Re: Need help on RPZ sever, bit urgent

2018-08-10 Thread Blason R 
Infact what I observed that the intermediate DNS servers are not forwarding
he queries for .com and .net servers to my RPZ servers and it tries
resolves directly on his own from TLD servers

192.168.3.72 End User
192.168.3.15 [AUTH Server for test.com] and has forwarder to
192.168.3.44 [RPZ]

So, 3.15 should only resolve for test.com else all queries should be
forwarded to 192.168.3.44

*Which is not happening.*

dig 003bbhq9.com

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> 003bbhq9.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6844
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;003bbhq9.com.  IN  A

*;; AUTHORITY SECTION:*
*com.530 IN  SOA a.gtld-servers.net
. nstld.verisign-grs.com
. 1533954938 1800 900 604800 86400*

;; Query time: 0 msec
;; SERVER: 192.168.3.15#53(192.168.3.15)
;; WHEN: Sat Aug 11 08:12:17 IST 2018
;; MSG SIZE  rcvd: 114


On Sat, Aug 11, 2018 at 7:57 AM Blason R  wrote:

> Ok - Now I added like this and it disappeared.
>
> response-policy { zone "whitelist.allow" policy passthru;
> zone "malware.trap";
> zone "ransomwareips.block"; } qname-wait-recurse
> no break-dnssec no;
>
>
> On Sat, Aug 11, 2018 at 7:51 AM Blason R  wrote:
>
>> This is not accepting and giving my syntax error.
>>
>> named-checkconf /etc/bind/named.conf
>> /etc/bind/named.conf.options:29: syntax error near '}'
>>
>>
>> And here is I added
>>
>> response-policy { zone "whitelist.allow" policy passthru;
>> zone "malware.trap";
>> zone "ransomwareips.block"; } qname-wait-recurse
>> no break-dnssec no; };
>>
>>
>>
>> On Sat, Aug 11, 2018 at 1:17 AM Carl Byington  wrote:
>>
>>> -BEGIN PGP SIGNED MESSAGE-
>>> Hash: SHA512
>>>
>>> On Fri, 2018-08-10 at 13:17 +0530, Blason R wrote:
>>> > Nah I dont think that is the answer since you need a termination after
>>> > clause.
>>>
>>> Did you actually try the answer below?
>>>
>>>
>>> > On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov  wrote:
>>>
>>> > Should be:
>>>
>>>
>>> > response-policy {zone "whitelist.allow" policy passthru;
>>> > zone "malware.trap";
>>> > zone "ransomwareips.block";
>>> > } qname-wait-recurse no break-dnssec no;
>>>
>>>
>>>
>>> -BEGIN PGP SIGNATURE-
>>> Version: GnuPG v2.0.14 (GNU/Linux)
>>>
>>> iEYEAREKAAYFAltt65oACgkQL6j7milTFsF1fgCfYX/B4MaSrPqmoskfYvFAUQVV
>>> YfcAn2NO474pn6agGUmjjR49eq4+sw4Y
>>> =VwoG
>>> -END PGP SIGNATURE-
>>>
>>>
>>> ___
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>> unsubscribe from this list
>>>
>>> bind-users mailing list
>>> bind-users@lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>
>>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Need help on RPZ sever, bit urgent

2018-08-10 Thread Blason R 
Ok - Now I added like this and it disappeared.

response-policy { zone "whitelist.allow" policy passthru;
zone "malware.trap";
zone "ransomwareips.block"; } qname-wait-recurse no
break-dnssec no;


On Sat, Aug 11, 2018 at 7:51 AM Blason R  wrote:

