Facing weird issue with DNS-RPZ
Bob Harold
rharolde at umich.edu
Tue Apr 24 18:06:37 UTC 2018
On Tue, Apr 24, 2018 at 8:33 AM, Blason R <blason16 at gmail.com> wrote:
> Resending since it seems it has few malicious domains
> ---------- Forwarded message ----------
> From: Blason R <blason16 at gmail.com>
> Date: Tue, Apr 24, 2018 at 6:02 PM
> Subject: Facing weird issue with DNS-RPZ
> To: bind-users <bind-users at lists.isc.org>
>
>
> Hello All,
>
> I am building DNS RPZ on named BIND 9.9.4-RedHat-9.9.4-51.el7_4.2
> (Extended Support Version).
>
> When I am manually creating writing a policy it works fine for CNAME while
> I have around 10k domains which needs to be wall-gardened but somehow as
> soon as I write simple while loop and entered in a .db file it stops RPZ
> functionality infact stops wall gardening instead it shows the real time.
>
> here is my zone config
>
> ###############
>
> recursion yes;
> forwarders {1.1.1.1; 8.8.8.8; 9.9.9.9; };
> querylog yes;
> response-policy { zone "isnlab.in"; };
> check-names master ignore;
> check-names slave ignore;
>
> ###############
>
> zone "isnlab.in" IN {
> type master;
> file "/var/named/firewall.local.db";
> };
>
>
> ******************
> $TTL 180
> @ IN SOA ns1.isnlab.in. ns1.isnlab.in. (
> 2006060301 ; Serial
> 21600 ; Refresh
> 3600 ; Retry
> 604800 ; Expire
> 3600 ) ; Minimum TTL
>
> IN NS ns1.isnlab.in.
> ns1.isnlab.in. IN A 172.16.3.46
> wg.isnlab.in. IN A 172.16.3.46
> *.facebook.com CNAME wg.isnlab.in.
> facebook.com CNAME wg.isnlab.in.
> testing.com CNAME wg.isnlab.in.
> *.testing.com CNAME wg.isnlab.in.
> 000cas.info CNAME wg.isnlab.in.
> 000dfcc96tkpc.com CNAME wg.isnlab.in.
>
> As soon as I add up the zones using below funcitonality it stops
> wallgardening and starts giving me real IPs
>
> This is before
> *$ dig @172.16.3.46 <http://172.16.3.46> facebook.com
> <http://facebook.com>*
>
> ; <<>> DiG 9.11.0-P5 <<>> @172.16.3.46 facebook.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6228
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;facebook.com. IN A
>
> *;; ANSWER SECTION:*
> *facebook.com <http://facebook.com>. 5 IN CNAME
> wg.isnlab.in <http://wg.isnlab.in>.*
> *wg.isnlab.in <http://wg.isnlab.in>. 180 IN A
> 172.16.3.46*
>
> *;; AUTHORITY SECTION:*
> *isnlab.in <http://isnlab.in>. 180 IN NS
> ns1.isnlab.in <http://ns1.isnlab.in>.*
>
>
> ****************
> cat /tmp/sinkhole.zones | awk '{print $2}' | sed -e 's/\"//g' | while read
> line;do echo -e $line' \t ' CNAME' \t ' wg.isnlab.in.;done >>
> /var/named/firewall.local.db
>
> After this
> *$ dig @172.16.3.46 <http://172.16.3.46> facebook.com
> <http://facebook.com>*
>
> ; <<>> DiG 9.11.0-P5 <<>> @172.16.3.46 facebook.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32058
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;facebook.com. IN A
>
> ;; ANSWER SECTION:
> *facebook.com <http://facebook.com>. 225 IN A
> 157.240.13.35*
>
> ;; AUTHORITY SECTION:
> . 2972 IN NS m.root-servers.net.
> . 2972 IN NS a.root-servers.net.
> . 2972 IN NS h.root-servers.net.
> . 2972 IN NS j.root-servers.net.
> . 2972 IN NS c.root-servers.net.
> . 2972 IN NS i.root-servers.net.
> . 2972 IN NS b.root-servers.net.
> . 2972 IN NS g.root-servers.net.
> . 2972 IN NS e.root-servers.net.
> . 2972 IN NS k.root-servers.net.
> . 2972 IN NS f.root-servers.net.
> . 2972 IN NS d.root-servers.net.
> . 2972 IN NS l.root-servers.net.
>
> ;; Query time: 128 msec
>
>
> Any clue why this is happening?
>
Check the logs for an error message saying that the zone failed to load,
and which line # had the error.
Also try this:
cat /tmp/sinkhole.zones | awk '{print $2}' | sed -e 's/\"//g' | egrep -v
'^[-0-9a-zA-Z.]*$'
There might be names that don't fit that pattern that are still ok, but it
is a start.
If not, then edit the zone and delete the last half of the lines, reload,
if it fails delete half of the remaining names, etc, until you find it by
binary search.
--
Bob Harold
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20180424/8ec44678/attachment-0001.html>
More information about the bind-users
mailing list