RPZ Question

Bob McDonald bmcdonaldjr at gmail.com
Thu Apr 16 17:26:41 UTC 2015 

I'm using RPZ to return "fake" addresses for hosts. Although it seems to
work well for A records, I'm questioning the way it processes CNAME records.

Shown below is the output from DIG. Both records are in RPZ. However,
you'll notice that the first DIG returns a NXDOMAIN response.  The CNAME
target is also in RPZ (As shown in the second DIG)

Is this normal behaviour?

I'd also like to know if it's possible to generate "fake" resposes for MX,
NS, and/or SRV records.

Regards,

Bob

operator at sapphire-x5-agent:/home/operator >/opt/incontrol/dns/bin/dig @
127.0.0.1 www.arqiva.com.

; <<>> DiG 9.9.6-P2 <<>> @127.0.0.1 www.arqiva.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64951
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.arqiva.com.                        IN      A

;; ANSWER SECTION:
www.arqiva.com.         28800   IN      CNAME   www.arqiva-integration.com.

;; AUTHORITY SECTION:
com.                    361     IN      SOA     a.gtld-servers.net.
nstld.verisign-grs.com. 1429203602 1800 900 604800 86400

;; Query time: 90 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 16 13:09:19 EDT 2015
;; MSG SIZE  rcvd: 153

operator at sapphire-x5-agent:/home/operator >/opt/incontrol/dns/bin/dig @
127.0.0.1 www.arqiva-integration.com.

; <<>> DiG 9.9.6-P2 <<>> @127.0.0.1 www.arqiva-integration.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 506
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.arqiva-integration.com.    IN      A

;; ANSWER SECTION:
www.arqiva-integration.com. 28800 IN    A       83.138.41.100

;; AUTHORITY SECTION:
rpz-zone02.             28800   IN      NS      sapphire-agent-00.pcn.local.
rpz-zone02.             28800   IN      NS      sapphire-x5-agent.pcn.local.

;; Query time: 87 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 16 13:16:50 EDT 2015
;; MSG SIZE  rcvd: 154
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20150416/81bc1a1e/attachment.html>

More information about the bind-users mailing list