> This is not accepting and giving my syntax error.
>
> named-checkconf /etc/bind/named.conf
> /etc/bind/named.conf.options:29: syntax error near '}'
>
>
> And here is I added
>
> response-policy { zone "whitelist.allow" policy passthru;
> zone "malware.trap";
> zone "ransomwareips.block"; } qname-wait-recurse
> no break-dnssec no; };
>
>
>
> On Sat, Aug 11, 2018 at 1:17 AM Carl Byington  wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA512
>>
>> On Fri, 2018-08-10 at 13:17 +0530, Blason R wrote:
>> > Nah I dont think that is the answer since you need a termination after
>> > clause.
>>
>> Did you actually try the answer below?
>>
>>
>> > On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov  wrote:
>>
>> > Should be:
>>
>>
>> > response-policy {zone "whitelist.allow" policy passthru;
>> > zone "malware.trap";
>> > zone "ransomwareips.block";
>> > } qname-wait-recurse no break-dnssec no;
>>
>>
>>
>> -BEGIN PGP SIGNATURE-
>> Version: GnuPG v2.0.14 (GNU/Linux)
>>
>> iEYEAREKAAYFAltt65oACgkQL6j7milTFsF1fgCfYX/B4MaSrPqmoskfYvFAUQVV
>> YfcAn2NO474pn6agGUmjjR49eq4+sw4Y
>> =VwoG
>> -END PGP SIGNATURE-
>>
>>
>> ___
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Need help on RPZ sever, bit urgent

2018-08-10 Thread Blason R 
This is not accepting and giving my syntax error.

named-checkconf /etc/bind/named.conf
/etc/bind/named.conf.options:29: syntax error near '}'


And here is I added

response-policy { zone "whitelist.allow" policy passthru;
zone "malware.trap";
zone "ransomwareips.block"; } qname-wait-recurse no
break-dnssec no; };



On Sat, Aug 11, 2018 at 1:17 AM Carl Byington  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On Fri, 2018-08-10 at 13:17 +0530, Blason R wrote:
> > Nah I dont think that is the answer since you need a termination after
> > clause.
>
> Did you actually try the answer below?
>
>
> > On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov  wrote:
>
> > Should be:
>
>
> > response-policy {zone "whitelist.allow" policy passthru;
> > zone "malware.trap";
> > zone "ransomwareips.block";
> > } qname-wait-recurse no break-dnssec no;
>
>
>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2.0.14 (GNU/Linux)
>
> iEYEAREKAAYFAltt65oACgkQL6j7milTFsF1fgCfYX/B4MaSrPqmoskfYvFAUQVV
> YfcAn2NO474pn6agGUmjjR49eq4+sw4Y
> =VwoG
> -END PGP SIGNATURE-
>
>
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Need help on RPZ sever, bit urgent

2018-08-10 Thread Carl Byington 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Fri, 2018-08-10 at 13:17 +0530, Blason R wrote:
> Nah I dont think that is the answer since you need a termination after
> clause.

Did you actually try the answer below?


> On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov  wrote:

> Should be:


> response-policy {zone "whitelist.allow" policy passthru;
> zone "malware.trap";
> zone "ransomwareips.block";
> } qname-wait-recurse no break-dnssec no;



-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEAREKAAYFAltt65oACgkQL6j7milTFsF1fgCfYX/B4MaSrPqmoskfYvFAUQVV
YfcAn2NO474pn6agGUmjjR49eq4+sw4Y
=VwoG
-END PGP SIGNATURE-


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Need help on RPZ sever, bit urgent

2018-08-10 Thread Blason R 
Hello,

Well even though the entry is there in RPZ zone it is still being returned
as nxdomain.

On Fri, Aug 10, 2018, 3:01 PM WILSON Sam  wrote:

> I'm sorry, I don't understand the question.  Your message shows a query
> and an NXDOMAIN response.  That seems to be correct.  I don't know whether
> your RPZ configuration is supposed to change that.
>
> Sam
>
>
> > On 9 Aug 2018, at 18:25, Blason R  wrote:
> >
> > Is it a big?? I mean certain domains from my rpz feeds are properly
> getting resolved while few are giving nxdomain though they appear in zone.
> >
> > On Thu, Aug 9, 2018, 8:57 PM Sam Wilson  wrote:
> > On 2018-08-09 14:00:55 +, Blason R said:
> >
> > > For example this one.
> > >
> > > 18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A?
> > > 0351dag.com. (29)
> > > 18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074
> > > NXDomain 0/1/0 (102)
> >
> > $ dig 0351dag.com
> >
> > ; <<>> DiG 9.8.3-P1 <<>> 0351dag.com
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44466
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;0351dag.com.   IN  A
> >
> > ;; AUTHORITY SECTION:
> > com.900 IN  SOA a.gtld-servers.net.
> nstld.verisign-grs.com.
> > 1533828275 1800 900 604800 86400
> >
> > Sam
> >
> > --
> > The University of Edinburgh is a charitable body, registered in
> > Scotland, with registration number SC005336.
> >
> > ___
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
> --
> Sam Wilson
> Communications Infrastructure Section, IT Infrastructure
> Information Services, The University of Edinburgh
> Edinburgh, Scotland, UK
>
>
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
>
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Need help on RPZ sever, bit urgent

