I'm attempting to set up a response policy zone on a pair of forwarders
running BIND, version 9.8.1 on the master for the zone, and version 9.9.5
on the slave.

The forwarding requests are coming from a pair of Microsoft DNS servers,
running Server 2012.

If the Microsoft DNS server is configured to forward to the master, the
clients get the correct responses, e.g. "evil.example.com" resolves to
127.0.0.1, just as I have it set up in the zone file for the RPZ. However,
if the Microsoft DNS server is configured to use the slave server as a
forwarder, the client gets an NXDOMAIN response.

Clients that query the BIND servers (master or slave) directly get the
correct 127.0.0.1 response.

I've confirmed that changing the slave into a master for the RPZ fixes the
It seems like the Microsoft DNS servers for some reason don't regard the
BIND server configured as a slave as authoritative, but I'm not sure why
that might be.