[RPZ] Fwd: strange result with rpz
Vernon Schryver
vjs at rhyolite.com
Fri Sep 16 21:16:40 UTC 2011
> From: <iharrathi.ext at orange-ftgroup.com>
> Hi, I implement a DNS recursive server that only answers a.b.c.myzone.fr, so
> for this I do this:
> in named.conf:
> response-policy { zone "rpz.zone";};
> and this is the zone rpz.zone:
> a.b.c.myzone.fr IN CNAME a.b.c.myzone.fr.
> *.fr IN A 127.0.0.17
> The problem is that my server answers a.b.c.myzone.fr but also answers all the
> zone myzone.fr like www.myzone.fr, ftp.myzone.fr, .... Why?
If I understand that description and have not overlooked something,
then I would predict that all requests with RD=1 for example.fr,
ftp.example.myzone.fr, ftp.myzone.fr, myzone.fr and all other domains
matching *.fr except a.b.c.myzone.fr are answered with 127.0.0.17.
That is because the "*.fr IN A 127.0.0.17" policy in the rpz.zone
file requires rewriting all answers to all requests for A RRs for any
domain matching *.fr to 127.0.0.17. All valid answers including
NXDOMAIN are rewritten. The a.b.c.myzone.fr policy record exempts
only a.b.c.myzone.fr from rewriting.
Evidently those are not the desired results. What was desired?
The "*.fr IN A 127.0.0.17" policy record seems a little unusual.
Vernon Schryver vjs at rhyolite.com
P.S. See https://lists.isc.org/mailman/listinfo/dnsrpz-interest to
subscribe to the ISC dnsrpz-interest mailing list.
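As an added illustration, not part of this thread or of BIND's own code: a small Python model of how the two QNAME triggers in the quoted rpz.zone are selected for an A query, showing why every name under .fr except a.b.c.myzone.fr is rewritten to 127.0.0.17. Record names and addresses are the ones from the quoted zone; the matching rules follow RPZ QNAME trigger semantics (most specific owner wins, a CNAME pointing at its own owner name means PASSTHRU).

```python
# Added example (not from the mailing-list thread): a model of how the two
# QNAME triggers in the quoted rpz.zone are selected and what each does.

# The records from the quoted rpz.zone as (owner, type, rdata).  A CNAME whose
# target is its own owner name is the RPZ "PASSTHRU" action (return the real
# answer unmodified); an A record replaces the answer with that address.
RPZ_ZONE = [
    ("a.b.c.myzone.fr", "CNAME", "a.b.c.myzone.fr."),
    ("*.fr", "A", "127.0.0.17"),
]

def labels(name):
    """Split a domain name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def trigger_matches(trigger, qname):
    """QNAME trigger semantics: an exact owner matches only itself; a
    '*.suffix' owner matches any name with at least one extra label under
    suffix, so '*.fr' matches 'myzone.fr' and 'example.fr' but not 'fr'."""
    t, q = labels(trigger), labels(qname)
    if t[0] == "*":
        suffix = t[1:]
        return len(q) > len(suffix) and q[-len(suffix):] == suffix
    return t == q

def rpz_action(qname, zone=RPZ_ZONE):
    """What the resolver does with an A query for qname: 'PASSTHRU',
    'REWRITE <addr>', or None when no policy record applies.  When several
    triggers match, RPZ applies the most specific owner (most labels), which
    is why the exact a.b.c.myzone.fr record wins over *.fr for that one name."""
    best = None
    for owner, rtype, rdata in zone:
        if trigger_matches(owner, qname):
            if best is None or len(labels(owner)) > len(labels(best[0])):
                best = (owner, rtype, rdata)
    if best is None:
        return None
    owner, rtype, rdata = best
    if rtype == "CNAME" and labels(rdata) == labels(owner):
        return "PASSTHRU"
    if rtype == "A":
        return f"REWRITE {rdata}"
    return f"{rtype} {rdata}"  # other RPZ actions; not used by this zone

if __name__ == "__main__":
    for q in ["a.b.c.myzone.fr", "www.myzone.fr", "ftp.example.myzone.fr",
              "example.fr", "myzone.fr", "fr", "example.com"]:
        print(f"{q:24} -> {rpz_action(q)}")
```

Running it reproduces the behaviour described above: only a.b.c.myzone.fr passes through, every other .fr name (including myzone.fr itself) gets 127.0.0.17, and names outside .fr are untouched.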