From Newsgroup: comp.protocols.dns.bind
Hi all,
BIND version: 9.11.21
OS: RHEL 7
Compile options: ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc --with-openssl --enable-largefile --disable-ipv6 --enable-threads --enable-filter-aaaa
I have configured 4 RPZ zones (2 are from upstream feeds, and the other 2
are local override blacklist/whitelist zones).
The response-policy and RPZ zone configurations are as follows:
        response-policy {
                zone "rpz.local.whitelist" policy passthru;
                zone "rpz.local.blacklist" policy cname sinkhole-local.domain.com;
                zone "rpz.whitelist"    policy passthru;
                zone "rpz.blacklist" policy cname sinkhole-feed.domain.com;
        };
        zone "rpz.local.whitelist"{
            type master;
            file "zones/master/rpz.local.whitelist.db";
            allow-query { localhost; };
        };
        zone "rpz.local.blacklist" {
            type master;
            file "zones/master/rpz.local.blacklist.db";
            allow-query { localhost; };
        };
        zone "rpz.whitelist"{
            type master;
            file "zones/master/rpz.whitelist.db";
            allow-query { localhost; };
        };
        zone "rpz.blacklist" {
            type master;
            file "zones/master/rpz.blacklist.db";
            allow-query { localhost; };
        };
Contents of the zones relevant to the issue:
# grep "*\.live\.com" rpz.*
rpz.blacklist.db:onedrive.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.blacklist.db:*.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.whitelist.db:*.live.com.rpz.whitelist. 3600 IN CNAME rpz.passthru.
# dig @dnsserver onedrive.live.com
;; QUESTION SECTION:
;onedrive.live.com. IN A
;; ANSWER SECTION:
onedrive.live.com. 5 IN CNAME sinkhole-feed.domain.com.
sinkhole-feed.domain.com. 900 IN A 127.66.66.66
I would expect rpz.whitelist to allow *.live.com (passthru).
However, if I add the FQDN (not the wildcard domain) to the rpz.local.whitelist zone to override the external feeds, the FQDN resolution works:
# grep "*\.live\.com" rpz.*
rpz.blacklist.db:onedrive.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.blacklist.db:*.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.local.whitelist.int.db:onedrive.live.com.rpz.local.whitelist. IN CNAME rpz-passthru.
rpz.whitelist.db:*.live.com.rpz.whitelist. 3600 IN CNAME rpz.passthru.
# dig @dnsserver onedrive.live.com
;; QUESTION SECTION:
;onedrive.live.com. IN A
;; ANSWER SECTION:
onedrive.live.com. 60 IN CNAME odc-web-geo.onedrive.akadns.net.
odc-web-geo.onedrive.akadns.net. 36 IN CNAME odc-web-brs.onedrive.akadns.net.
odc-web-brs.onedrive.akadns.net. 36 IN CNAME odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net.
odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net. 240 IN CNAME l-0004.l-msedge.net.
l-0004.l-msedge.net. 240 IN A 13.107.42.13
RPZ wildcard domain whitelist (passthru) doesn't seem to work as it should.
I have noticed that the last workable version is BIND 9.11.6-P1. I have
tested the same configurations with versions 9.11.8, 9.11.19 and 9.11.21,
and all produce the same issue.
Has anyone experienced a similar issue here, or have I misconfigured something?
Thanks
myOcella
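The precedence the post relies on, as an added model (not the poster's configuration or ISC's code) of how the BIND ARM documents RPZ QNAME-trigger selection: first listed zone with a match wins, exact owner beats wildcard inside a zone, and a zone-level policy overrides the record's action. It assumes the standard rpz-passthru. CNAME target, uses zone contents constructed from the records quoted above, and also reports what the wildcard whitelist record would do if its zone carried no zone-level policy.

```python
# Added example (not from the original post): a model of BIND's documented RPZ QNAME
# precedence: zones are tried in response-policy order and the first matching zone wins;
# inside a zone an exact owner beats a wildcard; a zone-level "policy" override wins over the record.
PASSTHRU = "rpz-passthru."   # the special CNAME target that means "do not rewrite"

def record_action(rtype, rdata):
    if rtype == "CNAME":   # only rpz-passthru. is passthru; any other target is a rewrite
        return ("passthru", None) if rdata.lower() == PASSTHRU else ("cname", rdata)
    if rtype == "A":
        return ("local-data", rdata)    # e.g. a 127.66.66.66 sinkhole answer
    raise ValueError("unsupported RPZ record type " + rtype)

def match_in_zone(qname, records):
    """Best QNAME trigger in one zone: exact owner, else closest enclosing wildcard."""
    name = qname.rstrip(".").lower()
    if name in records:
        return name
    for i in range(1, name.count(".") + 1):       # *.live.com, then *.com
        wildcard = "*." + name.split(".", i)[-1]
        if wildcard in records:
            return wildcard
    return None

def evaluate(qname, response_policy, zones):
    """First listed zone with a trigger for qname -> (zone, trigger, action), else None."""
    for zone, override in response_policy:        # order from the response-policy block
        trigger = match_in_zone(qname, zones.get(zone, {}))
        if trigger is not None:
            action = override or record_action(*zones[zone][trigger])
            return (zone, trigger, action)
    return None

# Constructed from the post: zone order, zone-level overrides and the *.live.com records.
RESPONSE_POLICY = [("rpz.local.whitelist", ("passthru", None)),
                   ("rpz.local.blacklist", ("cname", "sinkhole-local.domain.com.")),
                   ("rpz.whitelist", ("passthru", None)),
                   ("rpz.blacklist", ("cname", "sinkhole-feed.domain.com."))]
ZONES = {"rpz.local.whitelist": {}, "rpz.local.blacklist": {},
         "rpz.whitelist": {"*.live.com": ("CNAME", "rpz.passthru.")},   # spelled as in the post
         "rpz.blacklist": {"onedrive.live.com": ("A", "127.66.66.66"), "*.live.com": ("A", "127.66.66.66")}}

def scenarios():
    """The post's two scenarios plus a lint case, evaluated for onedrive.live.com."""
    q = "onedrive.live.com."
    second = {z: dict(r) for z, r in ZONES.items()}  # FQDN added to rpz.local.whitelist
    second["rpz.local.whitelist"]["onedrive.live.com"] = ("CNAME", PASSTHRU)
    no_override = [(z, None if z == "rpz.whitelist" else o) for z, o in RESPONSE_POLICY]
    return {"wildcard": evaluate(q, RESPONSE_POLICY, ZONES), "exact": evaluate(q, RESPONSE_POLICY, second),
            "no_policy": evaluate(q, no_override, ZONES)}
```

Comparing the "wildcard" result with the dig output above shows where the running server departs from the documented precedence; the "no_policy" case shows that without the zone-level policy the record's CNAME target spelling alone decides between passthru and a rewrite.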