Need help on RPZ server, bit urgent
Blason R
blason16 at gmail.com
Fri Aug 10 03:40:09 UTC 2018
Hi there,
Where should it appear? The ARM says it should appear in the global section of
response-policy, which I tried but am getting an error.

response-policy {
    zone "whitelist.allow" policy passthru;
    zone "malware.trap";
    zone "ransomwareips.block";
} qname-wait-recurse no break-dnssec no;  // statement options go after "}" and before the ";"
On Fri, Aug 10, 2018 at 8:09 AM Blason R <blason16 at gmail.com> wrote:
> Well mine is bit different. I have RPZ and almost 400000+ RPZ entries wall
> gardened. And in my scenario users are talking to windows based AD/DNS
> server and then that server has forwarder set to RPZ.
>
>
> 1. First issue; I observed certain entries from BIND/RPZ zone are
> being resolved by windows server directly to their original IPs and not the
> wall-gardened IP. Where I believe once the forwarder is set all those
> queries should have been routed to RPZ server? [If anyone here having
> Windows DNS expertise, pls help]
> 2. And another, certain RPZ queries if queried through AD/DNS server
> are not at all getting resolved. When I captured packets on BIND/RPZ server
> I see that those domains are getting NXdomain by RPZ and not sure why.
>
> Thanks and Regards,
> Lionel F
>
> On Thu, Aug 9, 2018 at 11:08 PM Bob Harold <rharolde at umich.edu> wrote:
>
>>
>> On Thu, Aug 9, 2018 at 9:31 AM Blason R <blason16 at gmail.com> wrote:
>>
>>> For example this one.
>>>
>>> 18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A?
>>> 0351dag.com. (29)
>>> 18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074 NXDomain
>>> 0/1/0 (102)
>>>
>>
>> With RPZ, the name is looked up normally first, and only if there is an
>> answer, is RPZ invoked. If it gets NXDOMAIN or some error, it returns that
>> and does not use RPZ.
>> If that is not what you want, then you probably want to set the option:
>> qname-wait-recurse no;
>>
>> --
>> Bob Harold
>>
>>
>>
>>
>>>
>>> On Thu, Aug 9, 2018 at 6:59 PM Blason R <blason16 at gmail.com> wrote:
>>>
>>>> Hi Bind-Users,
>>>>
>>>> I would really appreciate if someone can help me understanding my issue
>>>> with BIND RPZ server?
>>>>
>>>> I have one windows server say 192.168.1.42 and then RPZ server with
>>>> 192.168.1.179. I noticed that there are certain domains which are not
>>>> getting resolved from end users.
>>>>
>>>> Ideally, since those end users have 192.168.1.42 set as their DNS server and it
>>>> has a forwarder set to 192.168.1.179, it should forward all queries to 1.179, right?
>>>>
>>>> But certain domains from my response-policy, even though wall-gardened,
>>>> are being catered as NXdomain.
>>>>
>>>> Anything I am missing pertaining to RPZ?
>>>>
>>>> Or if I am querying all those domains directly to the RPZ server then I am
>>>> getting a proper answer. This issue is noticed when I have a forwarder server
>>>> in between
>>>>
>>>> options {
>>>> version "test";
>>>> allow-query { localhost;subnets; };
>>>> directory "/var/cache/bind";
>>>> recursion yes;
>>>> querylog yes;
>>>> forwarders {
>>>> 1.1.1.1;9.9.9.9;208.67.222.222;8.8.8.8;
>>>> };
>>>> // dnssec-validation auto;
>>>> request-ixfr yes;
>>>> auth-nxdomain no; # conform to RFC1035
>>>> // listen-on-v6 { any; };
>>>> listen-on port 53 { any; };
>>>> listen-on port 15455 {any;};
>>>> response-policy { zone "whitelist.allow" policy passthru;
>>>> zone "wg.block";
>>>> zone "bad.trap";
>>>> zone "block.tld";
>>>> zone "ransomwareips.block"; };
>>>> };
>>>>
>>>>
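The check a practitioner would want at this point is a way to find, across a whole capture, which RPZ-listed names came back as NXDOMAIN (or something else) instead of the walled-garden address. The following Python script is an added example, not code from the thread or from BIND: it parses a constructed RPZ zone fragment in ordinary zone-file form (walled-garden A records, a `CNAME .` NXDOMAIN rule, a `rpz-passthru.` whitelist entry) and constructed `tcpdump -n` lines in the same shape as the ones quoted above, pairs each query with its response by client address and DNS id, and reports every name whose observed answer differs from what the policy says it should be. The names and addresses are hypothetical; the only real one reused from the thread is `0351dag.com`.

```python
"""Audit a tcpdump capture against an RPZ zone: which policed names were not rewritten?

Added example (not from the thread). All names, addresses and log lines below are
constructed sample data, except 0351dag.com which appears in the quoted capture.
"""
import re
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str]  # (record type, rdata) as written in the RPZ zone

# Constructed RPZ zone fragment: walled-garden A records, an NXDOMAIN rule, a passthru rule.
RPZ_ZONE = """\
$TTL 300
@ IN SOA localhost. root.localhost. ( 1 3600 600 86400 300 )
@ IN NS localhost.
0351dag.com        IN A     192.168.1.200
*.0351dag.com      IN A     192.168.1.200
evil.example       IN CNAME .
good.example       IN CNAME rpz-passthru.
"""

# Constructed tcpdump -n output seen on the RPZ server (same format as the thread's capture).
CAPTURE = """\
18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A? 0351dag.com. (29)
18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074 NXDomain 0/1/0 (102)
18:59:27.001000 IP 192.168.1.120.65050 > 192.168.1.42.53: 42075+ A? www.0351dag.com. (33)
18:59:27.001200 IP 192.168.1.42.53 > 192.168.1.120.65050: 42075 1/0/0 A 192.168.1.200 (49)
18:59:28.100000 IP 192.168.1.120.65051 > 192.168.1.42.53: 42076+ A? evil.example. (30)
18:59:28.100300 IP 192.168.1.42.53 > 192.168.1.120.65051: 42076 NXDomain 0/1/0 (103)
18:59:29.200000 IP 192.168.1.120.65052 > 192.168.1.42.53: 42077+ A? unrelated.example. (35)
18:59:29.200400 IP 192.168.1.42.53 > 192.168.1.120.65052: 42077 1/0/0 A 198.51.100.10 (51)
"""

_ZONE_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA|CNAME)\s+(\S+)\s*$", re.I)
_QUERY = re.compile(r" IP (\S+) > (\S+): (\d+)[+%$|^]* (?:\[\S+\] )?A\? (\S+) \(\d+\)$")
_RESP = re.compile(
    r" IP (\S+) > (\S+): (\d+)(\*?)(?: (NXDomain|ServFail|Refused|NotImp|FormErr))?"
    r" (\d+)/\d+/\d+(?: (.*?))? \(\d+\)$"
)


def parse_rpz_zone(text: str) -> Dict[str, Rule]:
    """Map owner names (lower-cased, no trailing dot) to their policy record."""
    rules: Dict[str, Rule] = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()       # drop zone-file comments
        if not line or line.startswith(("$", "@")):  # directives, SOA, NS
            continue
        m = _ZONE_LINE.match(line)
        if m:
            rules[m.group(1).lower().rstrip(".")] = (m.group(2).upper(), m.group(3))
    return rules


def rpz_expected(rules: Dict[str, Rule], qname: str) -> Optional[str]:
    """What the policy should answer for qname, or None when no QNAME rule matches."""
    name = qname.lower().rstrip(".")
    rule = rules.get(name)                    # exact owner wins over wildcards
    if rule is None:
        labels = name.split(".")
        for i in range(1, len(labels)):       # then *.parent for each ancestor
            rule = rules.get("*." + ".".join(labels[i:]))
            if rule is not None:
                break
    if rule is None:
        return None
    rtype, rdata = rule
    if rtype == "CNAME":                      # RPZ special-action encodings
        special = {".": "NXDOMAIN", "*.": "NODATA",
                   "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}
        return special.get(rdata.lower(), f"CNAME {rdata}")
    return f"{rtype} {rdata}"                 # walled-garden address


def parse_capture(text: str) -> List[Tuple[str, str]]:
    """Pair tcpdump query lines with their responses; return (qname, observed answer)."""
    pending: Dict[Tuple[str, str], str] = {}
    pairs: List[Tuple[str, str]] = []
    for line in text.splitlines():
        q = _QUERY.search(line)
        if q:
            client, _server, qid, qname = q.groups()
            pending[(client, qid)] = qname.rstrip(".").lower()
            continue
        r = _RESP.search(line)
        if r:
            _server, client, qid, _aa, rcode, ancount, answers = r.groups()
            qname = pending.pop((client, qid), None)
            if qname is None:
                continue                      # response without a captured query
            if rcode:
                observed = rcode.upper()
            elif int(ancount) == 0:
                observed = "NODATA"
            else:
                observed = (answers or "").split(",")[0].strip()  # first RR only
            pairs.append((qname, observed))
    return pairs


def audit(zone_text: str, capture_text: str) -> List[Tuple[str, str, str]]:
    """Return (name, expected, observed) for every policed name that was not rewritten."""
    rules = parse_rpz_zone(zone_text)
    findings = []
    for qname, observed in parse_capture(capture_text):
        expected = rpz_expected(rules, qname)
        if expected is None or expected == "PASSTHRU":
            continue                          # not policed, or explicitly whitelisted
        if observed != expected:
            findings.append((qname, expected, observed))
    return findings


if __name__ == "__main__":
    for name, expected, observed in audit(RPZ_ZONE, CAPTURE):
        print(f"{name}: RPZ should answer {expected}, capture shows {observed}")
```

Run against a real capture (`tcpdump -n -i eth0 port 53` on the RPZ host, piped to a file) and the actual RPZ zone, the output is exactly the list of names that reached the RPZ server but were not rewritten, which separates "the Windows forwarder never sent it here" (no query line at all) from "BIND answered NXDOMAIN itself" (query present, answer wrong). Only QNAME triggers are modelled; IP, NSDNAME and NSIP triggers are out of scope for this check.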