BIND RPZ is not blocking A record
Blason R
blason16 at gmail.com
Fri Nov 15 13:05:45 UTC 2024
Hmmm - OK, let me try doing that. Thanks for letting me know.
On Fri, Nov 15, 2024 at 3:43 PM Lee <ler762 at gmail.com> wrote:
>
> On Thu, Nov 14, 2024 at 1:48 AM Blason R wrote:
> >
> > Hello Team,
> >
> > I am encountering an unusual problem. I am using BIND version BIND
> > 9.18.19-1+ubuntu22.04.1+isc+1-Ubuntu and have configured BIND RPZ. My
> > objective is to block access to app.hubspot.com, for which I have
> > established a zone.
> >
> > response-policy {
> > zone "custom.block";
> > ...
> > ..
> > }
>
> Try adding
>
> break-dnssec yes;
> recursive-only no;
> qname-wait-recurse no;
>
> after the closing }
>
> > zone "custom.block" { type master; file "/var/lib/bind/zones/custom.block.db";};
> >
> > And here is zone file
> >
> > $TTL 180
> > @ IN SOA ns1.custom.block. ns1.custom.block.
> > ( 2006060301 21600 3600 604800 3600 )
>
> I get an error - the left paren needs to be on the SOA line
>
> > IN NS ns1.custom.block.
>
> try it with localhost.
>
> > ns1.custom.block. IN A 172.1.xx.xx
> > wg.custom.block. IN A 172.1.xx.xx
> > app.hubspot.com CNAME wg.custom.block.
>
> and remove the trailing periods.
>
> $ cat db.custom.block
> $TTL 180
> @ IN SOA localhost. ns1.custom.block. (
> 2006060301 21600 3600 604800 3600 )
> IN NS localhost.
>
> wg.custom.block IN A 172.19.2.3
> app.hubspot.com CNAME wg.custom.block
>
>
> >
> > and then I have forwarders set forwarders {
> > 1.1.1.1;9.9.9.9;
> > };
> >
> > and unfortunately this setup is not working for only this entry. I
> > tried capturing a packet and I see the packets are directly being
> > forwarded to forwarders; not sure why?
>
> Maybe because you're missing "qname-wait-recurse no" on the
> response-policy stanza?
> Or maybe because something else... I do too much cargo-culting with bind :(
>
> In any case:
>
> $ dig app.hubspot.com
>
> ; <<>> DiG 9.16.50-Debian <<>> app.hubspot.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59928
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1432
> ; COOKIE: 06ad2d9bbff3719e0100000067371d9e67f1acf5b18ff038 (good)
> ;; QUESTION SECTION:
> ;app.hubspot.com. IN A
>
> ;; ANSWER SECTION:
> app.hubspot.com. 5 IN CNAME wg.custom.block.custom.block.
> wg.custom.block.custom.block. 180 IN A 172.19.2.3
>
>
> Regards,
> Lee
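The point Lee's fix turns on is the RFC 1035 origin rule for zone files: a name ending in "." is absolute, any other name gets the zone's origin appended, "@" is the origin itself, and a record with a blank owner inherits the previous owner. That is why the dig output above shows `app.hubspot.com.custom.block.` pointing at `wg.custom.block.custom.block.` (the RPZ QNAME trigger form) rather than at `wg.custom.block.`. The following is an added example, not code from the thread or from BIND: it loads a zone file with those rules and replays the QNAME-trigger lookup for `app.hubspot.com`. The zone text is constructed from Lee's `db.custom.block` (origin `custom.block`, address 172.19.2.3 as in his post); `load_zone`, `rpz_answer` and the other names are this example's own.

```python
"""Expand a BIND-style zone file's names the way the origin rule says named does.

Added example for the bind-users thread above, not code from the post or
from BIND.  Rules applied: a name ending in "." is absolute, any other name
gets the origin appended, "@" is the origin, a blank owner repeats the last
owner.  ZONE_TEXT is constructed from Lee's db.custom.block.
"""

# Constructed sample: Lee's zone file for response-policy zone "custom.block".
ZONE_TEXT = """\
$TTL 180
@ IN SOA localhost. ns1.custom.block. (
            2006060301 21600 3600 604800 3600 )
  IN NS localhost.

wg.custom.block IN A 172.19.2.3
app.hubspot.com CNAME wg.custom.block
"""

# rdata fields that are domain names and must be qualified too, per type
NAME_FIELDS = {"CNAME": [0], "NS": [0], "SOA": [0, 1], "PTR": [0], "MX": [1]}
CLASSES = {"IN", "CH", "HS"}


def qualify(name, origin):
    """Return NAME as an absolute name; ORIGIN must already end with a dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def logical_lines(text):
    """Yield (owner_is_blank, tokens) per record, joining ( ... ) continuations."""
    buf, depth, blank = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # drop comments
        if not buf:
            blank = line[:1].isspace()       # blank owner = leading whitespace
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            tokens = " ".join(buf).split()
            if tokens:
                yield blank, tokens
            buf = []


def load_zone(text, origin):
    """Return (owner, ttl, type, rdata) tuples with every name made absolute.

    ORIGIN is the zone name from the zone statement in named.conf, which is
    what supplies the origin when the file itself has no $ORIGIN line.
    """
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, last_owner, records = None, None, []
    for blank, tok in logical_lines(text):
        if tok[0] == "$TTL":
            default_ttl = int(tok[1])
            continue
        if tok[0] == "$ORIGIN":
            origin = qualify(tok[1], origin)
            continue
        owner = last_owner if blank else qualify(tok.pop(0), origin)
        ttl = default_ttl
        # an optional TTL and/or class may precede the type, in either order
        while tok and (tok[0].isdigit() or tok[0] in CLASSES):
            field = tok.pop(0)
            if field.isdigit():
                ttl = int(field)
        rtype, rdata = tok[0], tok[1:]
        for i in NAME_FIELDS.get(rtype, []):
            rdata[i] = qualify(rdata[i], origin)
        records.append((owner, ttl, rtype, " ".join(rdata)))
        last_owner = owner
    return records


def rpz_answer(records, qname, origin):
    """Replay the RPZ QNAME trigger: the trigger owner for QNAME is QNAME.ORIGIN.

    Follows a CNAME whose target lives in the same zone (the case in the post,
    where named is also authoritative for custom.block) and returns the chain
    of (owner, type, rdata) that ends up in the answer section.
    """
    origin = origin if origin.endswith(".") else origin + "."
    target = qname.rstrip(".") + "." + origin
    chain = []
    while True:
        hits = [r for r in records if r[0] == target and r[2] in ("CNAME", "A")]
        if not hits:
            return chain
        owner, _ttl, rtype, rdata = hits[0]
        chain.append((owner, rtype, rdata))
        if rtype != "CNAME":
            return chain
        target = rdata


if __name__ == "__main__":
    recs = load_zone(ZONE_TEXT, "custom.block")
    for rec in recs:
        print(rec)
    for step in rpz_answer(recs, "app.hubspot.com", "custom.block"):
        print("answer:", *step)
```

Run it and compare with the dig output Lee posted: the CNAME and A owners both carry the `custom.block.` suffix, and the chain ends at 172.19.2.3. With the trailing dot left on the CNAME target, as in the original file, `qualify` would return `wg.custom.block.` unchanged, which is a different name from the `wg.custom.block.custom.block.` owner the zone actually defines.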