Internal CNAME in RPZ

Andrey Geyn andgein at yandex-team.ru
Wed Oct 23 17:21:08 UTC 2019


Hi, Fred!

Thanks for your reply and tests.
The questions you ask are my questions too, just asked more professionally. Thanks for it :)

Okay, let's use only the variant with the trailing dot, thank you for the clarification.

I don't understand why your tests for "cname.example.com" and "cname.test.m3047.net" differ
(the first one returns only
CNAME.EXAMPLE.COM.	5	IN	CNAME	TEST.EXAMPLE.COM.
while the second one returns two RRs:
CNAME.TEST.M3047.NET.	5	IN	CNAME	ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET.	7200	IN	A	209.221.140.128)

In my test (I have BIND 9.11.3-1ubuntu1.9-Ubuntu) I have the following named.conf:
"""
options {
        response-policy {zone "rpz"; };
};
zone "rpz" {
        type master;
        file "/etc/bind/rpz.zone";
};
"""

And rpz.zone:
"""
$TTL 1H
@                  SOA LOCALHOST. named-mgr.example.com. (1 1h 15m 30d 2h)
                   NS  LOCALHOST.

cname.domain.com        CNAME   test.domain.com.
test.domain.com         A       10.10.10.10
"""

So I run "dig cname.domain.com @127.0.0.1" and the result is
"""
...
;; QUESTION SECTION:
;cname.domain.com.              IN      A

;; ANSWER SECTION:
cname.domain.com.       5       IN      CNAME   test.domain.com.
test.domain.com.        599     IN      A       66.96.162.92

;; AUTHORITY SECTION:
.                       5211    IN      NS      c.root-servers.net.
.                       5211    IN      NS      e.root-servers.net.
.                       5211    IN      NS      k.root-servers.net.
.                       5211    IN      NS      l.root-servers.net.
.                       5211    IN      NS      g.root-servers.net.
.                       5211    IN      NS      d.root-servers.net.
.                       5211    IN      NS      i.root-servers.net.
.                       5211    IN      NS      a.root-servers.net.
.                       5211    IN      NS      b.root-servers.net.
.                       5211    IN      NS      m.root-servers.net.
.                       5211    IN      NS      f.root-servers.net.
.                       5211    IN      NS      h.root-servers.net.
.                       5211    IN      NS      j.root-servers.net.
...
"""

(as for you in the second test).

And yes, resolving via RPZ suffix is working as well:

# dig cname.domain.com.rpz @127.0.0.1

; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> cname.domain.com.rpz @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20714
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 33d9dfa596759fe554fb08f15db08b141f084f760f479882 (good)
;; QUESTION SECTION:
;cname.domain.com.rpz.          IN      A

;; ANSWER SECTION:
cname.domain.com.rpz.   3600    IN      CNAME   test.domain.com.
test.domain.com.        5       IN      A       10.10.10.10

;; AUTHORITY SECTION:
rpz.                    3600    IN      NS      LOCALHOST.



Andrey 


23.10.2019, 21:49, "m3047" <m3047 at m3047.net>:
> Hi, so Andrey,
>
> Your output doesn't reflect what I would expect to see from an
> RPZ-mediated query, but rather what I would expect to see if querying a
> zone, such as the RPZ itself, directly. So I am not sure I understand your
> question.
>
> To the broader ISC community: however, I'm confused by the response I'm
> getting. Oddly enough dig is giving me the unexpected results, and
> (Python) socket.getaddrinfo() does what I expect. It appears that CNAME
> resolution within RPZ is escaping...
>
> On Wed, 23 Oct 2019, Andrey Geyn wrote:
>
>>  Date: Wed, 23 Oct 2019 19:34:39 +0500
>>  From: Andrey Geyn <andgein at yandex-team.ru>
>>  To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
>>  Subject: Internal CNAME in RPZ
>>
>>  Hello, I would like to set up RPZ with CNAME and A. There are two options:
>>
>>  1.
>>  cname.domain.com        CNAME   test.domain.com    (without trailing dot)
>>  test.domain.com         A       10.10.10.10
>
> Trailing dot is needed.
>
>>  2.
>>  cname.domain.com        CNAME   test.domain.com.      (with trailing dot)
>>  test.domain.com         A       10.10.10.10
>
> Yes I believe this to be correct.
>
>>  # dig cname.domain.com @127.0.0.1
>>
>>  cname.domain.com.       5       IN      CNAME   test.domain.com.
>>  test.domain.com.        531     IN      A       66.96.162.92
>
> # net-dns.pl add rpz cname.example.com CNAME test.example.com.
> # net-dns.pl add rpz test.example.com A 10.10.10.10
>
> Here's the answer I didn't expect, from dig:
>
> # dig +short cname.example.com TEST.EXAMPLE.COM.
> # dig +short test.example.com 10.10.10.10
>
> It did not follow the CNAME chain. Here's what I expected, from
> getaddrinfo():
>
> >>> from socket import getaddrinfo
> >>> getaddrinfo('cname.example.com',80)
>
> [(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
> ('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
> <SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]
>
> All the rest of the queries follow. The recursive resolver (at 10.0.0.220)
> is running 9.12.3-p1. I tested with versions of dig up to and including
> 9.12.3-p1
>
> Notice that in the very first test below the AUTHORITY refers to
> icann.org, but the ADDITIONAL (correctly) refers to my RPZ. I repeated
> with a different domain with the rationale that example.com was
> confounding results, and got something similar.
>
> Querying the RPZ directly, e.g. for cname.test.m3047.net.rpz1.m3047.net
> does the reverse, looking up actual.test.m3047.net from the RPZ instead of
> the real world.
>
> --
>
> Fred Morris
>
> --
>
> # dig cname.example.com
>
> ; <<>> DiG 9.8.3-P1 <<>> cname.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40161
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;cname.example.com. IN A
>
> ;; ANSWER SECTION:
> CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM.
>
> ;; AUTHORITY SECTION:
> EXAMPLE.COM. 3600 IN SOA ns.icann.org.
> noc.dns.icann.org. 2019101506 7200 3600 1209600 3600
>
> ;; ADDITIONAL SECTION:
> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
> 260 600 60 86400 600
>
> ;; Query time: 1142 msec
> ;; SERVER: 10.0.0.220#53(10.0.0.220)
> ;; WHEN: Wed Oct 23 09:03:34 2019
> ;; MSG SIZE rcvd: 209
>
> # dig test.example.com
>
> ; <<>> DiG 9.8.3-P1 <<>> test.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28409
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;test.example.com. IN A
>
> ;; ANSWER SECTION:
> TEST.EXAMPLE.COM. 5 IN A 10.10.10.10
>
> ;; AUTHORITY SECTION:
> rpz1.m3047.net. 900 IN NS LOCALHOST.
>
> ;; ADDITIONAL SECTION:
> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
> 260 600 60 86400 600
>
> ;; Query time: 10 msec
> ;; SERVER: 10.0.0.220#53(10.0.0.220)
> ;; WHEN: Wed Oct 23 09:04:38 2019
> ;; MSG SIZE rcvd: 162
>
> # dig cname.example.com.rpz1.m3047.net
>
> ; <<>> DiG 9.8.3-P1 <<>> cname.example.com.rpz1.m3047.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54923
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;cname.example.com.rpz1.m3047.net. IN A
>
> ;; ANSWER SECTION:
> CNAME.EXAMPLE.COM.rpz1.m3047.net. 600 IN CNAME TEST.EXAMPLE.COM.
> TEST.EXAMPLE.COM. 5 IN A 10.10.10.10
>
> ;; AUTHORITY SECTION:
> rpz1.m3047.net. 900 IN NS LOCALHOST.
>
> ;; ADDITIONAL SECTION:
> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
> 260 600 60 86400 600
>
> ;; Query time: 8 msec
> ;; SERVER: 10.0.0.220#53(10.0.0.220)
> ;; WHEN: Wed Oct 23 09:07:46 2019
> ;; MSG SIZE rcvd: 224
>
> Python 3.7.4 (v3.7.4:e09359112e, Jul 8 2019, 14:54:52)
> [Clang 6.0 (clang-600.0.57)] on darwin
> Type "help", "copyright", "credits" or "license" for more information.
> >>> from socket import getaddrinfo
> >>> getaddrinfo('cname.example.com',80)
>
> [(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
> ('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
> <SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]
>
> # net-dns.pl add rpz cname.test.m3047.net CNAME actual.test.m3047.net.
> # net-dns.pl add rpz actual.test.m3047.net A 10.10.10.10
>
> Note that *.m3047.net is wildcarded.
>
> # dig cname.test.m3047.net
>
> ; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23767
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
>
> ;; QUESTION SECTION:
> ;cname.test.m3047.net. IN A
>
> ;; ANSWER SECTION:
> CNAME.TEST.M3047.NET. 5 IN CNAME ACTUAL.TEST.M3047.NET.
> ACTUAL.TEST.M3047.NET. 7200 IN A 209.221.140.128
>
> ;; AUTHORITY SECTION:
> m3047.net. 7200 IN NS dns1.encirca.net.
> m3047.net. 7200 IN NS dns2.encirca.net.
>
> ;; ADDITIONAL SECTION:
> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
> 262 600 60 86400 600
> dns1.encirca.net. 97039 IN A 108.166.170.106
> dns2.encirca.net. 97039 IN A 64.62.200.132
>
> ;; Query time: 178 msec
> ;; SERVER: 10.0.0.220#53(10.0.0.220)
> ;; WHEN: Wed Oct 23 09:25:08 2019
> ;; MSG SIZE rcvd: 249
>
> Python 3.7.4 (v3.7.4:e09359112e, Jul 8 2019, 14:54:52)
> [Clang 6.0 (clang-600.0.57)] on darwin
> Type "help", "copyright", "credits" or "license" for more information.
> >>> from socket import getaddrinfo
> >>> getaddrinfo('cname.test.m3047.net',80)
>
> [(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
> ('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
> <SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]
>
> # dig cname.test.m3047.net.rpz1.m3047.net
>
> ; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net.rpz1.m3047.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61953
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;cname.test.m3047.net.rpz1.m3047.net. IN A
>
> ;; ANSWER SECTION:
> CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN CNAME ACTUAL.TEST.M3047.NET.
> ACTUAL.TEST.M3047.NET. 5 IN A 10.10.10.10
>
> ;; AUTHORITY SECTION:
> rpz1.m3047.net. 900 IN NS LOCALHOST.
>
> ;; ADDITIONAL SECTION:
> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
> 262 600 60 86400 600
>
> ;; Query time: 8 msec
> ;; SERVER: 10.0.0.220#53(10.0.0.220)
> ;; WHEN: Wed Oct 23 09:41:29 2019
> ;; MSG SIZE rcvd: 235
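As an added example that is not part of this thread: a small Python check that walks the CNAME chain in a dig ANSWER SECTION against the records the RPZ is meant to impose and reports the hop at which real-world data replaced policy data. The RPZ_POLICY table and both sample answers are constructed from the rpz.zone and dig outputs quoted above.

```python
from typing import Dict, List, Tuple
# Constructed from the rpz.zone in the thread, keyed by the fully-qualified
# real-world name each policy record applies to (the "rpz." suffix stripped).
RPZ_POLICY: Dict[str, Tuple[str, str]] = {
    "cname.domain.com.": ("CNAME", "test.domain.com."),
    "test.domain.com.": ("A", "10.10.10.10"),
}

# Constructed from the ANSWER SECTION of "dig cname.domain.com @127.0.0.1"
# quoted in the thread: the CNAME came from the RPZ, the A record did not.
ANSWER_ESCAPED = """\
cname.domain.com.       5       IN      CNAME   test.domain.com.
test.domain.com.        599     IN      A       66.96.162.92
"""

# Constructed: the answer one would see if the whole chain were rewritten.
ANSWER_CONTAINED = """\
cname.domain.com.       5       IN      CNAME   test.domain.com.
test.domain.com.        5       IN      A       10.10.10.10
"""

def parse_answer(text: str) -> List[Tuple[str, int, str, str]]:
    """Parse dig ANSWER SECTION lines into (owner, ttl, type, rdata).
    Names are lower-cased: the thread's dig output shows RPZ data in upper case."""
    rrs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue  # skip blank lines, comments and anything not an IN RR
        rrs.append((f[0].lower(), int(f[1]), f[3].upper(), " ".join(f[4:]).lower()))
    return rrs

def audit_chain(qname: str, rrs: List[Tuple[str, int, str, str]],
                policy: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Walk the CNAME chain from qname; label each hop 'rpz' (RR matches the
    policy record), 'escaped' (policy record exists but real-world data came
    back) or 'unpolicied' (no policy record for that owner)."""
    by_owner = {owner: (rtype, rdata) for owner, _, rtype, rdata in rrs}
    report, name, seen = [], qname.lower(), set()
    while name in by_owner and name not in seen:
        seen.add(name)  # guard against a CNAME loop in the answer
        rtype, rdata = by_owner[name]
        expected = policy.get(name)
        status = ("unpolicied" if expected is None
                  else "rpz" if expected == (rtype, rdata) else "escaped")
        report.append((name, rtype, status))
        if rtype != "CNAME":
            break
        name = rdata  # follow the chain to the CNAME target
    return report
```

Running audit_chain("cname.domain.com.", parse_answer(ANSWER_ESCAPED), RPZ_POLICY) labels the CNAME hop 'rpz' and the A hop 'escaped', which is exactly the discrepancy between the dig output and the getaddrinfo() result discussed above.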