2018-08-10 Thread WILSON Sam 
I'm sorry, I don't understand the question.  Your message shows a query and an 
NXDOMAIN response.  That seems to be correct.  I don't know whether your RPZ 
configuration is supposed to change that.

Sam


> On 9 Aug 2018, at 18:25, Blason R  wrote:
> 
> Is it a big?? I mean certain domains from my rpz feeds are properly getting 
> resolved while few are giving nxdomain though they appear in zone.
> 
> On Thu, Aug 9, 2018, 8:57 PM Sam Wilson  wrote:
> On 2018-08-09 14:00:55 +, Blason R said:
> 
> > For example this one.
> > 
> > 18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A? 
> > 0351dag.com. (29)
> > 18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074 
> > NXDomain 0/1/0 (102)
> 
> $ dig 0351dag.com
> 
> ; <<>> DiG 9.8.3-P1 <<>> 0351dag.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44466
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;0351dag.com.   IN  A
> 
> ;; AUTHORITY SECTION:
> com.900 IN  SOA a.gtld-servers.net. 
> nstld.verisign-grs.com. 
> 1533828275 1800 900 604800 86400
> 
> Sam
> 
> -- 
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
> 
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Sam Wilson
Communications Infrastructure Section, IT Infrastructure
Information Services, The University of Edinburgh
Edinburgh, Scotland, UK


The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Need help on RPZ sever, bit urgent

2018-08-10 Thread Blason R 
Hello All,

I have been debugging my issue from last 30+ hrs without luck and dang its
something related to forwarding. Again here is my quick scenario

I have Windows DNS Server 192.168.1.42 Has Forwarder set to 192.168.1.179
[BIND/RPZ]

Now certain domains when queried from end user e.g 192.168.1.100 has DNS
set to  192.168.1.42 does not get resolved at all. While I troubleshooting
I observed that may be 192.168.1.42 has got root zone "." and is trying to
resolve locally instead of forwarding. I noticed this issue is happening
randomly with any domains but mostly it observed for .com and .net domain
entries.

Again I tried replacing 192.168.1.42 with Linux BIND server and its same
behavior so I don't think its related with Windows.

I want all other queries should strictly forward to my RPZ forwarding
server. How do I do that can someone help me in troubleshooting? I can
provide the logs and config.

Or if someone has a similar setup can try simulating at their end and
confirm, plz?



On Fri, Aug 10, 2018 at 1:17 PM Blason R  wrote:

> Nah I dont think that is the answer since you need a termination after
> clause.
>
>
> Thanks and Regards,
> Lionel F
>
> On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov  wrote:
>
>> Should be:
>>
>> response-policy {zone "whitelist.allow" policy passthru;
>> zone "malware.trap";
>> zone "ransomwareips.block";
>> } qname-wait-recurse no break-dnssec no;
>>
>> Vadim
>>
>> On 09 Aug 2018, at 20:50, Blason R  wrote:
>>
>> This is the error I am getting
>>
>> /etc/bind/named.conf.options:24: expected 'zone' near 'qname-wait-recurse'
>>
>> On Fri, Aug 10, 2018 at 9:10 AM Blason R  wrote:
>>
>>> Hi there,
>>>
>>> Where it should appear? ARM says it should appear inl Global-section of
>>> response-policy which I tried but getting error.
>>>
>>> response-policy {zone "whitelist.allow" policy passthru;
>>> zone "malware.trap";
>>> zone "ransomwareips.block";
>>> };
>>> qname-wait-recurse no;
>>> break-dnssec no;
>>>
>>>
>>> On Fri, Aug 10, 2018 at 8:09 AM Blason R  wrote:
>>>
 Well mine is bit different. I have RPZ and almost 40+ RPZ entries
 wall gardened. And in my scenario users are talking to windows based AD/DNS
 server and then that server has forwarder set to RPZ.


