and tests. 
The questions you ask are my questions too, just asked more professionally. 
Thanks for it :)

Okay, let's use only variant with trailing dot, thank you for clarification.

I don't understand why your tests for "cname.example.com" and 
"cname.test.m3047.net" differ
(first one returns only 
CNAME.EXAMPLE.COM.      5       IN  CNAME   TEST.EXAMPLE.COM.
second one returns two RRs:
CNAME.TEST.M3047.NET.   5       IN  CNAME   ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET.  7200    IN  A       209.221.140.128)

In my test (I have BIND 9.11.3-1ubuntu1.9-Ubuntu) I have following named.conf:
"""
options {
    response-policy { zone "rpz"; };
};
zone "rpz" {
    type master;
    file "/etc/bind/rpz.zone";
};
"""

And rpz.zone:
"""
$TTL 1H
@  SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
   NS  LOCALHOST.

cname.domain.com    CNAME   test.domain.com.
test.domain.com     A       10.10.10.10
"""

So I run "dig cname.domain.com @127.0.0.1" and result is 
"""
...
;; QUESTION SECTION:
;cname.domain.com.          IN  A

;; ANSWER SECTION:
cname.domain.com.   5       IN  CNAME   test.domain.com.
test.domain.com.    599     IN  A       66.96.162.92

;; AUTHORITY SECTION:
.   5211    IN  NS  c.root-servers.net.
.   5211    IN  NS  e.root-servers.net.
.   5211    IN  NS  k.root-servers.net.
.   5211    IN  NS  l.root-servers.net.
.   5211    IN  NS  g.root-servers.net.
.   5211    IN  NS  d.root-servers.net.
.   5211    IN  NS  i.root-servers.net.
.   5211    IN  NS  a.root-servers.net.
.   5211    IN  NS  b.root-servers.net.
.   5211    IN  NS  m.root-servers.net.
.   5211    IN  NS  f.root-servers.net.
.   5211    IN  NS  h.root-servers.net.
.   5211    IN  NS  j.root-servers.net.
...
"""

(as for you in second test).

And yes, resolving via RPZ suffix is working as well:

# dig cname.domain.com.rpz @127.0.0.1

; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> cname.domain.com.rpz @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20714
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 33d9dfa596759fe554fb08f15db08b141f084f760f479882 (good)
;; QUESTION SECTION:
;cname.domain.com.rpz.          IN  A

;; ANSWER SECTION:
cname.domain.com.rpz.   3600    IN  CNAME   test.domain.com.
test.domain.com.        5       IN  A       10.10.10.10

;; AUTHORITY SECTION:
rpz.    3600    IN  NS  LOCALHOST.



Andrey 


23.10.2019, 21:49, "m3047" :
> Hi, so Andrey,
>
> Your output doesn't reflect what I would expect to see from an
> RPZ-mediated query, but rather what I would expect to see if querying a
> zone, such as the RPZ itself, directly. So I am not sure I understand your
> question.
>
> To the broader ISC community: however, I'm confused by the response I'm
> getting. Oddly enough dig is giving me the unexpected results, and
> (Python) socket.getaddrinfo() does what I expect. It appears that CNAME
> resolution within RPZ is escaping...
>
> On Wed, 23 Oct 2019, Andrey Geyn wrote:
>
>>  Date: Wed, 23 Oct 2019 19:34:39 +0500
>>  From: Andrey Geyn 
>>  To: "bind-users@lists.isc.org" 
>>  Subject: Internal CNAME in RPZ
>>
>>  Hello, I would like to set up RPZ with CNAME and A. There are two options:
>>
>>  1.
>>  cname.domain.com        CNAME   test.domain.com    (without trailing dot)
>>  test.domain.com         A       10.10.10.10
>
> Trailing dot is needed.
>
>>  2.
>>  cname.domain.com        CNAME   test.domain.com.      (with trailing dot)
>>  test.domain.com         A       10.10.10.10
>
> Yes I believe this to be correct.
>
>>  # dig cname.domain.com @127.0.0.1
>>
>>  cname.domain.com.       5       IN      CNAME   test.domain.com.
>>  test.domain.com.        531     IN      A       66.96.162.92
>
> # net-dns.pl add rpz cname.example.com CNAME test.example.com.
> # net-dns.pl add rpz test.example.com A 10.10.10.10
>
> Here's the answer I didn't expect, from dig:
>
> # dig +short cname.example.com
> TEST.EXAMPLE.COM.
> # dig +short test.example.com
> 10.10.10.10
>
> It did not follow

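Bob's reply in this thread tells Andrey to script the repetition away because one RPZ entry cannot point at another, and Andrey's own rpz.zone test shows the two failure modes: a relative CNAME target leaks test.domain.com.rpz to the client, an absolute one sends BIND to the real test.domain.com. The following is an added example written for this page, not code from the thread or from ISC, of such a pre-processing script in Python. It reads user-submitted policy records, replaces every CNAME whose target is another name inside the RPZ with that name's terminal A/AAAA (or real-domain CNAME) records, keeps CNAMEs to real domains untouched, and refuses loops and over-long chains instead of loading them. The sample records, the rule that a CNAME target naming another policy entry means "use that entry's answer" (with or without a trailing dot), the MAX_CHAIN limit and the apex SOA/NS layout (modelled on Andrey's rpz.zone, with a trailing dot added to the RNAME) are assumptions of the example.

```python
"""
Flatten RPZ-internal CNAME chains into terminal records before loading.

BIND applies a response-policy rewrite once: a CNAME action whose target is
another name in the same RPZ is not looked up again, so the client either
sees the policy zone's own suffix (relative target, e.g. test.domain.com.rpz)
or gets the real-world answer for the target (absolute target).  Expanding
such chains to the records they were meant to reach avoids both.
"""
import sys
from collections import defaultdict

# Constructed sample of user-submitted policy records (owner names are
# relative to the RPZ apex, as in the thread).  Not from the original page.
SAMPLE_RECORDS = """
domain.com        A      10.10.10.10
*.domain.com      CNAME  domain.com            # wants domain.com's address
cname.domain.com  CNAME  test.domain.com       # in-zone chain, two hops
test.domain.com   A      10.10.10.10
test.domain.com   AAAA   2001:db8::10
walled.example    CNAME  garden.corp.example.  # real name: keep as CNAME
loop-a.example    CNAME  loop-b.example        # loop: must be rejected
loop-b.example    CNAME  loop-a.example
"""

MAX_CHAIN = 8  # assumption: longer in-zone chains are treated as errors


def parse_records(text):
    """Parse 'owner TYPE rdata' lines; '#' starts a comment."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"expected 'owner TYPE rdata', got {raw!r}")
        owner, rtype, rdata = parts
        records.append((owner.lower(), rtype.upper(), rdata))
    return records


def flatten(records):
    """Return (flattened_records, warnings).

    A CNAME whose target (trailing dot or not) is an owner name in this zone
    is replaced by that owner's terminal records.  A CNAME to a name outside
    the zone is kept as-is.  Loops and over-long chains are reported and the
    offending names are dropped rather than loaded.
    """
    by_owner = defaultdict(list)
    for owner, rtype, rdata in records:
        by_owner[owner].append((rtype, rdata))

    def terminal(owner, chain):
        rrs = by_owner[owner]
        cnames = [rd for rt, rd in rrs if rt == "CNAME"]
        if not cnames:
            return rrs
        if len(rrs) > 1:
            raise ValueError(f"{owner}: a CNAME must be the only record at a name")
        key = cnames[0].rstrip(".").lower()
        if key not in by_owner:
            return rrs  # points at a real domain, outside the policy zone
        if key in chain or len(chain) >= MAX_CHAIN:
            raise ValueError(f"{owner}: CNAME loop or chain too long via {cnames[0]}")
        return terminal(key, chain + [key])

    flat, warnings = [], []
    for owner in by_owner:
        try:
            flat.extend((owner, rt, rd) for rt, rd in terminal(owner, [owner]))
        except ValueError as exc:
            warnings.append(str(exc))
    return flat, warnings


def render_zone(records, ttl=5):
    """Emit a zone file using the apex layout from Andrey's rpz.zone."""
    lines = [
        "$TTL 1H",
        "@  SOA LOCALHOST. named-mgr.example.com. (1 1h 15m 30d 2h)",
        "   NS  LOCALHOST.",
        "",
    ]
    for owner, rtype, rdata in records:
        lines.append(f"{owner:<24} {ttl:<5} IN {rtype:<6} {rdata}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RECORDS
    flat, warns = flatten(parse_records(text))
    for w in warns:
        print("warning:", w, file=sys.stderr)
    sys.stdout.write(render_zone(flat))
```

Feed the user records on stdin (with no stdin it uses the built-in sample), run named-checkzone on the output before reloading, and treat anything on stderr as a reason not to deploy: a loop or an unexpected CNAME chain is dropped rather than silently loaded. Flattening does duplicate 10.10.10.10 across owners, which is the repetition Andrey wanted to avoid; the point is that the duplication now lives in the generator's output, not in the records users maintain, and the client never sees the .rpz suffix or the real-world address.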
Internal CNAME in RPZ

2019-10-23 Thread Andrey Geyn
Hello, I would like to set up RPZ with CNAME and A. There are two options:

1.
cname.domain.com        CNAME   test.domain.com    (without trailing dot)
test.domain.com         A       10.10.10.10

In this case I receive

# dig cname.domain.com @127.0.0.1
...
cname.domain.com.       5       IN      CNAME   test.domain.com.rpz.
test.domain.com.rpz.    3600    IN      A       10.10.10.10
...

So, it looks good, but RPZ name is visible, which is unwanted for me.

2.
cname.domain.com        CNAME   test.domain.com.      (with trailing dot)
test.domain.com         A       10.10.10.10

In this case I receive

# dig cname.domain.com @127.0.0.1
cname.domain.com.       5       IN      CNAME   test.domain.com.
test.domain.com.        531     IN      A       66.96.162.92

(66.96.162.92 is the real, «internet» address of test.domain.com)

Is it possible to make a configuration for internal CNAMEs in RPZ in which the 
RPZ name will not be visible to the user?

Best regards,
Andrey Geyn