RPZ and forward zone trouble

Lee ler762 at gmail.com
Mon Mar 25 21:37:45 UTC 2019


On 3/25/19, Miguel Mucio Santos Moreira wrote:
>
> Hello everybody!

Hi!

> I have a problem with DNS-RPZ and forward zone working together.
> I've created a rpz zone with the following trigger on my recursive DNS
> Server:
> 18.0.0.198.200.rpz-nsip IN CNAME rpz-passthru.

Which means anybody can answer with a 200.198.0.0/18 address and it
will be accepted... probably not what you want.

> It means any query response coming from a DNS Server whose IP address
> matches any IP address in the entire CIDR block 200.198.0.0/18 will be
> answered with rpz-passthru.
> It works perfectly for any domain hosted in my Authoritative DNS Servers.
> But when I apply on my recursive RPZ DNS Server a forward zone for those
> domains hosted on my Authoritative DNS Servers the problems appear and it is
> very weird.
>
> I have a mg.gov.br domain

I'd go with

mg.gov.br  IN CNAME  rpz-passthru.
  -- it's your domain so hopefully you can trust whatever answers it gives
18.0.0.198.200.rpz-nsip IN CNAME  .
  -- nobody else gets to answer with your address space

Regards,
Lee

> and its NS Servers are zeus.prodemge.gov.br
> (200.198.5.13), titanio.prodemge.gov.br (200.198.5.5), tupan.prodemge.gov.br
> (200.198.4.4) and jupiter.prodemge.gov.br (200.198.5.2).
> If I perform a dig at my workstation using Recursive DNS with RPZ looking
> for any record in the mg.gov.br domain, the rpz-passthru policy is not applied;
> however, if I perform a dig looking for any record in the prodemge.gov.br domain
> and after that I perform the same dig as before, it works properly.
>
>
> Note: Recursive DNS Servers and Authoritative DNS Servers are not the same.
>
> As a workaround solution I applied 4 rpz-nsdname triggers above the one
> mentioned at the beginning of this email, with my authoritative name servers and the
> rpz-passthru policy.
> titanio.prodemge.gov.br.rpz-nsdname IN CNAME rpz-passthru.
> jupiter.prodemge.gov.br.rpz-nsdname IN CNAME rpz-passthru.
> tupan.prodemge.gov.br.rpz-nsdname IN CNAME rpz-passthru.
> zeus.prodemge.gov.br.rpz-nsdname IN CNAME rpz-passthru.
>
> I would like to understand why it didn't work without the workaround solution;
> does anyone have any idea about it?
>
> Thanks in advance
> --
>
> Miguel Moreira
> Manager
> DPR/SRE/GSR - Network Services Management
> +55(31)3339-1401
> PRODEMGE - Companhia de Tecnologia da Informação do Estado de Minas Gerais
>
>
> Notice: This message is intended exclusively for the person(s) to whom it is
> addressed and may contain confidential and legally protected information. Improper
> use will be handled according to company rules and the legislation in
> force. If you are not the intended recipient, please notify the sender; use,
> disclosure, copying and distribution are prohibited.
>

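To make the nsip trigger discussed above concrete, here is an added example (not code from the thread or from BIND) that encodes and decodes the reversed-octet `<prefixlen>.<B4>.<B3>.<B2>.<B1>.rpz-nsip` owner name, checks which of the four authoritative addresses the /18 covers, and applies the reply's suggested two-line policy. It assumes RPZ checks QNAME triggers before NSIP triggers and that an exact QNAME trigger does not match subdomains; the rule set and addresses are constructed from the thread.

```python
"""Decode and check BIND RPZ IPv4 address triggers (rpz-ip / rpz-nsip / rpz-client-ip).

Owner-name layout: <prefixlen>.<B4>.<B3>.<B2>.<B1>.<trigger>, octets reversed,
so 18.0.0.198.200.rpz-nsip denotes 200.198.0.0/18. Added example, not from the thread.
"""
import ipaddress

ADDRESS_TRIGGERS = ("rpz-ip", "rpz-nsip", "rpz-client-ip")


def encode_trigger(cidr: str, kind: str = "rpz-nsip") -> str:
    """Build the owner name for an IPv4 network: 200.198.0.0/18 -> 18.0.0.198.200.rpz-nsip."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    reversed_octets = str(net.network_address).split(".")[::-1]
    return f"{net.prefixlen}.{'.'.join(reversed_octets)}.{kind}"


def decode_trigger(owner: str) -> tuple:
    """Parse an address-trigger owner name back into (IPv4Network, trigger kind)."""
    labels = owner.rstrip(".").split(".")
    if len(labels) != 6 or labels[5] not in ADDRESS_TRIGGERS:
        raise ValueError(f"not an IPv4 address trigger: {owner}")
    address = ".".join(labels[1:5][::-1])          # undo the octet reversal
    return ipaddress.IPv4Network(f"{address}/{labels[0]}", strict=True), labels[5]


def servers_covered(owner: str, server_ips) -> list:
    """Which of the given name-server addresses would fire this nsip trigger?"""
    net, _ = decode_trigger(owner)
    return sorted(ip for ip in server_ips if ipaddress.IPv4Address(ip) in net)


def policy_action(qname: str, answering_ns_ip: str, rules: dict) -> str:
    """Apply a tiny rule set; actions are 'rpz-passthru.' or '.' (NXDOMAIN)."""
    qname = qname.rstrip(".")
    # QNAME triggers are evaluated before NSIP triggers (RPZ trigger order, assumed
    # here); an exact-name trigger matches only that name, not its subdomains.
    for owner, action in rules.items():
        if not owner.endswith(ADDRESS_TRIGGERS) and owner.rstrip(".") == qname:
            return action
    for owner, action in rules.items():
        if owner.endswith("rpz-nsip") and servers_covered(owner, [answering_ns_ip]):
            return action
    return "no-match"


# Constructed rule set following the reply: trust the domain by name, and turn
# the /18 nsip trigger into NXDOMAIN (CNAME .) so nobody else answers from that space.
SUGGESTED_RULES = {
    "mg.gov.br": "rpz-passthru.",
    encode_trigger("200.198.0.0/18"): ".",
}
```

Because the QNAME trigger is exact, `www.mg.gov.br` answered from 200.198.5.13 would still hit the nsip NXDOMAIN rule; a `*.mg.gov.br` passthru line is needed to cover subdomains.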