Saurabh: Not getting the answer with AAAA record. Error FORMERR resolving 'gim8.pl/AAAA/IN comes.
cathya at isc.org
Mon Jun 4 08:10:02 UTC 2018
On 22/05/2018 15:58, Tony Finch wrote:
> Saurabh Srivastava <jp.saurabh at gmail.com> wrote:
>> I have faced an issue on my RPZ Server.
>> I have added the A record Entry & AAAA record entry for some domains.
>> The RPZ Policy is running fine.
>> But the werired response that i am getting with few domains are that when I
>> have quered the A record for that domain, the answer is OK.
>> When I have quered for AAAA record, it is not given the answer.
>> May 22 17:24:13 RPZ named: FORMERR resolving 'gim8.pl/AAAA/IN': 220.127.116.11#53
> RPZ is a bit weird because it performs the query as usual, then applies
> its rewrite rules. In this case, the original query fails, so there isn't
> an AAAA in the answer to rewrite.
> You can set the `qname-wait-recurse` option, so that RPZ will skip
> recursion when it is able to rewrite a response based only on the query.
> You might also want to set `break-dnssec` to make it ignore the DO bit.
> If you are using `qname-wait-recurse`, you need to be careful about the
> order of the policy zones listed in your RPZ clause so that it works as
> expected: you should keep qname and client-ip triggers in separate zones,
> and list those zones first - other RPZ rewrite rules force recursion to
> The manual says the reason for this weird behaviour is: "not resolving the
> requested name can leak the fact that response policy rewriting is in use
> and that the name is listed in a policy zone to operators of servers for
> listed names." If you are worried about that, it implies that (sadly) you
> have an adversarial relationship with your users, since they are the only
> people who can observe this information leak.
> In my opinion your users should be able to trust you, so you should be
> up-front about DNS rewriting, and you should explain to your users clearly
> what your rewrite policy is. And if you have documented your policy,
> there's no information leak because the information is in the documentation.
My understanding of why RPZ by default queries for names that it's going
to rewrite anyway, is that the lack of regular queries to the
authoritative servers alerts the zone owners (who we assume are
malicious or similar) to the fact that their zone is being blocked and
queries for it are being rewritten - thus encouraging them to move
sooner rather than later to a new name/zone.
More information about the bind-users