1. First issue; I observed certain entries from BIND/RPZ zone are
being resolved by windows server directly to their original IPs and not 
 the
wall-gardened IP. Where I believe once the forwarder is set all those
queries should have been routed to RPZ server? [If anyone here having
Windows DNS expertise, pls help]
2. And another, certain RPZ queries if queried through AD/DNS
server are not at all getting resolved. When I captured packets on 
 BIND/RPZ
server I see that those domains are getting NXdomain by RPZ and not sure
why.

 Thanks and Regards,
 Lionel F

 On Thu, Aug 9, 2018 at 11:08 PM Bob Harold  wrote:

>
> On Thu, Aug 9, 2018 at 9:31 AM Blason R  wrote:
>
>> For example this one.
>>
>> 18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A?
>> 0351dag.com. (29)
>> 18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074
>> NXDomain 0/1/0 (102)
>>
>
> With RPZ, the name is looked up normally first, and only if there is
> an answer, is RPZ invoked.  If it gets NXDOMAIN or some error, it returns
> that and does not use RPZ.
> If that is not what you want, then you probably want to set the option:
> qname-wait-recurse no;
>
> --
> Bob Harold
>
>
>
>
>>
>> On Thu, Aug 9, 2018 at 6:59 PM Blason R  wrote:
>>
>>> Hi Bind-Users,
>>>
>>> I would really appreciate if someone can help me understanding my
>>> issue with BIND RPZ server?
>>>
>>> I have one windows server say 192.168.1.42 and then RPZ server with
>>> 192.168.1.179. I noticed that there are certain domains which are not
>>> getting resolved from end users.
>>>
>>> Ideally since those end user has 192.168.1.42 DNS Server set and has
>>> forwarder set to 192.168.1.179 should forward all queries to 1.179, 
>>> right?
>>>
>>> But certain domains from my response-policy are even though
>>> wall-gardened those are being catered as NXdomain.
>>>
>>> Anything I am missing pertaining to RPZ?
>>>
>>> Or if I am querying all those domains directly to RPZ server then I
>>> am getting proper answer. This issue is noticed when I have forwarder
>>> server is between
>>>
>>> options {
>>> version "test";
>>> allow-query { localhost;subnets; };
>>> directory "/var/cache/bind";
>>> recursion yes;
>>> querylog yes;
>>>

Re: Need help on RPZ sever, bit urgent

2018-08-10 Thread Blason R 
Nah I dont think that is the answer since you need a termination after
clause.


Thanks and Regards,
Lionel F

On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov  wrote:

> Should be:
>
> response-policy {zone "whitelist.allow" policy passthru;
> zone "malware.trap";
> zone "ransomwareips.block";
> } qname-wait-recurse no break-dnssec no;
>
> Vadim
>
> On 09 Aug 2018, at 20:50, Blason R  wrote:
>
> This is the error I am getting
>
> /etc/bind/named.conf.options:24: expected 'zone' near 'qname-wait-recurse'
>
> On Fri, Aug 10, 2018 at 9:10 AM Blason R  wrote:
>
>> Hi there,
>>
>> Where it should appear? ARM says it should appear inl Global-section of
>> response-policy which I tried but getting error.
>>
>> response-policy {zone "whitelist.allow" policy passthru;
>> zone "malware.trap";
>> zone "ransomwareips.block";
>> };
>> qname-wait-recurse no;
>> break-dnssec no;
>>
>>
>> On Fri, Aug 10, 2018 at 8:09 AM Blason R  wrote:
>>
>>> Well mine is bit different. I have RPZ and almost 40+ RPZ entries
>>> wall gardened. And in my scenario users are talking to windows based AD/DNS
>>> server and then that server has forwarder set to RPZ.
>>>
>>>
>>>1. First issue; I observed certain entries from BIND/RPZ zone are
>>>being resolved by windows server directly to their original IPs and not 
>>> the
>>>wall-gardened IP. Where I believe once the forwarder is set all those
>>>queries should have been routed to RPZ server? [If anyone here having
>>>Windows DNS expertise, pls help]
>>>2. And another, certain RPZ queries if queried through AD/DNS server
>>>are not at all getting resolved. When I captured packets on BIND/RPZ 
>>> server
>>>I see that those domains are getting NXdomain by RPZ and not sure why.
>>>
>>> Thanks and Regards,
>>> Lionel F
>>>
>>> On Thu, Aug 9, 2018 at 11:08 PM Bob Harold  wrote:
>>>

