From the correct email alias this time!

On Mon, 19 Jun 2023 at 16:50, Greg Choules <gregchou...@googlemail.com> wrote:
> Hi Lee/Sami.
> `break-dnssec yes;` *may* also be needed in some cases. But not here as
> the zone isn't signed anyway.
>
> The reason that "example.com" works but "antlauncher.com" doesn't is down
> to BIND needing to perform recursion and get an answer before RPZ kicks in
> and overwrites it (unless you specify `qname-wait-recurse no;`).
> "example.com" actually gets an answer (from IANA) but "antlauncher.com"
> gets REFUSED.
>
> Wireshark it and see.
>
> By the way, I have been testing this on 9.18.15
> Cheers, Greg
>
>
> On Mon, 19 Jun 2023 at 16:10, Lee <ler...@gmail.com> wrote:
>
>> On 6/19/23, sami.rahal wrote:
>> > Thank you Greg
>> >
>> > I tested with another domain name to replace "SERVFAIL" with "NXDOMAIN"
>> > and it is not working
>>
>> You're missing "break-dnssec yes" on your response-policy stanza?
>> You need something like
>>
>> response-policy { zone "rpz.mozilla"; zone "rpz.zone"; }
>>     break-dnssec yes
>>     recursive-only no
>>     qname-wait-recurse no;
>> # enable rpz
>> # By default, RPZ actions are applied only to DNS requests that either
>> # do not request DNSSEC metadata (DO=0) or when no DNSSEC records are
>> # available for the request name in the original zone (not the response
>> # policy zone).
>> # This default can be changed for all response policy zones in a view
>> # with a break-dnssec yes clause. In that case, RPZ actions are applied
>> # regardless of DNSSEC.
>> #
>> # zone "rpz.mozilla";
>> # https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
>>
>> Regards,
>> Lee
>>
>> >
>> > I use CentOS7 with BIND9.16.41
>> >
>> > grep antlauncher db.rpz
>> >
>> > antlauncher.com CNAME .
>> > *.antlauncher.com CNAME .
>> >
>> > grep example db.rpz
>> >
>> > example.com IN CNAME .
>> > *.example.com IN CNAME .
>> >
>> > dig @0 foo.antlauncher.com
>> >
>> > ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @0 foo.antlauncher.com
>> > ; (1 server found)
>> > ;; global options: +cmd
>> > ;; Got answer:
>> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54704
>> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> >
>> > ;; OPT PSEUDOSECTION:
>> > ; EDNS: version: 0, flags:; udp: 4096
>> > ;; QUESTION SECTION:
>> > ;foo.antlauncher.com. IN A
>> >
>> > ;; Query time: 241 msec
>> > ;; SERVER: 127.0.0.1#53(0.0.0.0)
>> > ;; WHEN: Mon Jun 19 10:52:22 CET 2023
>> > ;; MSG SIZE rcvd: 48
>> >
>> > # dig @0 example.com
>> >
>> > ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @0 example.com
>> > ; (1 server found)
>> > ;; global options: +cmd
>> > ;; Got answer:
>> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9852
>> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
>> >
>> > ;; OPT PSEUDOSECTION:
>> > ; EDNS: version: 0, flags:; udp: 4096
>> > ;; QUESTION SECTION:
>> > ;example.com. IN A
>> >
>> > ;; ADDITIONAL SECTION:
>> > siteblockeddb. 1 IN SOA LOCALHOST. need.to.know.only. 2016011100 43200 900 1814400 7200
>> >
>> > ;; Query time: 347 msec
>> > ;; SERVER: 127.0.0.1#53(0.0.0.0)
>> > ;; WHEN: Mon Jun 19 10:52:36 CET 2023
>> > ;; MSG SIZE rcvd: 115
>> >
>> > From: Greg Choules <gregchoules+bindus...@googlemail.com>
>> > Sent: Monday, 19 June 2023 15:12
>> > To: RAHAL Sami SOFRECOM <sami.ra...@sofrecom.com>
>> > Cc: bind-users@lists.isc.org
>> > Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>> >
>> > Hi Sami.
>> > That's not what I said.
>> > Yes, you can do this with RPZ if you want - it's all in the BIND ARM -
>> > but it's not something I would do.
>> >
>> > Cheers, Greg
>> >
>> > On Mon, 19 Jun 2023 at 12:40, <sami.ra...@sofrecom.com> wrote:
>> > Thank you Greg
>> > So if I understand correctly, if we receive a servfail return code we
>> > cannot modify this code to nxdomain with the rpz configuration?
>> > Regards
>> >
>> > From: Greg Choules <gregchoules+bindus...@googlemail.com>
>> > Sent: Monday, 19 June 2023 12:02
>> > To: RAHAL Sami SOFRECOM <sami.ra...@sofrecom.com>
>> > Cc: bind-users@lists.isc.org
>> > Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>> >
>> > That's because this domain is broken. The NS for it are:
>> > antlauncher.com: type NS, class IN, ns ns1626.ztomy.com (204.11.56.26)
>> > antlauncher.com: type NS, class IN, ns ns2626.ztomy.com (204.11.57.26)
>> > No matter what query you send them (so far) they respond with REFUSED
>> > and claim not to be authoritative for "antlauncher.com".
>> >
>> > Personally I would live with the SERVFAIL because it tells you that
>> > something is wrong, not just that it doesn't exist. Then try to contact
>> > the people who own this domain and tell them it is broken.
>> >
>> > Cheers, Greg
>> >
>> > On Mon, 19 Jun 2023 at 10:33, <sami.ra...@sofrecom.com> wrote:
>> > Hello
>> > Thank you for these details Greg. By the way, I worked on a problem on
>> > one of my resolvers and there are no errors of type "SERVFAIL" currently
>> > for valid domain names, but I receive servfail for this domain name
>> > "antlauncher.com"; that's why I wanted to change the return code for this
>> > domain name to "NXDOMAIN" so as not to distort the monitoring result.
>> > Regards
>> >
>> > From: Greg Choules <gregchoules+bindus...@googlemail.com>
>> > Sent: Monday, 19 June 2023 10:03
>> > To: RAHAL Sami SOFRECOM <sami.ra...@sofrecom.com>
>> > Cc: bind-users@lists.isc.org
>> > Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>> >
>> > Hi Sami.
>> > Firstly, a couple of definitions:
>> > NXDOMAIN is a response from an authoritative server (or a resolver
>> > because it cached it). It is a positive confirmation that "this name
>> > does not exist". It means that the QNAME in the query cannot be found,
>> > for any record type.
>> > SERVFAIL is a response from a recursive server meaning "I tried my best
>> > to get a response to your query but I just failed".
>> >
>> > So if your monitoring tool, whatever it is, is receiving SERVFAIL
>> > responses from your DNS server then you need to fix whatever is causing
>> > those in the server.
>> > Causes of SERVFAIL could be that your server cannot contact the
>> > authoritative server(s) that should know the answer. Or it might be
>> > because your server is trying to do DNSSEC validation and that is
>> > failing.
>> > The best way to know *why* you are getting SERVFAIL would be to take a
>> > packet capture that includes the client queries to the server and any
>> > queries the server makes to try and get answers, plus all the responses.
>> > Please do that and share the results, using real domains, not examples.
>> >
>> > Hope that helps, Greg
>> >
>> >
>> > On Mon, 19 Jun 2023 at 09:39, <sami.ra...@sofrecom.com> wrote:
>> > Hello, thank you for your feedback,
>> > yes it works like that!
>> > for that does not work for a domain name that already has the return
>> > code "SERVFAIL" and we want to change this code to "NXDOMAIN", like this
>> > domain name "antlauncher.com"
>> > regards Rahal
>> >
>> > -----Original Message-----
>> > From: bind-users <bind-users-boun...@lists.isc.org> On behalf of
>> > bind-users-requ...@lists.isc.org
>> > Sent: Saturday, 17 June 2023 06:23
>> > To: bind-users@lists.isc.org
>> > Subject: bind-users Digest, Vol 4262, Issue 1
>> >
>> > Today's Topics:
>> >
>> >    1. replace "SERVFAIL" to "NXDOMAIN" with rpz (sami.ra...@sofrecom.com)
>> >    2. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Crist Clark)
>> >    3. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Fred Morris)
>> >    4. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Ondřej Surý)
>> >
>> > ----------------------------------------------------------------------
>> >
>> > Message: 1
>> > Date: Fri, 16 Jun 2023 20:39:43 +0000
>> > From: sami.ra...@sofrecom.com
>> > To: bind-users@lists.isc.org
>> > Subject: replace "SERVFAIL" to "NXDOMAIN" with rpz
>> >
>> > Hello
>> > For monitoring reasons I try to change the return code of a domain name
>> > from "SERVFAIL" to "NXDOMAIN" with the rpz classic configuration of
>> > BIND9.16.42 as follows:
>> >
>> > example.com IN CNAME .
>> > *.example.com IN CNAME .
>> >
>> > But it still doesn't work, I still have the message "SERVFAIL". Is it
>> > feasible or not please?
>> > Kind regards
>> >
>> > ------------------------------
>> >
>> > Message: 2
>> > Date: Fri, 16 Jun 2023 20:29:16 -0700
>> > From: Crist Clark <cjc+bind-us...@pumpky.net>
>> > To: sami.ra...@sofrecom.com
>> > Cc: bind-users@lists.isc.org
>> > Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>> >
>> > That should return a NXDOMAIN. Returning SERVFAIL is never a normal RPZ
>> > action. Something is wrong with your configuration.
>> >
>> > ------------------------------
>> >
>> > Message: 3
>> > Date: Fri, 16 Jun 2023 21:40:11 -0700 (PDT)
>> > From: Fred Morris <m3...@m3047.net>
>> > To: bind-users@lists.isc.org
>> > Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>> >
>> > Admittedly, since I'm writing software to do "off label" stuff with DNS
>> > I make mistakes.
>> > But I have seen things along this line (interactions between RPZ and
>> > regular resolution in the context of "broken" domains): in some cases
>> > it has seemed impossible to ameliorate / mitigate SERVFAIL utilizing
>> > RPZ.
>> >
>> > I'll try to pay more attention and see if I can isolate a test case if
>> > the problem recurs. (I was kind of hoping someone would have a solution!)
>> >
>> > --
>> >
>> > Fred Morris
>> >
>> > ------------------------------
>> >
>> > Message: 4
>> > Date: Sat, 17 Jun 2023 07:22:50 +0200
>> > From: Ondřej Surý <ond...@isc.org>
>> > To: Fred Morris <m3...@m3047.net>
>> > Cc: bind-users@lists.isc.org
>> > Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>> >
>> > An HTML attachment was scrubbed...
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
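Putting Greg's explanation and Lee's snippet together, the following named.conf fragment is an added example (not posted by anyone in the thread) that shows the BIND default of waiting for recursion beside the corrected `qname-wait-recurse no;` setting; the zone name "rpz.zone", the file name "db.rpz" and the directory are assumptions, and the policy records are the ones Sami posted.

```conf
options {
    directory "/var/named";   // assumed path
    recursion yes;

    // WEAK (the BIND default, written out here to make it visible):
    // named must finish recursion for the QNAME before RPZ rewrites the
    // answer. For antlauncher.com the authoritative servers answer REFUSED,
    // recursion fails, and the client gets SERVFAIL instead of the NXDOMAIN
    // that "CNAME ." asks for.
    //
    // response-policy { zone "rpz.zone"; } qname-wait-recurse yes;

    // CORRECTED: apply the QNAME policy before recursion, so a broken
    // delegation can no longer surface as SERVFAIL. recursive-only no also
    // applies the policy to non-recursive queries (Lee's suggestion).
    // break-dnssec stays at its default because the policy zone is unsigned,
    // as Greg noted; it is only needed when signed answers must be overridden.
    response-policy {
        zone "rpz.zone" policy given;
    } qname-wait-recurse no
      recursive-only no;
};

// The policy zone is authoritative data that only the resolver should read:
// refusing direct queries keeps the block list from being served to clients.
zone "rpz.zone" {
    type master;
    file "db.rpz";           // assumed file; contents below are Sami's records
    allow-query { none; };
    // db.rpz (zone-file syntax, TTL 1 as in the SOA Sami's dig output shows):
    //   $TTL 1
    //   @                  IN SOA   localhost. need.to.know.only. 2016011100 43200 900 1814400 7200
    //                      IN NS    localhost.
    //   antlauncher.com    IN CNAME .     ; "CNAME ." is the RPZ NXDOMAIN action
    //   *.antlauncher.com  IN CNAME .
};
```

After `rndc reconfig`, a query such as `dig @127.0.0.1 foo.antlauncher.com` should come back `status: NXDOMAIN` rather than the `SERVFAIL` in Sami's capture; if it still returns SERVFAIL, a packet capture of the resolver's outbound queries, as Greg suggested, shows whether recursion is still being attempted first.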