Internal CNAME in RPZ
Andrey Geyn
andgein at yandex-team.ru
Wed Oct 23 17:21:08 UTC 2019
Hi, Fred!
Thanks for your reply and tests.
The questions you ask are my questions too, just asked more professionally. Thanks for it :)
Okay, let's use only the variant with the trailing dot, thank you for the clarification.
I don't understand why your tests for "cname.example.com" and "cname.test.m3047.net" differ
(the first one returns only
CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM.
while the second one returns two RRs:
CNAME.TEST.M3047.NET. 5 IN CNAME ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET. 7200 IN A 209.221.140.128)
In my test (I have BIND 9.11.3-1ubuntu1.9-Ubuntu) I have the following named.conf:
"""
options {
    response-policy { zone "rpz"; };
};
zone "rpz" {
    type master;
    file "/etc/bind/rpz.zone";
};
"""
And rpz.zone:
"""
$TTL 1H
@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
NS LOCALHOST.
cname.domain.com CNAME test.domain.com.
test.domain.com A 10.10.10.10
"""
So I run "dig cname.domain.com @127.0.0.1" and the result is
"""
...
;; QUESTION SECTION:
;cname.domain.com. IN A
;; ANSWER SECTION:
cname.domain.com. 5 IN CNAME test.domain.com.
test.domain.com. 599 IN A 66.96.162.92
;; AUTHORITY SECTION:
. 5211 IN NS c.root-servers.net.
. 5211 IN NS e.root-servers.net.
. 5211 IN NS k.root-servers.net.
. 5211 IN NS l.root-servers.net.
. 5211 IN NS g.root-servers.net.
. 5211 IN NS d.root-servers.net.
. 5211 IN NS i.root-servers.net.
. 5211 IN NS a.root-servers.net.
. 5211 IN NS b.root-servers.net.
. 5211 IN NS m.root-servers.net.
. 5211 IN NS f.root-servers.net.
. 5211 IN NS h.root-servers.net.
. 5211 IN NS j.root-servers.net.
...
"""
(as for you in the second test).
And yes, resolving via the RPZ suffix is working as well:
# dig cname.domain.com.rpz @127.0.0.1
; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> cname.domain.com.rpz @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20714
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 33d9dfa596759fe554fb08f15db08b141f084f760f479882 (good)
;; QUESTION SECTION:
;cname.domain.com.rpz. IN A
;; ANSWER SECTION:
cname.domain.com.rpz. 3600 IN CNAME test.domain.com.
test.domain.com. 5 IN A 10.10.10.10
;; AUTHORITY SECTION:
rpz. 3600 IN NS LOCALHOST.
Andrey
23.10.2019, 21:49, "m3047" <m3047 at m3047.net>:
> Hi, so Andrey,
>
> Your output doesn't reflect what I would expect to see from an
> RPZ-mediated query, but rather what I would expect to see if querying a
> zone, such as the RPZ itself, directly. So I am not sure I understand your
> question.
>
> To the broader ISC community: however, I'm confused by the response I'm
> getting. Oddly enough dig is giving me the unexpected results, and
> (Python) socket.getaddrinfo() does what I expect. It appears that CNAME
> resolution within RPZ is escaping...
>
> On Wed, 23 Oct 2019, Andrey Geyn wrote:
>
>> Date: Wed, 23 Oct 2019 19:34:39 +0500
>> From: Andrey Geyn <andgein at yandex-team.ru>
>> To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
>> Subject: Internal CNAME in RPZ
>>
>> Hello, I would like to set up RPZ with CNAME and A. There are two options:
>>
>> 1.
>> cname.domain.com CNAME test.domain.com (without trailing dot)
>> test.domain.com A 10.10.10.10
>
> Trailing dot is needed.
>
>> 2.
>> cname.domain.com CNAME test.domain.com. (with trailing dot)
>> test.domain.com A 10.10.10.10
>
> Yes I believe this to be correct.
>
>> # dig cname.domain.com @127.0.0.1
>>
>> cname.domain.com. 5 IN CNAME test.domain.com.
>> test.domain.com. 531 IN A 66.96.162.92
>
> # net-dns.pl add rpz cname.example.com CNAME test.example.com.
> # net-dns.pl add rpz test.example.com A 10.10.10.10
>
> Here's the answer I didn't expect, from dig:
>
> # dig +short cname.example.com
> TEST.EXAMPLE.COM.
> # dig +short test.example.com
> 10.10.10.10
>
> It did not follow the CNAME chain. Here's what I expected, from
> getaddrinfo():
>
> >>> from socket import getaddrinfo
> >>> getaddrinfo('cname.example.com',80)
>
> [(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
> ('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
> <SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]
>
> All the rest of the queries follow. The recursive resolver (at 10.0.0.220)
> is running 9.12.3-p1. I tested with versions of dig up to and including
> 9.12.3-p1
>
> Notice that in the very first test below the AUTHORITY refers to
> icann.org, but the ADDITIONAL (correctly) refers to my RPZ. I repeated
> with a different domain with the rationale that example.com was
> confounding results, and got something similar.
>
> Querying the RPZ directly, e.g. for cname.test.m3047.net.rpz1.m3047.net
> does the reverse, looking up actual.test.m3047.net from the RPZ instead of
> the real world.
>
> --
>
> Fred Morris
>
> --
>
> # dig cname.example.com
>
> ; <<>> DiG 9.8.3-P1 <<>> cname.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40161
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;cname.example.com. IN A
>
> ;; ANSWER SECTION:
> CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM.
>
> ;; AUTHORITY SECTION:
> EXAMPLE.COM. 3600 IN SOA ns.icann.org.
> noc.dns.icann.org. 2019101506 7200 3600 1209600 3600
>
> ;; ADDITIONAL SECTION:
> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
> 260 600 60 86400 600
>
> ;; Query time: 1142 msec
> ;; SERVER: 10.0.0.220#53(10.0.0.220)
> ;; WHEN: Wed Oct 23 09:03:34 2019
> ;; MSG SIZE rcvd: 209
>
> # dig test.example.com
>
> ; <<>> DiG 9.8.3-P1 <<>> test.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28409
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;test.example.com. IN A
>
> ;; ANSWER SECTION:
> TEST.EXAMPLE.COM. 5 IN A 10.10.10.10
>
> ;; AUTHORITY SECTION:
> rpz1.m3047.net. 900 IN NS LOCALHOST.
>
> ;; ADDITIONAL SECTION:
> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
> 260 600 60 86400 600
>
> ;; Query time: 10 msec
> ;; SERVER: 10.0.0.220#53(10.0.0.220)
> ;; WHEN: Wed Oct 23 09:04:38 2019
> ;; MSG SIZE rcvd: 162
>
> # dig cname.example.com.rpz1.m3047.net
>
> ; <<>> DiG 9.8.3-P1 <<>> cname.example.com.rpz1.m3047.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54923
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;cname.example.com.rpz1.m3047.net. IN A
>
> ;; ANSWER SECTION:
> CNAME.EXAMPLE.COM.rpz1.m3047.net. 600 IN CNAME TEST.EXAMPLE.COM.
> TEST.EXAMPLE.COM. 5 IN A 10.10.10.10
>
> ;; AUTHORITY SECTION:
> rpz1.m3047.net. 900 IN NS LOCALHOST.
>
> ;; ADDITIONAL SECTION:
> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
> 260 600 60 86400 600
>
> ;; Query time: 8 msec
> ;; SERVER: 10.0.0.220#53(10.0.0.220)
> ;; WHEN: Wed Oct 23 09:07:46 2019
> ;; MSG SIZE rcvd: 224
>
> Python 3.7.4 (v3.7.4:e09359112e, Jul 8 2019, 14:54:52)
> [Clang 6.0 (clang-600.0.57)] on darwin
> Type "help", "copyright", "credits" or "license" for more information.
> >>> from socket import getaddrinfo
> >>> getaddrinfo('cname.example.com',80)
>
> [(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
> ('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
> <SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]
>
> # net-dns.pl add rpz cname.test.m3047.net CNAME actual.test.m3047.net.
> # net-dns.pl add rpz actual.test.m3047.net A 10.10.10.10
>
> Note that *.m3047.net is wildcarded.
>
> # dig cname.test.m3047.net
>
> ; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23767
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
>
> ;; QUESTION SECTION:
> ;cname.test.m3047.net. IN A
>
> ;; ANSWER SECTION:
> CNAME.TEST.M3047.NET. 5 IN CNAME ACTUAL.TEST.M3047.NET.
> ACTUAL.TEST.M3047.NET. 7200 IN A 209.221.140.128
>
> ;; AUTHORITY SECTION:
> m3047.net. 7200 IN NS dns1.encirca.net.
> m3047.net. 7200 IN NS dns2.encirca.net.
>
> ;; ADDITIONAL SECTION:
> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
> 262 600 60 86400 600
> dns1.encirca.net. 97039 IN A 108.166.170.106
> dns2.encirca.net. 97039 IN A 64.62.200.132
>
> ;; Query time: 178 msec
> ;; SERVER: 10.0.0.220#53(10.0.0.220)
> ;; WHEN: Wed Oct 23 09:25:08 2019
> ;; MSG SIZE rcvd: 249
>
> Python 3.7.4 (v3.7.4:e09359112e, Jul 8 2019, 14:54:52)
> [Clang 6.0 (clang-600.0.57)] on darwin
> Type "help", "copyright", "credits" or "license" for more information.
> >>> from socket import getaddrinfo
> >>> getaddrinfo('cname.test.m3047.net',80)
>
> [(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
> ('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
> <SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]
>
> # dig cname.test.m3047.net.rpz1.m3047.net
>
> ; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net.rpz1.m3047.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61953
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;cname.test.m3047.net.rpz1.m3047.net. IN A
>
> ;; ANSWER SECTION:
> CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN CNAME ACTUAL.TEST.M3047.NET.
> ACTUAL.TEST.M3047.NET. 5 IN A 10.10.10.10
>
> ;; AUTHORITY SECTION:
> rpz1.m3047.net. 900 IN NS LOCALHOST.
>
> ;; ADDITIONAL SECTION:
> rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
> 262 600 60 86400 600
>
> ;; Query time: 8 msec
> ;; SERVER: 10.0.0.220#53(10.0.0.220)
> ;; WHEN: Wed Oct 23 09:41:29 2019
> ;; MSG SIZE rcvd: 235
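An added check, not code from either poster: a small linter for an RPZ zone file that reports the two CNAME pitfalls this thread turns on. A target without the trailing dot is made relative to the RPZ origin by named (option 1 in the original question), and a CNAME whose target is itself an RPZ trigger is, as the dig outputs above show, chased outside the policy zone, so the client may get the real-world address rather than the one in the RPZ. It assumes one record per line, no $ORIGIN directives, and that an indented line inherits the previous owner; the sample zone is constructed in the shape of the rpz.zone posted above.

```python
# Constructed sample in the shape of the rpz.zone from this thread, plus one
# record (bad.domain.com) whose CNAME target lacks the trailing dot.
SAMPLE_RPZ = """\
$TTL 1H
@ SOA LOCALHOST. named-mgr.example.com. (1 1h 15m 30d 2h)
    NS LOCALHOST.
cname.domain.com CNAME test.domain.com.
test.domain.com   A     10.10.10.10
bad.domain.com    CNAME test.domain.com   ; no trailing dot: relative name
"""

TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "TXT", "PTR", "MX"}

def qualify(name, origin):
    """Expand a name as named does: '@' is the origin, a trailing dot is absolute."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()

def parse_rpz(text, origin="rpz."):
    """Yield (trigger, rrtype, first rdata token) for each record below the apex.
    Assumes one record per line; an indented line inherits the previous owner."""
    owner = "@"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip() or line.startswith("$"):  # skip blanks, $-directives
            continue
        toks = line.split()
        if not line[0].isspace():
            owner = toks.pop(0)
        while toks and toks[0].upper() not in TYPES:  # skip TTL and class
            toks.pop(0)
        abs_owner = qualify(owner, origin)
        if len(toks) < 2 or abs_owner == origin:      # malformed, or apex SOA/NS
            continue
        yield abs_owner[:-len(origin)], toks[0].upper(), toks[1]

def lint_rpz(text, origin="rpz."):
    """Return (kind, trigger, effective target) for the two CNAME pitfalls."""
    records = list(parse_rpz(text, origin))
    triggers = {trigger for trigger, _, _ in records}
    findings = []
    for trigger, rrtype, rdata in records:
        if rrtype != "CNAME":
            continue
        if not rdata.endswith("."):       # named appends the RPZ origin
            findings.append(("relative-target", trigger, qualify(rdata, origin)))
        elif rdata.lower() in triggers:   # chased outside the RPZ (see thread)
            findings.append(("target-is-trigger", trigger, rdata.lower()))
    return findings
```

Run `lint_rpz(open("/etc/bind/rpz.zone").read())` against a real RPZ file to get the same tuples for your own zone.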