[RPZ] Fwd: strange result with rpz
Raymond Dijkxhoorn
raymond at prolocation.net
Fri Sep 16 21:24:30 UTC 2011
Hi!
>> response-policy { zone "rpz.zone";};
>
>> and this is the zone rpz.zone:
>
>> a.b.c.myzone.fr IN CNAME a.b.c.myzone.fr.
>
>> *.fr IN A 127.0.0.17
>
>> The problem is that my server answers a.b.c.myzone.fr but also answers the
>> whole zone myzone.fr, like www.myzone.fr, ftp.myzone.fr, .... Why?
>
>
> If I understand that description and have not overlooked something,
> then I would predict that all requests with RD=1 for example.fr,
> ftp.example.myzone.fr, ftp.myzone.fr, myzone.fr and all other domains
> matching *.fr except a.b.c.myzone.fr are answered with 127.0.0.17.
>
> That is because the "*.fr IN A 127.0.0.17" policy in the rpz.zone
> file requires rewriting all answers to all requests for A RRs for any
> domain matching *.fr to 127.0.0.17. All valid answers including
> NXDOMAIN are rewritten. The a.b.c.myzone.fr policy record exempts
> only a.b.c.myzone.fr from rewriting.
>
> Evidently those are not the desired results. What was desired?
>
> The "*.fr IN A 127.0.0.17" policy record seems a little unusual.
I was thinking the exact same thing. The zone is set up like that, so it should
match *.fr and also the names he lists there. Or am I missing the
point here?
Bye,
Raymond.
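To make the quoted explanation concrete, here is a small model of RPZ QNAME-trigger matching, added as an illustration for this thread; it is not BIND's code and not anything from the original poster. It encodes the two policy records from the thread's rpz.zone and the matching rules the reply describes: an exact owner name wins, otherwise the nearest wildcard ancestor (*.parent, *.grandparent, ...) applies, a CNAME pointing at its own owner name is the RPZ "passthru" action, and an A record is local data that replaces every answer, NXDOMAIN included. The query names and the "real" answers are constructed for the demonstration.

```python
"""Toy model of RPZ QNAME-trigger matching for the rpz.zone in this thread.

Added illustration, not BIND's implementation. The policy zone below is the
one posted in the thread; query names and upstream answers are made up.
"""

# rpz.zone from the thread: owner name -> (rrtype, rdata).
# "a.b.c.myzone.fr IN CNAME a.b.c.myzone.fr." is a CNAME to itself, which RPZ
# treats as PASSTHRU (exempt from rewriting). "*.fr IN A 127.0.0.17" is local
# data that replaces the answer for every A query matching the wildcard.
POLICY_ZONE = {
    "a.b.c.myzone.fr": ("CNAME", "a.b.c.myzone.fr."),
    "*.fr": ("A", "127.0.0.17"),
}


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def find_policy(qname, zone=POLICY_ZONE):
    """Return (owner, rrtype, rdata) of the policy record triggered by qname,
    or None if no record matches.

    Exact owner names take precedence. Otherwise the wildcard closest to the
    query name is tried first (*.c.myzone.fr, *.myzone.fr, ..., *.fr). A
    wildcard needs at least one label in front of it, so "*.fr" does not
    match the bare name "fr".
    """
    labels = _labels(qname)
    exact = ".".join(labels)
    if exact in zone:
        return (exact,) + zone[exact]
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in zone:
            return (wild,) + zone[wild]
    return None


def rewrite(qname, real_answer, zone=POLICY_ZONE):
    """Apply the policy zone to an A query.

    real_answer is what recursion would have returned without RPZ: an
    address string or the literal "NXDOMAIN". Returns the answer the client
    actually sees.
    """
    hit = find_policy(qname, zone)
    if hit is None:
        return real_answer
    owner, rrtype, rdata = hit
    if rrtype == "CNAME":
        if _labels(rdata) == _labels(owner):
            return real_answer      # CNAME to self: PASSTHRU, no rewrite
        if rdata == ".":
            return "NXDOMAIN"       # CNAME . : force NXDOMAIN
        if rdata == "*.":
            return "NODATA"         # CNAME *. : force NODATA
        return rdata                # any other CNAME: redirect
    return rdata                    # local data (A/AAAA): replaces the answer


if __name__ == "__main__":
    # Names from the reply's prediction, with constructed upstream answers.
    samples = [
        ("a.b.c.myzone.fr", "192.0.2.5"),    # exempt by the CNAME-to-self record
        ("www.myzone.fr", "192.0.2.1"),      # rewritten by *.fr
        ("ftp.myzone.fr", "192.0.2.2"),      # rewritten by *.fr
        ("myzone.fr", "192.0.2.3"),          # rewritten by *.fr
        ("example.fr", "192.0.2.4"),         # rewritten by *.fr
        ("nonexistent.myzone.fr", "NXDOMAIN"),  # NXDOMAIN is rewritten too
        ("fr", "NXDOMAIN"),                  # wildcard needs a leading label
        ("example.com", "192.0.2.9"),        # outside .fr: untouched
    ]
    for name, upstream in samples:
        print(f"{name:24} upstream={upstream:12} client sees={rewrite(name, upstream)}")
```

Running the block prints one line per query and reproduces the reply's prediction: only a.b.c.myzone.fr keeps its real answer, every other name under .fr (including NXDOMAIN responses) becomes 127.0.0.17, and names outside .fr are untouched. Later BIND releases also accept `CNAME rpz-passthru.` as the exemption action, which reads more clearly than a CNAME to the record's own owner name.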