BIND RPZ is not blocking A record
Lee
ler762 at gmail.com
Fri Nov 15 10:12:59 UTC 2024
On Thu, Nov 14, 2024 at 1:48 AM Blason R wrote:
>
> Hello Team,
>
> I am encountering an unusual problem. I am using BIND version BIND
> 9.18.19-1+ubuntu22.04.1+isc+1-Ubuntu and have configured BIND RPZ. My
> objective is to block access to app.hubspot.com, for which I have
> established a zone.
>
> response-policy {
> zone "custom.block";
> ...
> ..
> }
Try adding
break-dnssec yes
recursive-only no
qname-wait-recurse no;
after the closing }
> zone "custom.block" { type master; file "/var/lib/bind/zones/custom.block.db";};
>
> And here is zone file
>
> $TTL 180
> @ IN SOA ns1.custom.block. ns1.custom.block.
> ( 2006060301 21600 3600 604800 3600 )
I get an error - the left paren needs to be on the SOA line
> IN NS ns1.custom.block.
try it with localhost.
> ns1.custom.block. IN A 172.1.xx.xx
> wg.custom.block. IN A 172.1.xx.xx
> app.hubspot.com CNAME wg.custom.block.
and remove the trailing periods.
$ cat db.custom.block
$TTL 180
@ IN SOA localhost. ns1.custom.block. (
        2006060301 21600 3600 604800 3600 )
   IN NS localhost.
wg.custom.block IN A 172.19.2.3
app.hubspot.com CNAME wg.custom.block
>
> and then I have forwarders set forwarders {
> 1.1.1.1;9.9.9.9;
> };
>
> and unfortunately this setup is not working for only this entry I
> tried capturing a packet and I see the packets are directly being
> forwarded to forwarders not sure why?
Maybe because you're missing "qname-wait-recurse no" on the
response-policy stanza?
Or maybe because something else.. I do too much cargo-culting with bind :(
In any case:
$ dig app.hubspot.com
; <<>> DiG 9.16.50-Debian <<>> app.hubspot.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59928
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
; COOKIE: 06ad2d9bbff3719e0100000067371d9e67f1acf5b18ff038 (good)
;; QUESTION SECTION:
;app.hubspot.com. IN A
;; ANSWER SECTION:
app.hubspot.com. 5 IN CNAME wg.custom.block.custom.block.
wg.custom.block.custom.block. 180 IN A 172.19.2.3
Regards,
Lee
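The reason the trailing periods matter is worth seeing mechanically: inside an RPZ zone, the QNAME trigger is the owner name minus the policy zone's origin, so a relative owner such as app.hubspot.com becomes app.hubspot.com.custom.block. (a trigger), while the absolute app.hubspot.com. lies outside custom.block and is dropped as out-of-zone data. The following is an added illustration, not code from the thread or from BIND: a minimal master-file parser that applies the $ORIGIN rule to both the corrected zone from the reply and a constructed copy of the original trailing-dot zone, then derives the triggers the way named would. The origin custom.block. and the 172.19.2.3 address come from the page; the TRAILING_DOT_ZONE text and the lookup() helper are assumptions made for the example.

```python
"""Show how BIND RPZ derives QNAME triggers from a zone file's owner names.

Constructed example, not code from the bind-users thread: a minimal master-file
parser plus the RPZ naming rule (trigger = owner name minus the policy zone's
origin). Names without a trailing dot are relative to $ORIGIN; absolute names
outside the zone are out-of-zone data and never become triggers.
"""

ORIGIN = "custom.block."  # policy zone named in the response-policy stanza on the page

# Corrected zone from the reply (whitespace before "IN NS" inherits the "@" owner).
CORRECT_ZONE = """\
$TTL 180
@ IN SOA localhost. ns1.custom.block. (
        2006060301 21600 3600 604800 3600 )
   IN NS localhost.
wg.custom.block IN A 172.19.2.3
app.hubspot.com CNAME wg.custom.block
"""

# Constructed copy of the original zone with trailing dots, to reproduce the failure.
TRAILING_DOT_ZONE = """\
$TTL 180
@ IN SOA ns1.custom.block. ns1.custom.block. (
        2006060301 21600 3600 604800 3600 )
   IN NS ns1.custom.block.
ns1.custom.block. IN A 172.19.2.3
wg.custom.block. IN A 172.19.2.3
app.hubspot.com. CNAME wg.custom.block.
"""

CLASSES = {"IN", "CH", "HS"}
NAME_RDATA = {"CNAME": 1, "NS": 1, "PTR": 1, "SOA": 2}  # leading rdata fields that are names

# CNAME targets with a special meaning inside an RPZ zone
RPZ_SPECIAL_TARGETS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
                       "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}


def qualify(name, origin):
    """Absolute names end in '.'; anything else is relative to the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, rtype, rdata)] with every name made absolute.

    Handles $ORIGIN/$TTL, ';' comments, '(...)' continuation lines, numeric TTLs
    and owner inheritance from a line that starts with whitespace."""
    records, logical, depth, prev_owner = [], "", 0, origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip() and depth == 0:
            continue
        logical = line if not logical else f"{logical} {line}"
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue  # still inside parentheses: keep accumulating
        inherit = logical[:1].isspace()
        tokens = logical.replace("(", " ").replace(")", " ").split()
        logical = ""
        if tokens[0].startswith("$"):
            if tokens[0].upper() == "$ORIGIN":
                origin = qualify(tokens[1], origin)
            continue  # $TTL only sets a default TTL; it does not affect names
        if inherit:
            owner, fields = prev_owner, tokens
        else:
            owner, fields = qualify(tokens[0], origin), tokens[1:]
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)  # optional TTL and class, in either order
        rtype, rdata = fields[0].upper(), fields[1:]
        for i in range(NAME_RDATA.get(rtype, 0)):
            rdata[i] = qualify(rdata[i], origin)
        records.append((owner, rtype, rdata))
        prev_owner = owner
    return records


def rpz_policy(text, origin):
    """Map QNAME triggers to actions; return (triggers, ignored out-of-zone owners)."""
    triggers, ignored = {}, []
    suffix = "." + origin
    for owner, rtype, rdata in parse_zone(text, origin):
        if owner == origin:
            continue  # apex SOA/NS are zone housekeeping, not policy triggers
        if not owner.endswith(suffix):
            ignored.append(owner)  # named-checkzone reports these as out-of-zone data
            continue
        trigger = owner[: -len(suffix)]
        if rtype == "CNAME":
            action = RPZ_SPECIAL_TARGETS.get(rdata[0], f"CNAME {rdata[0]}")
        else:
            action = f"{rtype} {' '.join(rdata)}"  # local data: answer with this record
        triggers.setdefault(trigger, []).append(action)
    return triggers, ignored


def lookup(triggers, qname):
    """Simulate the QNAME-trigger match: exact name first, then wildcard parents."""
    qname = qname.rstrip(".")
    if qname in triggers:
        return triggers[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in triggers:
            return triggers[wild]
    return None


if __name__ == "__main__":
    for label, zone in (("corrected", CORRECT_ZONE), ("trailing dots", TRAILING_DOT_ZONE)):
        triggers, ignored = rpz_policy(zone, ORIGIN)
        print(f"{label}: triggers={triggers} ignored={ignored}")
        print(f"  app.hubspot.com -> {lookup(triggers, 'app.hubspot.com')}")
```

With the corrected file the trigger app.hubspot.com exists and rewrites to wg.custom.block.custom.block., which is exactly the CNAME chain the dig output above shows; with trailing dots the only triggers produced are the single labels wg and ns1, and app.hubspot.com. is discarded, so the query falls through to the forwarders untouched. The same check on a real server is `named-checkzone custom.block /var/lib/bind/zones/custom.block.db`, which warns about out-of-zone data before the zone is loaded.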