Hi Sami. That's not what I said. Yes, you can do this with RPZ if you want - it's all in the BIND ARM - but it's not something I would do.
Cheers, Greg

On Mon, 19 Jun 2023 at 12:40, <sami.ra...@sofrecom.com> wrote:

> Thank you Greg
>
> So if I understand correctly if we receive a servfail return code we can
> not modify this code by nxdomain with the rpz configuration?
>
> Regards
>
> *From:* Greg Choules <gregchoules+bindus...@googlemail.com>
> *Sent:* Monday 19 June 2023 12:02
> *To:* RAHAL Sami SOFRECOM <sami.ra...@sofrecom.com>
> *Cc:* bind-users@lists.isc.org
> *Subject:* Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>
> That's because this domain is broken. The NS for it are:
>
> antlauncher.com: type NS, class IN, ns ns1626.ztomy.com (204.11.56.26)
>
> antlauncher.com: type NS, class IN, ns ns2626.ztomy.com (204.11.57.26)
>
> No matter what query you send them (so far) they respond with REFUSED and
> claim not to be authoritative for "antlauncher.com".
>
> Personally I would live with the SERVFAIL because it tells you that
> something is wrong, not just that it doesn't exist. Then try to contact the
> people who own this domain and tell them it is broken.
>
> Cheers, Greg
>
> On Mon, 19 Jun 2023 at 10:33, <sami.ra...@sofrecom.com> wrote:
>
> Hello
>
> Thank you for these details Greg, by the way I worked on a problem on one
> of my resolvers and there are no errors of type "SERVFAIL" currently for
> valid domain names but I receive servfail for this domain name
> "antlauncher.com" that's why I wanted to change the return code for this
> domain name to "NXDOMAIN" so as not to distort the monitoring result.
>
> Regards
>
> *From:* Greg Choules <gregchoules+bindus...@googlemail.com>
> *Sent:* Monday 19 June 2023 10:03
> *To:* RAHAL Sami SOFRECOM <sami.ra...@sofrecom.com>
> *Cc:* bind-users@lists.isc.org
> *Subject:* Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>
> Hi Sami.
>
> Firstly, a couple of definitions:
>
> NXDOMAIN is a response from an authoritative server (or a resolver because
> it cached it). It is a positive confirmation that "this name does not
> exist". It means that the QNAME in the query cannot be found, for any
> record type.
>
> SERVFAIL is a response from a recursive server meaning "I tried my best to
> get a response to your query but I just failed".
>
> So if your monitoring tool, whatever it is, is receiving SERVFAIL
> responses from your DNS server then you need to fix whatever is causing
> those in the server.
>
> Causes of SERVFAIL could be that your server cannot contact the
> authoritative server(s) that should know the answer. Or it might be because
> your server is trying to do DNSSEC validation and that is failing.
>
> The best way to know *why* you are getting SERVFAIL would be to take a
> packet capture that includes the client queries to the server and any
> queries the server makes to try and get answers, plus all the responses.
>
> Please do that and share the results, using real domains, not examples.
>
> Hope that helps, Greg
>
> On Mon, 19 Jun 2023 at 09:39, <sami.ra...@sofrecom.com> wrote:
>
> Hello Thank you for your feedback,
> yes it works like that! for that does not work for a domain name that
> already has the return code "SERVFAIL" and we want to change this code by
> "NXDOMAIN" like this domain name "antlauncher.com"
> regards Rahal
>
> -----Original Message-----
> From: bind-users <bind-users-boun...@lists.isc.org> On behalf of
> bind-users-requ...@lists.isc.org
> Sent: Saturday 17 June 2023 06:23
> To: bind-users@lists.isc.org
> Subject: bind-users Digest, Vol 4262, Issue 1
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 16 Jun 2023 20:39:43 +0000
> From: sami.ra...@sofrecom.com
> To: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
> Subject: replace "SERVFAIL" to "NXDOMAIN" with rpz
>
> Hello
> For monitoring reasons I try to change the return code of a domain name
> from "SERVFAIL" to "NXDOMAIN" with the rpz classic configuration of
> BIND9.16.42 as follows:
> example.com IN CNAME.
> *.example.com IN CNAME .
> But it still doesn't work, I still have the message "SERVFAIL", is it
> feasible or not please?
> Kind regards
>
> ------------------------------
>
> Message: 2
> Date: Fri, 16 Jun 2023 20:29:16 -0700
> From: Crist Clark <cjc+bind-us...@pumpky.net>
> To: sami.ra...@sofrecom.com
> Cc: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
> Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>
> That should return a NXDOMAIN. Returning SERVFAIL is never a normal RPZ
> action. Something is wrong with your configuration.
>
> On Fri, Jun 16, 2023 at 1:39 PM <sami.ra...@sofrecom.com> wrote:
>
> > Hello
> >
> > For monitoring reasons I try to change the return code of a domain
> > name from "SERVFAIL" to "NXDOMAIN" with the rpz classic configuration
> > of
> > BIND9.16.42 as follows:
> >
> > example.com IN CNAME.
> >
> > *.example.com IN CNAME .
> >
> > But it still doesn't work, I still have the message "SERVFAIL", is
> > it feasible or not please?
> >
> > Kind regards
>
> ------------------------------
>
> Message: 3
> Date: Fri, 16 Jun 2023 21:40:11 -0700 (PDT)
> From: Fred Morris <m3...@m3047.net>
> To: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
> Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>
> Admittedly, since I'm writing software to do "off label" stuff with DNS I
> make mistakes. But I have seen things along this line (interactions between
> RPZ and regular resolution in the context of "broken" domains): in some
> cases it has seemed impossible to ameliorate / mitigate SERVFAIL utilizing
> RPZ.
>
> I'll try to pay more attention and see if I can isolate a test case if the
> problem recurs. (I was kind of hoping someone would have a solution!)
>
> --
>
> Fred Morris
>
> On Fri, 16 Jun 2023, Crist Clark wrote:
>
> > That should return a NXDOMAIN. Returning SERVFAIL is never a normal
> > RPZ action. Something is wrong with your configuration.
> >
> > On Fri, Jun 16, 2023 at 1:39 PM <sami.ra...@sofrecom.com> wrote:
> >>
> >> For monitoring reasons I try to change the return code of a domain
> >> name from "SERVFAIL" to "NXDOMAIN" with the rpz classic configuration
> >> of
> >> BIND9.16.42 as follows:
> >>
> >> example.com IN CNAME.
> >>
> >> *.example.com IN CNAME .
> >>
> >> But it still doesn't work, I still have the message "SERVFAIL", is
> >> it feasible or not please?
>
> ------------------------------
>
> Message: 4
> Date: Sat, 17 Jun 2023 07:22:50 +0200
> From: Ondřej Surý <ond...@isc.org>
> To: Fred Morris <m3...@m3047.net>
> Cc: bind-users@lists.isc.org
> Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>
> An HTML attachment was scrubbed...
> URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230617/a5b1eca8/attachment.htm>
>
> ------------------------------
>
> End of bind-users Digest, Vol 4262, Issue 1
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
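
Added example, not part of the thread and not ISC or BIND code: a monitoring-side way to keep the SERVFAIL signal discussed above while stopping one known-broken domain from skewing the results, plus a check for the lame-delegation symptom Greg describes (name servers answering REFUSED without claiming authority). The function names and the known-broken list are hypothetical, and the DNS messages are constructed samples.

```python
import struct

# Added illustration, not code from the thread. All function names are hypothetical.
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QR, AA, RA = 0x8000, 0x0400, 0x0080  # header flag bits (RFC 1035)

def build_response(qname, rcode, aa=False, ra=False):
    """Construct a minimal DNS response (header + one question) as sample input."""
    flags = QR | (AA if aa else 0) | (RA if ra else 0) | rcode
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(msg):
    """Return (qname, rcode_name, aa_flag) from a raw DNS response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    flags, qdcount = struct.unpack("!2H", msg[2:6])
    if not flags & QR or qdcount != 1:
        raise ValueError("expected a response carrying one question")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        n = msg[pos]
        if n == 0:
            break
        if n > 63 or pos + 1 + n > len(msg):
            raise ValueError("bad label length in question")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    rcode = flags & 0x000F
    return ".".join(labels), RCODES.get(rcode, "RCODE%d" % rcode), bool(flags & AA)

def in_zone(qname, zone):
    return qname == zone or qname.endswith("." + zone)

def is_lame(auth_response, zone):
    """Heuristic: a listed NS that answers REFUSED, or without AA, for its own zone."""
    qname, rcode, aa = parse_response(auth_response)
    return in_zone(qname, zone) and (rcode == "REFUSED" or not aa)

def triage(resolver_response, known_broken):
    """Label a resolver answer for monitoring; the RCODE itself is never rewritten."""
    qname, rcode, _ = parse_response(resolver_response)
    if rcode != "SERVFAIL":
        return rcode
    if any(in_zone(qname, z) for z in known_broken):
        return "SERVFAIL-known-broken"
    return "SERVFAIL-alert"

# Constructed samples: the NS reply described in the thread, and the resolver's answer.
NS_REPLY = build_response("antlauncher.com", 5)
RESOLVER_REPLY = build_response("antlauncher.com", 2, ra=True)
```

A SERVFAIL for any name outside the known-broken list still raises an alert, so resolver-side faults such as unreachable authoritative servers or DNSSEC validation failures stay visible.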