[DNSfirewalls] Cache answers with TTL 0 for ANY queries if RPZ enabled
Daniel Stirnimann
daniel.stirnimann at switch.ch
Thu Oct 31 13:42:23 UTC 2013
Hi
If I have RPZ enabled on a BIND 9.9.4 cache server, the cache server
mostly answers with a TTL of 0 in the answer section. I say mostly
because when repeating the query several times with "+norec" I sometimes
get the expected result with the "normal" RR TTLs.
Is this a feature or a bug?
The RPZ configuration is:
// RPZ
response-policy { zone "rpz-test" policy disabled; };
Dig sample output using 'dig google.ch ANY':
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3303
;; flags: qr rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;google.ch. IN ANY
;; ANSWER SECTION:
google.ch. 0 IN SOA ns3.google.com. dns-admin.google.com. 1536918 900 900 1800 60
google.ch. 0 IN TXT "v=spf1 -all"
google.ch. 0 IN MX 10 aspmx.l.google.com.
google.ch. 0 IN MX 40 alt3.aspmx.l.google.com.
google.ch. 0 IN MX 50 alt4.aspmx.l.google.com.
google.ch. 0 IN MX 20 alt1.aspmx.l.google.com.
google.ch. 0 IN MX 30 alt2.aspmx.l.google.com.
google.ch. 0 IN AAAA 2a00:1450:400a:806::1018
google.ch. 0 IN A 173.194.116.55
google.ch. 0 IN A 173.194.116.63
google.ch. 0 IN A 173.194.116.56
google.ch. 0 IN NS ns4.google.com.
google.ch. 0 IN NS ns1.google.com.
google.ch. 0 IN NS ns2.google.com.
google.ch. 0 IN NS ns3.google.com.
;; AUTHORITY SECTION:
google.ch. 3598 IN NS ns1.google.com.
google.ch. 3598 IN NS ns2.google.com.
google.ch. 3598 IN NS ns3.google.com.
google.ch. 3598 IN NS ns4.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 172798 IN A 216.239.32.10
ns2.google.com. 172798 IN A 216.239.34.10
ns3.google.com. 172798 IN A 216.239.36.10
ns4.google.com. 172798 IN A 216.239.38.10
Occasionally, I get the TTL values when using +norec:
Dig sample output using 'dig google.ch ANY +norec':
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36418
;; flags: qr ra; QUERY: 1, ANSWER: 15, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;google.ch. IN ANY
;; ANSWER SECTION:
google.ch. 1 IN SOA ns3.google.com. dns-admin.google.com. 1536918 900 900 1800 60
google.ch. 241 IN TXT "v=spf1 -all"
google.ch. 541 IN MX 20 alt1.aspmx.l.google.com.
google.ch. 541 IN MX 40 alt3.aspmx.l.google.com.
google.ch. 541 IN MX 10 aspmx.l.google.com.
google.ch. 541 IN MX 30 alt2.aspmx.l.google.com.
google.ch. 541 IN MX 50 alt4.aspmx.l.google.com.
google.ch. 241 IN AAAA 2a00:1450:400a:806::1018
google.ch. 241 IN A 173.194.116.55
google.ch. 241 IN A 173.194.116.63
google.ch. 241 IN A 173.194.116.56
google.ch. 3541 IN NS ns3.google.com.
google.ch. 3541 IN NS ns2.google.com.
google.ch. 3541 IN NS ns1.google.com.
google.ch. 3541 IN NS ns4.google.com.
;; AUTHORITY SECTION:
google.ch. 3541 IN NS ns4.google.com.
google.ch. 3541 IN NS ns2.google.com.
google.ch. 3541 IN NS ns3.google.com.
google.ch. 3541 IN NS ns1.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 172741 IN A 216.239.32.10
ns2.google.com. 172741 IN A 216.239.34.10
ns3.google.com. 172741 IN A 216.239.36.10
ns4.google.com. 172741 IN A 216.239.38.10
Daniel
--
SWITCH
Daniel Stirnimann, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 24
daniel.stirnimann at switch.ch, http://www.switch.ch
http://www.switch.ch/socialmedia
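A small check for the symptom described in this post, added here as an example and not part of the original message or of BIND: it parses a dig dump, counts answer-section records with TTL 0, and lists those the AUTHORITY section still shows with a live TTL (the NS set is 0 in ANSWER but 3598 in AUTHORITY above). The embedded sample is an abridged copy of the first dump in the post.

```python
import re
from collections import defaultdict

# Abridged copy of the first dig output in the post (recursive query, RPZ enabled):
# answer-section TTLs are 0 while the AUTHORITY section still carries the cached TTL.
DIG_RPZ = """\
;; ANSWER SECTION:
google.ch. 0 IN SOA ns3.google.com. dns-admin.google.com. 1536918 900 900 1800 60
google.ch. 0 IN TXT "v=spf1 -all"
google.ch. 0 IN A 173.194.116.55
google.ch. 0 IN NS ns1.google.com.
google.ch. 0 IN NS ns2.google.com.
;; AUTHORITY SECTION:
google.ch. 3598 IN NS ns1.google.com.
google.ch. 3598 IN NS ns2.google.com.
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_dig(text):
    """Group the RRs of a dig dump by section: {section: [(name, ttl, type, rdata), ...]}."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if not line or line.startswith(";") or current is None:
            continue  # comments, blank lines, and anything before the first section
        m = RR_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            sections[current].append((name, int(ttl), rtype, rdata))
    return sections


def zero_ttl_report(text):
    """Count TTL-0 answer RRs; list those AUTHORITY still shows with a non-zero TTL."""
    s = parse_dig(text)
    zero = [rr for rr in s["ANSWER"] if rr[1] == 0]
    authority_ttl = {(n, t, d): ttl for n, ttl, t, d in s["AUTHORITY"]}
    # Same name/type/rdata at TTL 0 in ANSWER but live in AUTHORITY: the cache holds a
    # normal TTL, so only the returned answer was zeroed, the behaviour asked about above.
    rewritten = [(n, t, d, authority_ttl[(n, t, d)]) for n, _, t, d in zero
                 if authority_ttl.get((n, t, d), 0) > 0]
    return {"answer_rrs": len(s["ANSWER"]), "zero_ttl_rrs": len(zero), "rewritten": rewritten}
```

Run it against a fresh `dig <name> ANY` capture from the resolver; a non-empty `rewritten` list is the signature of this specific TTL-0 behaviour rather than of records that simply expired.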