Internal CNAME in RPZ

Bob Harold rharolde at umich.edu
Thu Oct 24 14:53:19 UTC 2019


On Thu, Oct 24, 2019 at 9:20 AM Andrey Geyn <andgein at yandex-team.ru> wrote:

> Hi, Bob, thank you for your response!
>
> What if I want to make the following configuration (as an example):
>
> domain.com    A    10.10.10.10
> *.domain.com  CNAME    domain.com
>
> I don't want to write 10.10.10.10 twice, I want to use the magic of CNAMEs
> here.
>

Sorry, that is not how RPZ was designed to work.
You can make the second one:
      *.domain.com  CNAME    my10.realdomain.com.
Where there is a real domain (not the RPZ domain) with:
       my10.realdomain.com. A  10.10.10.10

Or make them both "A" records.  Or both CNAME.  But one RPZ entry cannot
point to another.
Use scripts to automate the process, if you don't want to enter 10.10.10.10
twice.

p.s.  The decision not to re-lookup the results of RPZ lookups is probably
for speed and to avoid loops.  Trying to patch around that is not a
good idea.

-- 
Bob Harold


>
> > Do you want cname.domain.com to point to 10.10.10.10?  Then use an A
> > record to 10.10.10.10.
> This sentence sounds like «CNAMEs are useless at all» :-). Do you want some
> domain to point to some address? Then use an A record, not CNAME!
>
> Additionally, I already use a patched version of BIND. Maybe it is possible
> to make some patch for allowing this behavior?
>
> Andrey
>
> 24.10.2019, 18:06, "Bob Harold" <rharolde at umich.edu>:
>
>
> On Wed, Oct 23, 2019 at 10:34 AM Andrey Geyn <andgein at yandex-team.ru>
> wrote:
>
> Hello, I would like to set up RPZ with CNAME and A. There are two options:
>
> 1.
> cname.domain.com        CNAME   test.domain.com    (without trailing dot)
> test.domain.com         A       10.10.10.10
>
>
> There is a misunderstanding here.  You would never redirect a domain in
> RPZ to another domain in RPZ.
> Domains in RPZ must always be redirected to a real domain.  You cannot
> point it to the wrong place, and then expect it to be redirected again.  It
> does not work that way.
> Those two RPZ entries are completely separate.
> Do you want cname.domain.com to point to 10.10.10.10?  Then use an A
> record to 10.10.10.10.
> Do you want cname.domain.com to point to some real domain name (probably
> a name you control, like a walled garden, or error page)?  Then CNAME to
> that real name.
>
> --
> Bob Harold
>
>
>
>
> In this case I receive
>
> # dig cname.domain.com @127.0.0.1
> ...
> cname.domain.com.       5       IN      CNAME   test.domain.com.rpz.
> test.domain.com.rpz.    3600    IN      A       10.10.10.10
> ...
>
> So, it looks good, but the RPZ name is visible, which is unwanted for me.
>
> 2.
> cname.domain.com        CNAME   test.domain.com.      (with trailing dot)
> test.domain.com         A       10.10.10.10
>
> In this case I receive
>
>
> # dig cname.domain.com @127.0.0.1
> cname.domain.com.       5       IN      CNAME   test.domain.com.
> test.domain.com.        531     IN      A       66.96.162.92
>
> (66.98.162.92 is the real, «internet» address of test.domain.com)
>
>
> Is it possible to make a configuration for internal CNAMEs in RPZ in which
> the RPZ name will not be visible to the user?
>
> Best regards,
> Andrey Geyn
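The two outcomes in the thread (a relative CNAME target that leaks the RPZ zone name into answers, and an absolute target that matches another RPZ entry and therefore gets the real address) and the advice to script the duplicate A records can be checked mechanically. The following is an added example, not code from the thread or from BIND: it generates the A-record form of the policy for a single IP and lints a set of RPZ entries for CNAME targets that would chain onto the RPZ zone itself. The RPZ zone name `rpz.` and the domain names are assumptions taken from the dig output above.

```python
"""Generate and lint RPZ entries so that no RPZ CNAME points back into RPZ.

Added example (not part of the bind-users thread). Assumes the RPZ zone is
named "rpz." as in the dig output quoted in the thread; owner names are
relative to that origin, rdata is absolute (trailing dot) or relative.
"""

RPZ_ORIGIN = "rpz."  # assumed RPZ zone name; must match the response-policy zone in named.conf


def policy_a_records(names, ip):
    """Emit an A record for each owner and for its wildcard, all to one IP.

    This is the 'enter 10.10.10.10 twice, but let a script do it' approach:
    no CNAME is involved, so nothing depends on RPZ re-evaluating a target.
    """
    records = []
    for name in names:
        records.append((name, "A", ip))
        records.append(("*." + name, "A", ip))
    return records


def check_rpz_entries(records, origin=RPZ_ORIGIN):
    """Return a list of human-readable problems found in RPZ CNAME entries.

    RPZ rewrites the queried name once; it does not apply policy again to the
    CNAME target. Two configurations therefore misbehave:
      * a relative target becomes <target>.<origin>, and the RPZ zone name
        shows up in the client's answer (option 1 in the thread);
      * an absolute target that is itself an RPZ owner is resolved normally,
        so the client gets the real internet address (option 2 in the thread).
    """
    owners = {owner.rstrip(".").lower() for owner, _, _ in records}
    problems = []
    for owner, rdtype, rdata in records:
        if rdtype.upper() != "CNAME":
            continue
        if not rdata.endswith("."):
            problems.append(
                f"{owner}: CNAME target '{rdata}' is relative; it becomes "
                f"'{rdata}.{origin}' and the RPZ name leaks into answers"
            )
            continue
        target = rdata.rstrip(".").lower()
        if target in owners:
            problems.append(
                f"{owner}: CNAME target '{rdata}' is itself an RPZ owner; policy is "
                f"not re-applied to CNAME targets, so the real answer for {rdata} is returned"
            )
    return problems


def zone_lines(records, ttl=5):
    """Render records as zone-file lines (TTL 5 mirrors the RPZ answers above)."""
    return [f"{owner}\t{ttl}\tIN\t{rdtype}\t{rdata}" for owner, rdtype, rdata in records]


if __name__ == "__main__":
    # Constructed sample: the wildcard-to-apex configuration from the thread,
    # written once as chained CNAMEs (flagged) and once as generated A records (clean).
    chained = [("domain.com", "A", "10.10.10.10"), ("*.domain.com", "CNAME", "domain.com")]
    for problem in check_rpz_entries(chained):
        print("PROBLEM:", problem)
    print("\n".join(zone_lines(policy_a_records(["domain.com"], "10.10.10.10"))))
```

A CNAME to a name outside the RPZ zone, such as `my10.realdomain.com.` in the reply, passes the check, because that name is resolved by ordinary recursion and RPZ is not expected to touch it again.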