[DNSfirewalls] help
Fred Morris
m3047 at m3047.net
Wed Sep 11 03:50:16 UTC 2013
On Tue, 10 Sep 2013, Khadijeh Shahsavand wrote:
> please explain ** YOU WANT THE RESPONSE TO BE NO ANSWER ** completely
> and tell me step by step how to reach this goal?
"CNAME ." is a special exception rule. In other cases, the RPZ is scanned
for FQDN matches prior to the regular cache/resolution processing and
therefore other kinds of records behave as would be expected if they
occurred in a "regular" zone. I don't know if this is defined behavior,
but it certainly occurs. (Try an ANY query, you will see that with the
"CNAME ." idiom you get NXDOMAIN, but with regular RRs defined in the RPZ,
it behaves as is expected for an ANY query.)
** INITIAL STATE. NO ENTRY EXISTS IN RPZ FOR NONEXISTENT NAME. Note the SOA record. **
m3047 at athena:~> dig test.m3047
; <<>> DiG 9.9.2-P1 <<>> test.m3047
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51191
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.m3047. IN A
;; AUTHORITY SECTION:
m3047. 600 IN SOA ATHENA.m3047. M3047.M3047.NET. 120417023 600 60 86400 600
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 10 12:22:18 2013
;; MSG SIZE rcvd: 97
** RPZ ENTRY IS ADDED FORCING NXDOMAIN RESPONSE. Note that the SOA record reflects the RPZ as the authority now. **
m3047 at athena:~> net-dns.pl add rpz test.m3047 CNAME .
TEST.M3047.rpz1.m3047.net. 600 IN CNAME ; no data
m3047 at athena:~> dig test.m3047
; <<>> DiG 9.9.2-P1 <<>> test.m3047
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4014
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.m3047. IN A
;; AUTHORITY SECTION:
rpz1.m3047.net. 600 IN SOA DEV.NULL. M3047.m3047.net. 79 600 60 86400 600
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 10 12:22:49 2013
;; MSG SIZE rcvd: 103
** PREVIOUS CNAME RECORD IS REPLACED WITH A TXT RECORD. A "soft NX" occurs, however the RPZ is still the authority. The default (and most common) DNS query is for A record types. **
m3047 at athena:~> net-dns.pl del rpz test.m3047
m3047 at athena:~> net-dns.pl add rpz test.m3047 TXT "No A record exists for this."
TEST.M3047.rpz1.m3047.net. 600 IN TXT "NO A RECORD EXISTS FOR THIS."
m3047 at athena:~> dig test.m3047
; <<>> DiG 9.9.2-P1 <<>> test.m3047
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31719
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.m3047. IN A
;; AUTHORITY SECTION:
rpz1.m3047.net. 600 IN SOA DEV.NULL. M3047.m3047.net. 81 600 60 86400 600
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 10 12:23:24 2013
;; MSG SIZE rcvd: 103
--
Fred Morris
Internet Plumber, Tacoma WA USA
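The three dig transcripts above differ in two things a practitioner cares about: the rcode (NXDOMAIN versus NOERROR with an empty ANSWER section, i.e. NODATA, the "soft NX" Fred describes) and which zone's SOA sits in the AUTHORITY section (the real zone before the RPZ entry exists, the RPZ zone once the policy fires). The following Python is an added example, not code from the post or from the net-dns.pl tool: it classifies dig output along those two axes and builds the RPZ zone-file line for a given policy. The transcripts embedded in it are constructed, trimmed copies of the ones in the post; the "nodata" and "passthru" idioms in RPZ_ACTIONS are taken from the RPZ specification and are not something the post demonstrates (it shows only "CNAME ." and a plain TXT record).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed dig transcripts, trimmed to the lines the classifier needs and
# modelled on the three responses in the post (not verbatim copies).
DIG_INITIAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51191
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;test.m3047.                    IN      A
;; AUTHORITY SECTION:
m3047.                  600     IN      SOA     ATHENA.m3047. M3047.M3047.NET. 120417023 600 60 86400 600
"""

DIG_RPZ_CNAME_DOT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4014
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;test.m3047.                    IN      A
;; AUTHORITY SECTION:
rpz1.m3047.net.         600     IN      SOA     DEV.NULL. M3047.m3047.net. 79 600 60 86400 600
"""

DIG_RPZ_TXT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31719
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;test.m3047.                    IN      A
;; AUTHORITY SECTION:
rpz1.m3047.net.         600     IN      SOA     DEV.NULL. M3047.m3047.net. 81 600 60 86400 600
"""

# RPZ trigger idioms (assumed from the RPZ specification, not from the post;
# the post only demonstrates "CNAME ." and a plain TXT record).
RPZ_ACTIONS = {
    "nxdomain": "CNAME .",
    "nodata": "CNAME *.",
    "passthru": "CNAME rpz-passthru.",
}


@dataclass
class Verdict:
    status: str                # rcode from the dig header line
    kind: str                  # "NXDOMAIN", "NODATA", "ANSWER" or "OTHER"
    soa_owner: Optional[str]   # owner of the SOA in the AUTHORITY section, if any
    from_rpz: bool             # True when that owner is the RPZ zone (policy fired)


def _canon(name: str) -> str:
    """Lower-case and strip the trailing dot so names compare reliably."""
    return name.lower().rstrip(".")


def parse_dig(text: str, rpz_zone: str) -> Verdict:
    """Classify one dig transcript and detect whether the RPZ answered it."""
    m = re.search(r"status:\s*([A-Z]+)", text)
    if not m:
        raise ValueError("no status field in dig output")
    status = m.group(1)
    m = re.search(r"ANSWER:\s*(\d+)", text)
    answers = int(m.group(1)) if m else 0

    # The first SOA in the AUTHORITY section says who claims authority:
    # the real zone (m3047.) before the policy exists, the RPZ zone afterwards.
    soa_owner = None
    in_auth = False
    for line in text.splitlines():
        if line.startswith(";; AUTHORITY SECTION"):
            in_auth = True
            continue
        if line.startswith(";;"):
            in_auth = False
            continue
        if in_auth:
            fields = line.split()
            if len(fields) >= 4 and fields[2] == "IN" and fields[3] == "SOA":
                soa_owner = fields[0]
                break

    if status == "NXDOMAIN":
        kind = "NXDOMAIN"
    elif status == "NOERROR" and answers == 0:
        kind = "NODATA"    # the post's "soft NX": name exists, no RRs of the queried type
    elif status == "NOERROR":
        kind = "ANSWER"
    else:
        kind = "OTHER"
    from_rpz = soa_owner is not None and _canon(soa_owner) == _canon(rpz_zone)
    return Verdict(status, kind, soa_owner, from_rpz)


def rpz_record(qname: str, rpz_zone: str, action: str, ttl: int = 600) -> str:
    """Build the RPZ zone-file line that applies `action` to `qname`.

    `action` is a key of RPZ_ACTIONS or literal rdata such as 'TXT "..."'.
    """
    rdata = RPZ_ACTIONS.get(action, action)
    return f"{_canon(qname)}.{_canon(rpz_zone)}. {ttl} IN {rdata}"


if __name__ == "__main__":
    for label, text in (("initial", DIG_INITIAL), ("CNAME .", DIG_RPZ_CNAME_DOT), ("TXT", DIG_RPZ_TXT)):
        print(label, parse_dig(text, "rpz1.m3047.net"))
    print(rpz_record("test.m3047", "rpz1.m3047.net", "nxdomain"))
```

Running it reports NXDOMAIN from the real zone for the first transcript, NXDOMAIN from the RPZ for the second, and NODATA from the RPZ for the third, which is exactly the distinction the post draws: only "CNAME ." produces a hard NXDOMAIN, while any ordinary RR in the RPZ makes the name exist and turns an A query into a NODATA answer with the RPZ's SOA as authority. Checking the SOA owner is also how a resolver operator (or an attacker probing for filtering) can tell a policy hit apart from a genuinely nonexistent name.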