Hi Eduardo.
On Thu, 15 Aug 2019, Eduardo Bonsi wrote:
First, thank you for taking the time to layout your views and suggestion!
;-)
NOTE: This is a perfect use case for off-label use of RPZ, you could
define your PTR record in an RPZ and you wouldn't need to take over the
whole zone.
Thank you for this suggestion! It would be great to have some examples,
if it is not too much to ask already!
Sure. 8-) Do you have waldo in your domain?
# dig waldo.bonsi.org
; <<>> DiG 9.8.3-P1 <<>> waldo.bonsi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10359
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;waldo.bonsi.org. IN A
;; AUTHORITY SECTION:
bonsi.org. 300 IN SOA ns-cloud-b1.googledomains.com. cloud-dns-hostmaster.google.com. 56 21600 3600 259200 300
;; Query time: 540 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Fri Aug 16 09:52:54 2019
;; MSG SIZE rcvd: 129
Let's fix that:
# net-dns.pl add white waldo.bonsi.org A 10.9.8.7
(That's a script which dynamically updates the zone whitelist.m3047.net, a
local vanity domain.)
# dig waldo.bonsi.org.whitelist.m3047.net
; <<>> DiG 9.8.3-P1 <<>> waldo.bonsi.org.whitelist.m3047.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42402
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;waldo.bonsi.org.whitelist.m3047.net. IN A
;; ANSWER SECTION:
WALDO.BONSI.ORG.whitelist.m3047.net. 600 IN A 10.9.8.7
;; Query time: 7 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Fri Aug 16 09:55:41 2019
;; MSG SIZE rcvd: 104
Let's make sure I didn't break your zone:
# dig www.bonsi.org
; <<>> DiG 9.8.3-P1 <<>> www.bonsi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42111
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.bonsi.org. IN A
;; ANSWER SECTION:
www.bonsi.org. 21600 IN A 162.201.66.177
;; Query time: 126 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Fri Aug 16 09:56:49 2019
;; MSG SIZE rcvd: 47
Looks good. Where's waldo?
# dig waldo.bonsi.org
; <<>> DiG 9.8.3-P1 <<>> waldo.bonsi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16655
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;waldo.bonsi.org. IN A
;; ANSWER SECTION:
WALDO.BONSI.ORG. 5 IN A 10.9.8.7
;; ADDITIONAL SECTION:
whitelist.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET. 364 600 60 86400 600
;; Query time: 7 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Fri Aug 16 09:57:26 2019
;; MSG SIZE rcvd: 142
You'll notice that the authority comes from whitelist.m3047.net, and that
I didn't have to take over your entire zone in order to rewrite that
particular FQDN. This does break DNSSEC.
How does this hang together in the BIND config?
# cat /etc/named.conf
...
options {
    ...
    // RPZs
    response-policy {
        zone "whitelist.m3047.net";
        zone "rpz1.m3047.net";
    };
    ...
};
...
zone "whitelist.m3047.net" {
    type master;
    check-names ignore;
    file "whitelist.m3047.net";
};
...
# rndc freeze whitelist.m3047.net
# rndc thaw whitelist.m3047.net
# cat whitelist.m3047.net
$ORIGIN .
$TTL 900 ; 15 minutes
whitelist.m3047.net IN SOA DEV.NULL. M3047.M3047.NET. (
                        364        ; serial
                        600        ; refresh (10 minutes)
                        60         ; retry (1 minute)
                        86400      ; expire (1 day)
                        600        ; minimum (10 minutes)
                        )
                    NS  LOCALHOST.
...
$ORIGIN AP.ORG.whitelist.m3047.net.
*           CNAME   rpz-passthru.
$ORIGIN ORG.whitelist.m3047.net.
WALDO.BONSI A       10.9.8.7
$ORIGIN CONSUMERREPORTSCDN.ORG.whitelist.m3047.net.
*           CNAME   rpz-passthru.
...
(RPZs have special semantics for actions like passthrough and NXDOMAIN.)
Fundamentally, you're not authoritative for the zone:
I am totally aware of that! It would be simpler if I just went ahead and
ordered some static IPs from AT&T ... that would cost me an arm and a leg,
but I'd be done with it! Then, "probably" I would not be here asking this
question at all.
We are referring to the in-addr.arpa zone, just to be clear. There is
reverse for it, it's just provided by SW Bell. It's not pointing to an
FQDN within your zone (bonsi.org). That could be seen as "spammy", but a
lot of people outsource email these days. (It would be interesting to know
just how "spammy" that is as a feature in reality and in perception.) Some
people view anything with a reverse like that to be "customer prem" and
therefore spammy. Regardless, they provide forward that matches the
reverse:
# dig 162-201-66-177.lightspeed.sntcca.sbcglobal.net +short
162.201.66.177
Having an MTA for your zone which announces its name as something
different than what it reverses to is widely considered spammy. You do
control the domain bonsi.org however, and I don't see why you can't name
162-201-66-177.lightspeed.sntcca.sbcglobal.net as your MX. Define SPF for
good measure. If you've got the host named something else, you may have to
take special measures configuring the MTA software so that it uses the
sbcglobal.net FQDN in headers it generates.
Yes, I am aware of that too! Even though I am not authoritative
according to the BIND rules, I do have authoritative control of the
zone bonsi.org at the registrar GoogleDomains.com.
bonsi.org is (ultimately) delegated from .org. 177.66.201.162.in-addr.arpa
is delegated from .arpa. There is no explicit control between the two. An
organization might be delegated control over the reverse for a block of
addresses it is pointing into or it might not. According to whois:
66.201.162.in-addr.arpa: not delegated
201.162.in-addr.arpa: SBC Global / SW Bell
162.in-addr.arpa: ARIN
Google has no control at any level of the delegation chain.
The only one with authority to reverse that IP is AT&T and, as I mentioned
before, AT&T is not going to do that unless I pay them the extra, extra
bucks for static IPs.
[...]
I am aware of that! I could just ask AT&T to reverse the domain. I am
only running a caching nameserver locally (no recursion), and for that
I am only authoritative for the internal zones. Here, I can do that
without having to ask anybody ... :)
[server:~] root# dig @127.0.0.1 -x 192.168.1.3
; <<>> DiG 9.10.6 <<>> @127.0.0.1 -x 192.168.1.3
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48149
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;3.1.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
3.1.168.192.in-addr.arpa. 3600 IN PTR bonsi.org.
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 3600 IN NS ns1.bonsi.org.
1.168.192.in-addr.arpa. 3600 IN NS ns3.bonsi.org.
1.168.192.in-addr.arpa. 3600 IN NS ns2.bonsi.org.
;; ADDITIONAL SECTION:
ns1.bonsi.org. 3600 IN A 192.168.1.21
ns2.bonsi.org. 3600 IN A 192.168.1.31
ns3.bonsi.org. 3600 IN A 192.168.1.41
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 15 14:27:33 PDT 2019
;; MSG SIZE rcvd: 178
Yup.
--
Fred
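An added example, not Fred's net-dns.pl script and not BIND's own code: a small Python simulation of how a qname trigger is looked up in a response-policy zone such as whitelist.m3047.net above. The records are constructed from the zone fragment in the message (plus two hypothetical entries showing the NXDOMAIN and NODATA actions); the function names and the walk-up-the-ancestors matching order are my assumptions about the semantics, not a copy of BIND's implementation.

```python
"""Simulate BIND's qname-trigger lookup against a response-policy zone (RPZ).

Constructed example: the triggers mirror the whitelist.m3047.net fragment in
the message; 'bad.example' and '*.tracker.example' are hypothetical additions
that illustrate the NXDOMAIN and NODATA actions.
"""

RPZ_ZONE = "whitelist.m3047.net"

# Owner names relative to the RPZ apex -> (rrtype, rdata).
# In the real zone file these appear under $ORIGIN lines, e.g.
# "WALDO.BONSI A 10.9.8.7" under $ORIGIN ORG.whitelist.m3047.net.
RPZ_RECORDS = {
    "*.ap.org": ("CNAME", "rpz-passthru."),
    "waldo.bonsi.org": ("A", "10.9.8.7"),
    "*.consumerreportscdn.org": ("CNAME", "rpz-passthru."),
    "bad.example": ("CNAME", "."),          # hypothetical: RPZ NXDOMAIN action
    "*.tracker.example": ("CNAME", "*."),   # hypothetical: RPZ NODATA action
}


def trigger_owner(qname):
    """The name BIND looks up inside the RPZ: qname with the RPZ apex appended
    (this is the name dig showed: waldo.bonsi.org.whitelist.m3047.net.)."""
    return qname.rstrip(".").lower() + "." + RPZ_ZONE + "."


def rpz_action(qname, records=RPZ_RECORDS):
    """Return (action, data) for a query name.

    action is 'rewrite' (local data answers the query, as with waldo),
    'passthru', 'nxdomain', 'nodata', or 'none' when no trigger matches.
    Owner names are case-insensitive, which is why the uppercase zone entry
    answered the lowercase query.  An exact owner wins; otherwise wildcards are
    tried at each ancestor, closest ancestor first.  A wildcard never matches
    the ancestor name itself (standard DNS wildcard behaviour).
    """
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    candidates = [name] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for owner in candidates:
        hit = records.get(owner)
        if hit is None:
            continue
        rrtype, rdata = hit
        if rrtype == "CNAME" and rdata == "rpz-passthru.":
            return ("passthru", None)
        if rrtype == "CNAME" and rdata == ".":
            return ("nxdomain", None)
        if rrtype == "CNAME" and rdata == "*.":
            return ("nodata", None)
        return ("rewrite", hit)
    return ("none", None)
```

Note that, as the message says, a 'rewrite' or 'nxdomain' answer is synthesised by the resolver and will not validate under DNSSEC.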
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users