BIND RPZ is not blocking A record

[Nick Tait]

Remember that when you update a zone you need to increase the serial number (in SOA record) and tell BIND to reload the zone - e.g. run “rndc reload”.

Nick.

> On 15 Nov 2024, at 6:30 PM, Blason R <blason16 at gmail.com> wrote:
> 
> Even I tried that but still no luck
> 
> $TTL 180
> @               IN      SOA     ns1.custom.block. ns1.custom.block.
> ( 2006060301 21600 3600 604800 3600 )
>            IN  NS    ns1.custom.block.
> ns1.custom.block.       IN  A   172.1.254.243
> wg.custom.block.        IN  A   172.1.254.243
> app.hubspot.com        CNAME   .
> 
>> On Fri, Nov 15, 2024 at 7:42 AM Nick Tait via bind-users
>> <bind-users at lists.isc.org> wrote:
>> 
>>> On 14/11/2024 7:48 pm, Blason R wrote:
>>> And here is zone file
>>> 
>>> $TTL 180
>>> @               IN      SOA     ns1.custom.block. ns1.custom.block.
>>> ( 2006060301 21600 3600 604800 3600 )
>>>             IN  NS    ns1.custom.block.
>>> ns1.custom.block.       IN  A   172.1.xx.xx
>>> wg.custom.block.        IN  A   172.1.xx.xx
>>> app.hubspot.com        CNAME   wg.custom.block.
>> 
>> Hi Blason.
>> 
>> If you want app.hubspot.com to return NXDOMAIN response, try changing
>> the CNAME target to "." - i.e.:
>> 
>> app.hubspot.com        CNAME   .
>> 
>> Nick.
>> 
>> --
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>> 
>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>> 
>> 
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users