In fact, what I observed is that the intermediate DNS servers are not forwarding the queries for .com and .net to my RPZ servers; instead, each tries to resolve them directly on its own from the TLD servers.
192.168.3.72 End User
192.168.3.15 [AUTH Server for test.com] and has forwarder to 192.168.3.44 [RPZ]

So, 3.15 should only resolve for test.com, else all queries should be forwarded to 192.168.3.44. *Which is not happening.*

dig 003bbhq9.com

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> 003bbhq9.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6844
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;003bbhq9.com. IN A

*;; AUTHORITY SECTION:*
*com. 530 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1533954938 1800 900 604800 86400*

;; Query time: 0 msec
;; SERVER: 192.168.3.15#53(192.168.3.15)
;; WHEN: Sat Aug 11 08:12:17 IST 2018
;; MSG SIZE rcvd: 114

On Sat, Aug 11, 2018 at 7:57 AM Blason R <blaso...@gmail.com> wrote:
> Ok - Now I added it like this and it disappeared.
>
> response-policy { zone "whitelist.allow" policy passthru;
> zone "malware.trap";
> zone "ransomwareips.block"; } qname-wait-recurse
> no break-dnssec no;
>
>
> On Sat, Aug 11, 2018 at 7:51 AM Blason R <blaso...@gmail.com> wrote:
>
>> This is not accepted and gives me a syntax error.
>>
>> named-checkconf /etc/bind/named.conf
>> /etc/bind/named.conf.options:29: syntax error near '}'
>>
>>
>> And here is what I added:
>>
>> response-policy { zone "whitelist.allow" policy passthru;
>> zone "malware.trap";
>> zone "ransomwareips.block"; } qname-wait-recurse
>> no break-dnssec no; };
>>
>>
>>
>> On Sat, Aug 11, 2018 at 1:17 AM Carl Byington <c...@byington.org> wrote:
>>
>>> On Fri, 2018-08-10 at 13:17 +0530, Blason R wrote:
>>> > Nah, I don't think that is the answer since you need a termination after
>>> > the clause.
>>>
>>> Did you actually try the answer below?
>>>
>>>
>>> > On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov <pvm_...@mail.ru> wrote:
>>>
>>> > Should be:
>>>
>>> > response-policy {zone "whitelist.allow" policy passthru;
>>> > zone "malware.trap";
>>> > zone "ransomwareips.block";
>>> > } qname-wait-recurse no break-dnssec no;
>>>
>>
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
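An added shell check (not from the thread or from BIND) that applies the diagnosis made in the message above to dig output: a NXDOMAIN whose AUTHORITY SOA is owned by com. or net. is the registry's own negative answer, so the queried server recursed on its own instead of sending the name through the RPZ forwarder. The first sample is the dig output posted in the thread; the second sample, showing what a policy-zone rewrite would carry instead, is constructed, and its SOA values are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread. Reads `dig` output on stdin and prints
# one word: "tld-direct" when a NXDOMAIN carries the com./net. registry SOA in
# the AUTHORITY section (the server answered from the TLD itself, bypassing the
# RPZ forwarder), "rewritten-or-other" for any other NXDOMAIN, or "status-<rcode>".
# Live use:  dig @192.168.3.15 003bbhq9.com | classify_dig_output
classify_dig_output() {
    awk '
        /^;; ->>HEADER<<-/ {
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { st = $(i + 1); sub(/,$/, "", st) }
        }
        /^;; AUTHORITY SECTION:/ { in_auth = 1; next }
        /^;;/                    { in_auth = 0 }
        in_auth && $4 == "SOA"   { soa_owner = $1 }
        END {
            if (st == "NXDOMAIN" && (soa_owner == "com." || soa_owner == "net."))
                print "tld-direct"          # registry SOA: forwarder was bypassed
            else if (st == "NXDOMAIN")
                print "rewritten-or-other"  # negative answer from somewhere else
            else
                print "status-" st
        }'
}

# Sample 1: the dig output posted in the thread (mail-client link residue removed).
SAMPLE_THREAD='; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> 003bbhq9.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6844
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;003bbhq9.com. IN A
;; AUTHORITY SECTION:
com. 530 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1533954938 1800 900 604800 86400
;; SERVER: 192.168.3.15#53(192.168.3.15)'

# Sample 2 (constructed): a negative answer whose AUTHORITY SOA belongs to the
# policy zone named in the thread rather than to the TLD; SOA values are made up.
SAMPLE_RPZ=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; AUTHORITY SECTION:
malware.trap. 300 IN SOA ns.malware.trap. hostmaster.malware.trap. 1 3600 600 86400 300'

# Helper so a caller (or a test) can classify a captured output string.
check() { printf '%s\n' "$1" | classify_dig_output; }
```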