Thank you very much, it now works fine. Just another question please: what is the recommended open source tool to test the performance of a DNS server, i.e. capture packets and then replay them to a DNS server to measure response time, latency, cache usage etc.?

Regards
From: Greg Choules <gregchoules+bindus...@googlemail.com>
Sent: Monday 19 June 2023 16:56
To: Lee <ler...@gmail.com>; RAHAL Sami SOFRECOM <sami.ra...@sofrecom.com>
Cc: bind-users@lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

From the correct email alias this time!

On Mon, 19 Jun 2023 at 16:50, Greg Choules <gregchou...@googlemail.com> wrote:

Hi Lee/Sami.

`break-dnssec yes;` *may* also be needed in some cases. But not here, as the zone isn't signed anyway.

The reason that "example.com" works but "antlauncher.com" doesn't is down to BIND needing to perform recursion and get an answer before RPZ kicks in and overwrites it (unless you specify `qname-wait-recurse no;`). "example.com" actually gets an answer (from IANA) but "antlauncher.com" gets REFUSED. Wireshark it and see.

By the way, I have been testing this on 9.18.15.

Cheers, Greg

On Mon, 19 Jun 2023 at 16:10, Lee <ler...@gmail.com> wrote:

On 6/19/23, sami.rahal wrote:
> Thank you Greg
>
> I tested with other domain name to replace "SERVFAIL" with "NXDOMAIN" is it
> not working

You're missing "break-dnssec yes" on your response-policy stanza? You need something like

    response-policy {
        zone "rpz.mozilla";
        zone "rpz.zone";
    } break-dnssec yes recursive-only no qname-wait-recurse no;   # enable rpz
    # By default, RPZ actions are applied only to DNS requests that either do not
    # request DNSSEC metadata (DO=0) or when no DNSSEC records are available for
    # the request name in the original zone (not the response policy zone).
    # This default can be changed for all response policy zones in a view with a
    # break-dnssec yes clause. In that case, RPZ actions are applied regardless
    # of DNSSEC.
    #
    # zone "rpz.mozilla";
    # https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

Regards, Lee

> I use CentOS7 with BIND9.16.41
>
> grep antlauncher db.rpz
> antlauncher.com CNAME .
> *.antlauncher.com CNAME .
>
> grep example db.rpz
> example.com IN CNAME .
> *.example.com IN CNAME .
>
> dig @0 foo.antlauncher.com
>
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @0 foo.antlauncher.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54704
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;foo.antlauncher.com. IN A
>
> ;; Query time: 241 msec
> ;; SERVER: 127.0.0.1#53(0.0.0.0)
> ;; WHEN: Mon Jun 19 10:52:22 CET 2023
> ;; MSG SIZE rcvd: 48
>
> # dig @0 example.com
>
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @0 example.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9852
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;example.com. IN A
>
> ;; ADDITIONAL SECTION:
> siteblockeddb. 1 IN SOA LOCALHOST. need.to.know.only. 2016011100 43200 900 1814400 7200
>
> ;; Query time: 347 msec
> ;; SERVER: 127.0.0.1#53(0.0.0.0)
> ;; WHEN: Mon Jun 19 10:52:36 CET 2023
> ;; MSG SIZE rcvd: 115
>
>
> From: Greg Choules <gregchoules+bindus...@googlemail.com>
> Sent: Monday 19 June 2023 15:12
> To: RAHAL Sami SOFRECOM <sami.ra...@sofrecom.com>
> Cc: bind-users@lists.isc.org
> Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>
> Hi Sami.
> That's not what I said.
> Yes, you can do this with RPZ if you want - it's all in the BIND ARM - but
> it's not something I would do.
>
> Cheers, Greg
>
> On Mon, 19 Jun 2023 at 12:40, <sami.ra...@sofrecom.com> wrote:
> Thank you Greg
> So if I understand correctly, if we receive a SERVFAIL return code we cannot
> change this code to NXDOMAIN with the RPZ configuration?
> Regards
>
> From: Greg Choules <gregchoules+bindus...@googlemail.com>
> Sent: Monday 19 June 2023 12:02
> To: RAHAL Sami SOFRECOM <sami.ra...@sofrecom.com>
> Cc: bind-users@lists.isc.org
> Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>
> That's because this domain is broken. The NS for it are:
> antlauncher.com: type NS, class IN, ns ns1626.ztomy.com (204.11.56.26)
> antlauncher.com: type NS, class IN, ns ns2626.ztomy.com (204.11.57.26)
> No matter what query you send them (so far) they respond with REFUSED and
> claim not to be authoritative for "antlauncher.com".
>
> Personally I would live with the SERVFAIL because it tells you that
> something is wrong, not just that it doesn't exist. Then try to contact the
> people who own this domain and tell them it is broken.
>
> Cheers, Greg
>
> On Mon, 19 Jun 2023 at 10:33, <sami.ra...@sofrecom.com> wrote:
> Hello
> Thank you for these details Greg. By the way, I worked on a problem on one of
> my resolvers and there are no errors of type "SERVFAIL" currently for valid
> domain names, but I receive SERVFAIL for this domain name "antlauncher.com";
> that's why I wanted to change the return code for this domain name to
> "NXDOMAIN" so as not to distort the monitoring result.
> Regards
>
> From: Greg Choules <gregchoules+bindus...@googlemail.com>
> Sent: Monday 19 June 2023 10:03
> To: RAHAL Sami SOFRECOM <sami.ra...@sofrecom.com>
> Cc: bind-users@lists.isc.org
> Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>
> Hi Sami.
> Firstly, a couple of definitions:
> NXDOMAIN is a response from an authoritative server (or a resolver because
> it cached it). It is a positive confirmation that "this name does not
> exist". It means that the QNAME in the query cannot be found, for any record
> type.
> SERVFAIL is a response from a recursive server meaning "I tried my best to
> get a response to your query but I just failed".
>
> So if your monitoring tool, whatever it is, is receiving SERVFAIL responses
> from your DNS server then you need to fix whatever is causing those in the
> server.
> Causes of SERVFAIL could be that your server cannot contact the
> authoritative server(s) that should know the answer. Or it might be because
> your server is trying to do DNSSEC validation and that is failing.
> The best way to know *why* you are getting SERVFAIL would be to take a
> packet capture that includes the client queries to the server and any
> queries the server makes to try and get answers, plus all the responses.
> Please do that and share the results, using real domains, not examples.
>
> Hope that helps, Greg
>
> On Mon, 19 Jun 2023 at 09:39, <sami.ra...@sofrecom.com> wrote:
> Hello
> Thank you for your feedback, yes it works like that! But that does not work
> for a domain name that already has the return code "SERVFAIL" and we want to
> change this code to "NXDOMAIN", like this domain name "antlauncher.com".
> regards Rahal
>
> -----Original Message-----
> From: bind-users <bind-users-boun...@lists.isc.org> On behalf of bind-users-requ...@lists.isc.org
> Sent: Saturday 17 June 2023 06:23
> To: bind-users@lists.isc.org
> Subject: bind-users Digest, Vol 4262, Issue 1
>
> Today's Topics:
>
>    1. replace "SERVFAIL" to "NXDOMAIN" with rpz (sami.ra...@sofrecom.com)
>    2. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Crist Clark)
>    3. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Fred Morris)
>    4. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Ondřej Surý)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 16 Jun 2023 20:39:43 +0000
> From: sami.ra...@sofrecom.com
> To: bind-users@lists.isc.org
> Subject: replace "SERVFAIL" to "NXDOMAIN" with rpz
> Message-ID: <9c4465dc103645149093f4d3f60cf...@sofrecom.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello
> For monitoring reasons I try to change the return code of a domain name from
> "SERVFAIL" to "NXDOMAIN" with the rpz classic configuration of BIND9.16.42
> as follows:
>
>     example.com IN CNAME .
>     *.example.com IN CNAME .
>
> But it still doesn't work, I still have the message "SERVFAIL". Is it
> feasible or not please?
> Kind regards
>
> ------------------------------
>
> Message: 2
> Date: Fri, 16 Jun 2023 20:29:16 -0700
> From: Crist Clark <cjc+bind-us...@pumpky.net>
> To: sami.ra...@sofrecom.com
> Cc: bind-users@lists.isc.org
> Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
> Message-ID: <CAAcrURK2=+uqQ+_AvVbiAV2jpagOhd=ozrfq_scazbn-ruz...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> That should return a NXDOMAIN. Returning SERVFAIL is never a normal RPZ
> action. Something is wrong with your configuration.
>
> On Fri, Jun 16, 2023 at 1:39 PM <sami.ra...@sofrecom.com> wrote:
>>
>> Hello
>>
>> For monitoring reasons I try to change the return code of a domain
>> name from "SERVFAIL" to "NXDOMAIN" with the rpz classic configuration
>> of BIND9.16.42 as follows:
>>
>>     example.com IN CNAME .
>>     *.example.com IN CNAME .
>>
>> But it still doesn't work, I still have the message "SERVFAIL". Is
>> it feasible or not please?
>>
>> Kind regards
>>
>> --
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>> from this list
>>
>> ISC funds the development of this software with paid support
>> subscriptions. Contact us at https://www.isc.org/contact/ for more
>> information.
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
> ------------------------------
>
> Message: 3
> Date: Fri, 16 Jun 2023 21:40:11 -0700 (PDT)
> From: Fred Morris <m3...@m3047.net>
> To: bind-users@lists.isc.org
> Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
> Message-ID: <alpine.LSU.2.21.2306162134190.27806@flame.m3047>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> Admittedly, since I'm writing software to do "off label" stuff with DNS I
> make mistakes. But I have seen things along this line (interactions between
> RPZ and regular resolution in the context of "broken" domains): in some
> cases it has seemed impossible to ameliorate / mitigate SERVFAIL utilizing
> RPZ.
>
> I'll try to pay more attention and see if I can isolate a test case if the
> problem recurs. (I was kind of hoping someone would have a solution!)
>
> --
> Fred Morris
>
> On Fri, 16 Jun 2023, Crist Clark wrote:
>>
>> That should return a NXDOMAIN. Returning SERVFAIL is never a normal
>> RPZ action. Something is wrong with your configuration.
>>
>> On Fri, Jun 16, 2023 at 1:39 PM <sami.ra...@sofrecom.com> wrote:
>>>
>>> For monitoring reasons I try to change the return code of a domain
>>> name from "SERVFAIL" to "NXDOMAIN" with the rpz classic configuration
>>> of BIND9.16.42 as follows:
>>>
>>>     example.com IN CNAME .
>>>     *.example.com IN CNAME .
>>>
>>> But it still doesn't work, I still have the message "SERVFAIL". Is
>>> it feasible or not please?
>
> ------------------------------
>
> Message: 4
> Date: Sat, 17 Jun 2023 07:22:50 +0200
> From: Ondřej Surý <ond...@isc.org>
> To: Fred Morris <m3...@m3047.net>
> Cc: bind-users@lists.isc.org
> Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
> Message-ID: <f1db32b3-cd74-44f3-8589-ed3386cbc...@isc.org>
> Content-Type: text/plain; charset="us-ascii"
>
> An HTML attachment was scrubbed...
> URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230617/a5b1eca8/attachment.htm>
>
> ------------------------------
>
> End of bind-users Digest, Vol 4262, Issue 1
> *******************************************
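Greg's point that NXDOMAIN and SERVFAIL mean different things, and his advice to look at the packets rather than at dig's summary, can be turned into a small check for the monitoring side that Sami is worried about. The script below is an added example and is not code from this thread, from ISC or from BIND: it builds a plain UDP query, parses a DNS reply from the wire, and labels it so that a monitor can separate a real SERVFAIL (the resolver failed to get an answer, which Greg says should be investigated, not hidden) from an NXDOMAIN that the authoritative side returned and from an NXDOMAIN that RPZ synthesised. The tell for the last case is the one visible in Lee's second dig output: the RPZ zone's own SOA (owner "siteblockeddb." there) travels in the reply. The two sample replies are constructed to mirror Lee's two dig outputs and are not real captures; the RPZ zone name is passed in as a parameter because it is whatever the resolver operator configured.

```python
"""Tell SERVFAIL from NXDOMAIN on the wire, and spot RPZ-synthesised NXDOMAIN.

Added example; not code from the bind-users thread, from ISC or from BIND.
It assumes the monitoring side knows the RPZ zone name the resolver uses
(e.g. "siteblockeddb." as seen in Lee's dig output).
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_SOA = 6


def _name(n: str) -> bytes:
    """Wire-encode a domain name without compression ("." encodes as one zero byte)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in n.rstrip(".").split(".") if l) + b"\x00"


def build_query(qname: str, qid: int = 0x1234) -> bytes:
    """Minimal A query, RD set, no EDNS (so DO=0 and RPZ applies even without break-dnssec)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + _name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it in the record)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where the record resumes
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Extract id, rcode, answer count and every SOA (owner, MNAME) found in any section."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    soa = []
    for _ in range(an + ns + ar):  # the OPT pseudo-RR has the same fixed layout, so it parses too
        owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SOA:
            mname, _ = read_name(msg, off)
            soa.append((owner, mname))
        off += rdlen
    return {"id": qid, "rcode": RCODES.get(flags & 0x0F, str(flags & 0x0F)),
            "answers": an, "soa": soa}


def classify(resp: dict, rpz_zone: str) -> str:
    """Label a reply for a monitor: an RPZ rewrite carries the RPZ zone's SOA in the reply."""
    if resp["rcode"] == "NXDOMAIN":
        if any(owner.lower() == rpz_zone.lower() for owner, _ in resp["soa"]):
            return "NXDOMAIN-RPZ"   # synthesised by the resolver's policy zone
        return "NXDOMAIN-AUTH"      # denial from authoritative data (or the resolver's cache of it)
    return resp["rcode"]            # SERVFAIL etc.: the resolver failed; capture its upstream traffic


def query(server: str, qname: str, timeout: float = 3.0) -> dict:
    """Send one UDP query to a resolver and parse the reply (network use; not exercised by the test)."""
    msg = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg, (server, 53))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != 0x1234:
        raise ValueError("response id does not match the query")
    return resp


def sample_responses():
    """Constructed replies mirroring the two dig outputs in the thread (not real captures)."""
    servfail = (struct.pack("!HHHHHH", 54704, 0x8182, 1, 0, 0, 0)   # flags qr rd ra, rcode 2
                + _name("foo.antlauncher.com") + struct.pack("!HH", 1, 1))
    soa_rdata = (_name("LOCALHOST") + _name("need.to.know.only")
                 + struct.pack("!IIIII", 2016011100, 43200, 900, 1814400, 7200))
    soa_rr = _name("siteblockeddb") + struct.pack("!HHIH", TYPE_SOA, 1, 1, len(soa_rdata)) + soa_rdata
    nxdomain = (struct.pack("!HHHHHH", 9852, 0x8183, 1, 0, 0, 1)    # flags qr rd ra, rcode 3
                + _name("example.com") + struct.pack("!HH", 1, 1) + soa_rr)
    return servfail, nxdomain


if __name__ == "__main__":
    for raw in sample_responses():
        print(classify(parse_response(raw), "siteblockeddb."))
```

Run against a live resolver, `query("127.0.0.1", "foo.antlauncher.com")` returns the parsed reply and `classify` labels it; a monitor that counts "NXDOMAIN-RPZ" separately from "NXDOMAIN-AUTH" and "SERVFAIL" keeps the three conditions apart instead of hiding a resolution failure behind a policy rewrite, which is the distinction Greg asks for. The SOA check is a heuristic that relies on the RPZ zone name being known; a packet capture of the resolver's upstream queries, as Greg suggests, remains the way to learn why a SERVFAIL happened.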