[DNSfirewalls] Effects of different kinds of records in an RPZ... I don't see anything abnormal
Fred Morris
m3047 at m3047.net
Wed Jul 3 19:46:20 UTC 2013
In case anyone is wondering, the notional concept here is to add TXT
records alongside other records in an RPZ for purposes of commentary; I
think the most robust implementation would put those in a separate
zone....
I don't see anything abnormal about the following, just checking in to see
if this raises anyone else's eyebrows or if the roadmap envisions changing
this behavior. To me, this seems like exactly the behavior I'd expect for
DNS resolution.
TXT record only:
* A query returns NOERROR, 0 answers.
* TXT query returns the RR.
TXT and A record:
* A query returns the A RR.
* TXT query returns the TXT RR.
Attempt to add a CNAME record:
* Rejected (ignored) by BIND.
Delete TXT and A records, and add a CNAME record, then attempt to re-add a
TXT or A record:
* Rejected (ignored) by BIND.
FWIW, this is BIND 9.9.2-P1. Actual DiG results are appended.
--
Fred Morris
--
m3047 at athena:~> net-dns.pl add rpz block-this.m3047.net TXT "This is some
text."
m3047 at athena:~> dig block-this.m3047.net
; <<>> DiG 9.9.2-P1 <<>> block-this.m3047.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40326
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;block-this.m3047.net. IN A
;; AUTHORITY SECTION:
rpz1.m3047.net. 600 IN SOA DEV.NULL. M3047.m3047.net.
64 600 60 86400 600
;; Query time: 100 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 3 11:42:43 2013
;; MSG SIZE rcvd: 104
m3047 at athena:~> dig block-this.m3047.net txt
; <<>> DiG 9.9.2-P1 <<>> block-this.m3047.net txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9521
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;block-this.m3047.net. IN TXT
;; ANSWER SECTION:
block-this.m3047.net. 5 IN TXT "THIS IS SOME TEXT."
;; AUTHORITY SECTION:
rpz1.m3047.net. 900 IN NS LOCALHOST.
;; ADDITIONAL SECTION:
LOCALHOST. 86400 IN A 127.0.0.1
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 3 12:02:44 2013
;; MSG SIZE rcvd: 124
m3047 at athena:~> net-dns.pl add rpz block-this.m3047.net a 127.0.0.1
m3047 at athena:~> dig block-this.m3047.net
; <<>> DiG 9.9.2-P1 <<>> block-this.m3047.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46735
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;block-this.m3047.net. IN A
;; ANSWER SECTION:
block-this.m3047.net. 5 IN A 127.0.0.1
;; AUTHORITY SECTION:
rpz1.m3047.net. 900 IN NS LOCALHOST.
;; ADDITIONAL SECTION:
LOCALHOST. 86400 IN A 127.0.0.1
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 3 12:03:23 2013
;; MSG SIZE rcvd: 109
m3047 at athena:~> dig block-this.m3047.net txt
; <<>> DiG 9.9.2-P1 <<>> block-this.m3047.net txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62082
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;block-this.m3047.net. IN TXT
;; ANSWER SECTION:
block-this.m3047.net. 5 IN TXT "THIS IS SOME TEXT."
;; AUTHORITY SECTION:
rpz1.m3047.net. 900 IN NS LOCALHOST.
;; ADDITIONAL SECTION:
LOCALHOST. 86400 IN A 127.0.0.1
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 3 12:03:32 2013
;; MSG SIZE rcvd: 124
m3047 at athena:~> net-dns.pl add rpz block-this.m3047.net cname .
03-Jul-2013 12:03:44.685 update: info: client 10.0.0.220#1029: updating
zone 'rpz1.m3047.net/IN': attempt to add CNAME alongside non-CNAME ignored
m3047 at athena:~> net-dns.pl del rpz block-this.m3047.net
03-Jul-2013 12:04:49.551 update: info: client 10.0.0.220#1029: updating
zone 'rpz1.m3047.net/IN': delete all rrsets from name
'BLOCK-THIS.M3047.NET.rpz1.m3047.net'
m3047 at athena:~> net-dns.pl add rpz block-this.m3047.net cname .
03-Jul-2013 12:04:52.835 update: info: client 10.0.0.220#1029: updating
zone 'rpz1.m3047.net/IN': adding an RR at
'BLOCK-THIS.M3047.NET.rpz1.m3047.net' CNAME
m3047 at athena:~> net-dns.pl add rpz block-this.m3047.net TXT "This is some
text."
03-Jul-2013 12:05:04.137 update: info: client 10.0.0.220#1029: updating
zone 'rpz1.m3047.net/IN': attempt to add non-CNAME alongside CNAME ignored
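Added example (not part of Fred's post, and not BIND or net-dns.pl code): a small Python model of the two behaviours the dig transcript above shows. First, the update rule that a CNAME cannot coexist with any other type at the same owner name (the two "ignored" log lines). Second, what a resolver consulting the policy zone hands back when the owner name has local data but not the queried type: NOERROR with zero answers, which is why a commentary TXT sitting on its own in the RPZ is itself a policy action and not just a comment. The zone name, owner name and rdata are the ones from the post; the "replace an existing CNAME" choice in add() is an assumption about singleton handling, not something the post demonstrates.

```python
"""Model of the RPZ record-coexistence rules observed in the post.

Constructed, illustrative code (not BIND, not net-dns.pl). It mimics:
  (1) the dynamic-update rule that a CNAME may not share an owner name
      with any other type (both directions are ignored by the server);
  (2) the answer a resolver gives for a name that has "local data" in
      the RPZ but no RRset of the queried type (NOERROR, 0 answers).
"""
from collections import defaultdict

# Special CNAME targets used by RPZ to encode actions. The post uses
# CNAME "." (NXDOMAIN); the other two are the standard RPZ encodings.
CNAME_ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}


def rpz_owner(qname: str, zone: str) -> str:
    """Map a queried name to its owner name inside the RPZ zone, lowercased.

    block-this.m3047.net in zone rpz1.m3047.net becomes
    block-this.m3047.net.rpz1.m3047.net. (the log shows this owner in caps).
    """
    return f"{qname.rstrip('.').lower()}.{zone.rstrip('.').lower()}."


class RpzZone:
    def __init__(self, name: str):
        self.name = name.rstrip('.').lower() + '.'
        # owner -> {rrtype: set(rdata)}
        self.rrsets = defaultdict(dict)

    def add(self, qname: str, rtype: str, rdata: str) -> str:
        """Emulate one dynamic-update ADD; return 'added' or an 'ignored: ...' reason."""
        owner = rpz_owner(qname, self.name)
        rtype = rtype.upper()
        existing = set(self.rrsets.get(owner, {}))
        if rtype == "CNAME" and existing - {"CNAME"}:
            return "ignored: attempt to add CNAME alongside non-CNAME"
        if rtype != "CNAME" and "CNAME" in existing:
            return "ignored: attempt to add non-CNAME alongside CNAME"
        if rtype == "CNAME":
            # Assumption: CNAME is a singleton type, so a new one replaces the old.
            self.rrsets[owner]["CNAME"] = {rdata}
        else:
            self.rrsets[owner].setdefault(rtype, set()).add(rdata)
        return "added"

    def delete_name(self, qname: str) -> None:
        """Emulate 'delete all rrsets from name' (the net-dns.pl del step)."""
        self.rrsets.pop(rpz_owner(qname, self.name), None)

    def policy(self, qname: str, qtype: str):
        """What a resolver consulting this RPZ returns for (qname, qtype)."""
        owner = rpz_owner(qname, self.name)
        qtype = qtype.upper()
        rrs = self.rrsets.get(owner)
        if not rrs:
            return ("NO-POLICY", [])          # resolver answers normally
        if "CNAME" in rrs:
            target = next(iter(rrs["CNAME"]))
            return (CNAME_ACTIONS.get(target, "CNAME-REWRITE"), [target])
        if qtype in rrs:
            return ("NOERROR", sorted(rrs[qtype]))
        # Local data exists but not of the requested type: NOERROR, 0 answers,
        # exactly what the post observed for an A query against a TXT-only name.
        return ("NOERROR", [])


def replay_post_sequence():
    """Replay the post's command sequence; returns a list of (step, result)."""
    z = RpzZone("rpz1.m3047.net")
    n = "block-this.m3047.net"
    out = [("add TXT", z.add(n, "TXT", "This is some text."))]
    out.append(("A query", z.policy(n, "A")))        # NOERROR, 0 answers
    out.append(("TXT query", z.policy(n, "TXT")))    # the TXT RR
    out.append(("add A", z.add(n, "A", "127.0.0.1")))
    out.append(("A query", z.policy(n, "A")))        # the A RR
    out.append(("TXT query", z.policy(n, "TXT")))    # still the TXT RR
    out.append(("add CNAME .", z.add(n, "CNAME", ".")))  # ignored
    z.delete_name(n)
    out.append(("add CNAME .", z.add(n, "CNAME", ".")))  # added
    out.append(("A query", z.policy(n, "A")))        # NXDOMAIN action
    out.append(("add TXT", z.add(n, "TXT", "This is some text.")))  # ignored
    return out


if __name__ == "__main__":
    for step, result in replay_post_sequence():
        print(f"{step:14s} -> {result}")
```

The takeaway for anyone planning commentary TXT records: once a name carries a CNAME action it can never carry the TXT, and a TXT on its own silently turns the name into a NODATA policy for every other type. Keeping the commentary in a separate zone, as the post suggests, sidesteps both problems.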