MX, SPF and RPZ Re: DNS domain Pointing to a DSL U/verse host

m3047 m3047 at m3047.net
Fri Aug 16 17:23:49 UTC 2019


Hi Eduardo.

On Thu, 15 Aug 2019, Eduardo Bonsi wrote:
> First, thank you for taking the time to layout your views and suggestion!

;-)

>> NOTE: This is a perfect use case for off-label use of RPZ: you could
>> define your PTR record in an RPZ and you wouldn't need to take over the 
>> whole zone.
>
> Thank you for this suggestion! It would be great to have some examples, 
> if it is not too much to ask already!

Sure. 8-) Do you have waldo in your domain?

# dig waldo.bonsi.org

; <<>> DiG 9.8.3-P1 <<>> waldo.bonsi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10359
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;waldo.bonsi.org.		IN	A

;; AUTHORITY SECTION:
bonsi.org.		300	IN	SOA	ns-cloud-b1.googledomains.com. cloud-dns-hostmaster.google.com. 56 21600 3600 259200 300

;; Query time: 540 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Fri Aug 16 09:52:54 2019
;; MSG SIZE  rcvd: 129

Let's fix that:

# net-dns.pl add white waldo.bonsi.org A 10.9.8.7

(That's a script which dynamically updates the zone whitelist.m3047.net, a 
local vanity domain.)

# dig waldo.bonsi.org.whitelist.m3047.net

; <<>> DiG 9.8.3-P1 <<>> waldo.bonsi.org.whitelist.m3047.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42402
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;waldo.bonsi.org.whitelist.m3047.net. IN	A

;; ANSWER SECTION:
WALDO.BONSI.ORG.whitelist.m3047.net. 600 IN A	10.9.8.7

;; Query time: 7 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Fri Aug 16 09:55:41 2019
;; MSG SIZE  rcvd: 104

Let's make sure I didn't break your zone:

# dig www.bonsi.org

; <<>> DiG 9.8.3-P1 <<>> www.bonsi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42111
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.bonsi.org.			IN	A

;; ANSWER SECTION:
www.bonsi.org.		21600	IN	A	162.201.66.177

;; Query time: 126 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Fri Aug 16 09:56:49 2019
;; MSG SIZE  rcvd: 47

Looks good. Where's waldo?

# dig waldo.bonsi.org

; <<>> DiG 9.8.3-P1 <<>> waldo.bonsi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16655
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;waldo.bonsi.org.		IN	A

;; ANSWER SECTION:
WALDO.BONSI.ORG.	5	IN	A	10.9.8.7

;; ADDITIONAL SECTION:
whitelist.m3047.net.	1	IN	SOA	DEV.NULL. M3047.M3047.NET. 364 600 60 86400 600

;; Query time: 7 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Fri Aug 16 09:57:26 2019
;; MSG SIZE  rcvd: 142

You'll notice that the authority comes from whitelist.m3047.net, and that 
I didn't have to take over your entire zone in order to rewrite that 
particular FQDN. This does break DNSSEC.

How does this hang together in the BIND config?

# cat /etc/named.conf
...
options {
      ...
      // RPZs
      response-policy {
          zone "whitelist.m3047.net";
          zone "rpz1.m3047.net";
      };
      ...
};
...
zone "whitelist.m3047.net" {
      type master;
      check-names ignore;
      file "whitelist.m3047.net";
};
...

# rndc freeze whitelist.m3047.net
# rndc thaw whitelist.m3047.net
# cat whitelist.m3047.net
$ORIGIN .
$TTL 900	; 15 minutes
whitelist.m3047.net	IN SOA	DEV.NULL. M3047.M3047.NET. (
				364        ; serial
				600        ; refresh (10 minutes)
				60         ; retry (1 minute)
				86400      ; expire (1 day)
				600        ; minimum (10 minutes)
				)
			NS	LOCALHOST.
...
$ORIGIN AP.ORG.whitelist.m3047.net.
*			CNAME	rpz-passthru.
$ORIGIN ORG.whitelist.m3047.net.
WALDO.BONSI		A	10.9.8.7
$ORIGIN CONSUMERREPORTSCDN.ORG.whitelist.m3047.net.
*			CNAME	rpz-passthru.
...

(RPZs have special semantics for actions like passthrough and NXDOMAIN.)

>> Fundamentally, you're not authoritative for the zone:
>
> I am totally aware about that! It would be simpler if I just went 
> ahead and ordered some static IPs from AT&T ... that would cost me an 
> arm and a leg, but I'd be done with it! Then, "probably" I would not be 
> here asking this question at all.

We are referring to the in-addr.arpa zone, just to be clear. There is a 
reverse for it, it's just provided by SW Bell. It's not pointing to an 
FQDN within your zone (bonsi.org). That could be seen as "spammy", but a 
lot of people outsource email these days. (It would be interesting to know 
just how "spammy" that is as a feature in reality and in perception.) Some 
people view anything with a reverse like that as "customer prem" and 
therefore spammy. Regardless, they provide a forward that matches the 
reverse:

# dig 162-201-66-177.lightspeed.sntcca.sbcglobal.net +short
162.201.66.177

Having an MTA for your zone which announces its name as something 
different from what it reverses to is widely considered spammy. You do 
control the domain bonsi.org however, and I don't see why you can't name 
162-201-66-177.lightspeed.sntcca.sbcglobal.net as your MX. Define SPF for 
good measure. If you've got the host named something else, you may have to 
take special measures configuring the MTA software so that it uses the 
sbcglobal.net FQDN in the headers it generates.

> Yes, I am aware about that too! Even though I am not authoritative 
> according to the BIND rules, I do have authoritative control of the 
> zone bonsi.org at the registrar GoogleDomains.com.

bonsi.org is (ultimately) delegated from .org. 177.66.201.162.in-addr.arpa 
is delegated from .arpa. There is no explicit control between the two. An 
organization might be delegated control over the reverse for a block of 
addresses it is pointing into or it might not. According to whois:

66.201.162.in-addr.arpa: not delegated
201.162.in-addr.arpa: SBC Global / SW Bell
162.in-addr.arpa: ARIN

Google has no control at any level of the delegation chain.

> The only one with authority to reverse that IP is AT&T and as I mentioned 
> before, AT&T is not going to do that unless I pay them the extra, extra 
> bucks for static IPs.
> [...]
> I am aware of that! I could just ask AT&T to reverse the domain. I am 
> only running a caching nameserver locally, (No recursion) and for that 
> I am only authoritative for the internal zones. Here, I can do that 
> without having to request anybody ... :)
>
> [server:~] root# dig @127.0.0.1 -x 192.168.1.3
>
> ; <<>> DiG 9.10.6 <<>> @127.0.0.1 -x 192.168.1.3
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48149
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;3.1.168.192.in-addr.arpa.	IN	PTR
>
> ;; ANSWER SECTION:
> 3.1.168.192.in-addr.arpa. 3600	IN	PTR	bonsi.org.
>
> ;; AUTHORITY SECTION:
> 1.168.192.in-addr.arpa.	3600	IN	NS	ns1.bonsi.org.
> 1.168.192.in-addr.arpa.	3600	IN	NS	ns3.bonsi.org.
> 1.168.192.in-addr.arpa.	3600	IN	NS	ns2.bonsi.org.
>
> ;; ADDITIONAL SECTION:
> ns1.bonsi.org.		3600	IN	A	192.168.1.21
> ns2.bonsi.org.		3600	IN	A	192.168.1.31
> ns3.bonsi.org.		3600	IN	A	192.168.1.41
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Aug 15 14:27:33 PDT 2019
> ;; MSG SIZE  rcvd: 178

Yup.

--

Fred
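The following is a small Python model of the RPZ behaviour Fred's walkthrough relies on (override one FQDN from a policy zone, a passthru wildcard in an earlier zone shielding names from a later blocklist zone, and the special CNAME targets for NXDOMAIN/NODATA/passthru/drop). It is an added example and is neither BIND's code nor Fred's net-dns.pl script: it implements only QNAME triggers with first-matching-zone-wins, not IP/NSDNAME/NSIP triggers or the response-policy `policy` override. The waldo.bonsi.org and *.ap.org entries are taken from the zone file above; the contents of rpz1.m3047.net are not shown in the post, so the bad.example and *.ap.org blocklist entries are invented for the demonstration.

```python
"""Toy model of BIND response-policy (RPZ) QNAME-trigger matching.

Added example, not BIND's code. Simplified: QNAME triggers only, zones
consulted in configured order, first zone with a matching trigger decides.
"""
from typing import Dict, List, Optional, Tuple

# Special CNAME targets defined by RPZ (these are the real conventions).
PASSTHRU = "rpz-passthru."   # exempt the name from policy, answer normally
DROP = "rpz-drop."           # silently discard the query
NXDOMAIN = "."               # CNAME .  => answer NXDOMAIN
NODATA = "*."                # CNAME *. => answer NOERROR with no records

# Policy zone contents: owner name relative to the zone apex -> (rtype, rdata).
RpzZone = Dict[str, Tuple[str, str]]


def _norm(name: str) -> str:
    """Lower-case and drop the trailing dot; DNS names compare case-insensitively."""
    return name.lower().rstrip(".")


def add_trigger(zone: RpzZone, fqdn: str, rtype: str, rdata: str) -> str:
    """Install a QNAME trigger. The owner inside the policy zone is simply the
    target FQDN (or '*.<suffix>' for a wildcard), which is what the post's zone
    file expresses as WALDO.BONSI under $ORIGIN ORG.whitelist.m3047.net."""
    key = _norm(fqdn)
    zone[key] = (rtype.upper(), rdata)
    return key


def rpz_lookup(zone: RpzZone, qname: str) -> Optional[Tuple[str, Tuple[str, str]]]:
    """Best QNAME trigger in one zone: exact owner first, then the longest
    matching wildcard. '*.ap.org' covers news.ap.org but not ap.org itself."""
    q = _norm(qname)
    if q in zone:
        return q, zone[q]
    labels = q.split(".")
    for i in range(1, len(labels)):
        wc = "*." + ".".join(labels[i:])
        if wc in zone:
            return wc, zone[wc]
    return None


def rpz_policy(zones: List[Tuple[str, RpzZone]], qname: str,
               upstream: Optional[str]) -> dict:
    """Walk the policy zones in configured order; the first zone holding a
    matching trigger decides, so a passthru in an earlier 'whitelist' zone
    shields a name from a later blocklist zone. `upstream` is the answer
    recursion would otherwise return (None meaning NXDOMAIN). The returned
    'policy' names the trigger that fired, mirroring the policy-zone SOA BIND
    places in the additional section of a rewritten response."""
    unchanged = {"status": "NOERROR" if upstream is not None else "NXDOMAIN",
                 "answer": upstream, "policy": None}
    for apex, zone in zones:
        hit = rpz_lookup(zone, qname)
        if hit is None:
            continue
        owner, (rtype, rdata) = hit
        policy = f"{owner}.{_norm(apex)}"
        if rtype == "CNAME":
            target = rdata.lower()
            if target == PASSTHRU:
                return unchanged
            if target == DROP:
                return {"status": "DROP", "answer": None, "policy": policy}
            if target == NXDOMAIN:
                return {"status": "NXDOMAIN", "answer": None, "policy": policy}
            if target == NODATA:
                return {"status": "NOERROR", "answer": None, "policy": policy}
        # Anything else is local data: the policy record replaces the answer.
        return {"status": "NOERROR", "answer": f"{rtype} {rdata}", "policy": policy}
    return unchanged


def build_zones_from_post() -> List[Tuple[str, RpzZone]]:
    """Zones in the order of the post's response-policy statement."""
    whitelist: RpzZone = {}
    add_trigger(whitelist, "waldo.bonsi.org", "A", "10.9.8.7")   # from the post
    add_trigger(whitelist, "*.ap.org", "CNAME", PASSTHRU)         # from the post
    rpz1: RpzZone = {}
    add_trigger(rpz1, "*.ap.org", "CNAME", NXDOMAIN)      # assumed blocklist entry
    add_trigger(rpz1, "bad.example", "CNAME", NXDOMAIN)   # assumed blocklist entry
    return [("whitelist.m3047.net", whitelist), ("rpz1.m3047.net", rpz1)]


if __name__ == "__main__":
    zones = build_zones_from_post()
    for q, up in [("waldo.bonsi.org", None), ("www.bonsi.org", "A 162.201.66.177"),
                  ("news.ap.org", "A 192.0.2.1"), ("bad.example", "A 203.0.113.5")]:
        print(q, "->", rpz_policy(zones, q, up))
```

The order of the zones in `response-policy` is the whole point of the whitelist-first layout: news.ap.org matches the passthru wildcard in whitelist.m3047.net before rpz1.m3047.net is ever consulted, while www.bonsi.org matches nothing and keeps its recursive answer, which is why Fred's "make sure I didn't break your zone" check passes. Keep in mind his caveat that a rewritten answer no longer validates under DNSSEC.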

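The MX/SPF advice in the message (announce the name your address reverses to, name that FQDN as the MX, publish SPF) can be exercised with the following check, added here as an illustration rather than taken from the post. It runs against a constructed, offline snapshot of records: the 162.201.66.177 / 162-201-66-177.lightspeed.sntcca.sbcglobal.net forward-and-reverse pair and www.bonsi.org come from the post, while mail.bonsi.org is an assumed hostname used to show the mismatch case. The checks mirror what receiving MTAs commonly do (forward-confirmed reverse DNS plus HELO/MX agreement), not any particular MTA's code.

```python
"""Forward-confirmed reverse DNS (FCrDNS) and HELO/MX consistency check.

Added example, not from the mailing-list post. Records are a constructed
offline snapshot; no network access is performed.
"""
import ipaddress
from typing import Dict, List

# Constructed snapshot. The sbcglobal.net pair and www.bonsi.org appear in the
# post; mail.bonsi.org is assumed to demonstrate the inconsistent setup.
RECORDS: Dict[str, Dict[str, List[str]]] = {
    "162-201-66-177.lightspeed.sntcca.sbcglobal.net.": {"A": ["162.201.66.177"]},
    "177.66.201.162.in-addr.arpa.": {
        "PTR": ["162-201-66-177.lightspeed.sntcca.sbcglobal.net."]},
    "www.bonsi.org.": {"A": ["162.201.66.177"]},
    "mail.bonsi.org.": {"A": ["162.201.66.177"]},  # assumed
}


def fqdn(name: str) -> str:
    """Canonical form: lower-case with one trailing dot."""
    return name.lower().rstrip(".") + "."


def lookup(name: str, rtype: str, records=RECORDS) -> List[str]:
    return records.get(fqdn(name), {}).get(rtype, [])


def reverse_name(ip: str) -> str:
    """'162.201.66.177' -> '177.66.201.162.in-addr.arpa.' (IPv6 -> ip6.arpa.)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip: str, records=RECORDS) -> List[str]:
    """PTR names of ip whose forward A/AAAA contains ip (forward-confirmed)."""
    rtype = "AAAA" if ipaddress.ip_address(ip).version == 6 else "A"
    return [ptr for ptr in lookup(reverse_name(ip), "PTR", records)
            if ip in lookup(ptr, rtype, records)]


def check_mta(ip: str, helo_name: str, mx_names: List[str],
              records=RECORDS) -> List[str]:
    """Findings a receiving MTA might raise for a sender at ip that announces
    helo_name and is published as one of mx_names. Empty list means consistent."""
    findings = []
    confirmed = fcrdns(ip, records)
    if not confirmed:
        findings.append(f"{ip}: PTR does not forward-confirm")
    helo = fqdn(helo_name)
    if ip not in lookup(helo, "A", records):
        findings.append(f"HELO {helo} does not resolve to {ip}")
    if helo not in confirmed:
        findings.append(f"HELO {helo} differs from PTR {confirmed or 'none'}")
    if not any(fqdn(mx) in confirmed for mx in mx_names):
        findings.append(f"no MX of {mx_names} matches PTR {confirmed or 'none'}")
    return findings


def spf_record(ips: List[str], include_mx: bool = True) -> str:
    """TXT rdata for a v=spf1 policy authorising ips (and the MX hosts) only."""
    terms = ["v=spf1"] + (["mx"] if include_mx else [])
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        terms.append(("ip4:" if addr.version == 4 else "ip6:") + str(addr))
    terms.append("-all")
    return " ".join(terms)


if __name__ == "__main__":
    ip = "162.201.66.177"
    isp_name = "162-201-66-177.lightspeed.sntcca.sbcglobal.net"
    print("inconsistent:", check_mta(ip, "mail.bonsi.org", ["mail.bonsi.org"]))
    print("consistent:  ", check_mta(ip, isp_name, [isp_name]))
    print("SPF for bonsi.org:", spf_record([ip]))
```

With the MX and HELO set to the sbcglobal.net name the check comes back clean even though bonsi.org has no control over the in-addr.arpa delegation, which is exactly the point of the advice; naming mail.bonsi.org instead produces the PTR-mismatch findings.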