 On Thu, Aug 9, 2018 at 9:31 AM Blason R  wrote:

> For example this one.
>
> 18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A?
> 0351dag.com. (29)
> 18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074
> NXDomain 0/1/0 (102)
>

 With RPZ, the name is looked up normally first, and only if there is an
 answer, is RPZ invoked.  If it gets NXDOMAIN or some error, it returns that
 and does not use RPZ.
 If that is not what you want, then you probably want to set the option:
 qname-wait-recurse no;

 --
 Bob Harold




>
> On Thu, Aug 9, 2018 at 6:59 PM Blason R  wrote:
>
>> Hi Bind-Users,
>>
>> I would really appreciate if someone can help me understanding my
>> issue with BIND RPZ server?
>>
>> I have one windows server say 192.168.1.42 and then RPZ server with
>> 192.168.1.179. I noticed that there are certain domains which are not
>> getting resolved from end users.
>>
>> Ideally since those end user has 192.168.1.42 DNS Server set and has
>> forwarder set to 192.168.1.179 should forward all queries to 1.179, 
>> right?
>>
>> But certain domains from my response-policy are even though
>> wall-gardened those are being catered as NXdomain.
>>
>> Anything I am missing pertaining to RPZ?
>>
>> Or if I am querying all those domains directly to RPZ server then I
>> am getting proper answer. This issue is noticed when I have forwarder
>> server is between
>>
>> options {
>> version "test";
>> allow-query { localhost;subnets; };
>> directory "/var/cache/bind";
>> recursion yes;
>> querylog yes;
>> forwarders {
>> 1.1.1.1;9.9.9.9;208.67.222.222;8.8.8.8;
>>  };
>> //  dnssec-validation auto;
>> request-ixfr yes;
>> auth-nxdomain no;# conform to RFC1035
>> //  listen-on-v6 { any; };
>> listen-on port 53 { any; };
>> listen-on port 15455 {any;};
>> response-policy { zone "whitelist.allow" policy passthru;
>> zone "wg.block";
>> zone "bad.trap";
>> zone "block.tld";
>> zone "ransomwareips.block";  };
>> };
>>
>> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
>
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Need help on RPZ sever, bit urgent

2018-08-10 Thread Vadim Pavlov via bind-users 
Should be:

response-policy {zone "whitelist.allow" policy passthru;
zone "malware.trap";
zone "ransomwareips.block";
} qname-wait-recurse no break-dnssec no;

Vadim
> On 09 Aug 2018, at 20:50, Blason R  wrote:
> 
> This is the error I am getting
> 
> /etc/bind/named.conf.options:24: expected 'zone' near 'qname-wait-recurse'
> 
> On Fri, Aug 10, 2018 at 9:10 AM Blason R  > wrote:
> Hi there,
> 
> Where it should appear? ARM says it should appear inl Global-section of 
> response-policy which I tried but getting error.
> 
> response-policy {zone "whitelist.allow" policy passthru;
> zone "malware.trap";
> zone "ransomwareips.block";
> };
> qname-wait-recurse no;
> break-dnssec no;
> 
> 
> On Fri, Aug 10, 2018 at 8:09 AM Blason R  > wrote:
> Well mine is bit different. I have RPZ and almost 40+ RPZ entries wall 
> gardened. And in my scenario users are talking to windows based AD/DNS server 
> and then that server has forwarder set to RPZ.
> 
> First issue; I observed certain entries from BIND/RPZ zone are being resolved 
> by windows server directly to their original IPs and not the wall-gardened 
> IP. Where I believe once the forwarder is set all those queries should have 
> been routed to RPZ server? [If anyone here having Windows DNS expertise, pls 
> help]
> And another, certain RPZ queries if queried through AD/DNS server are not at 
> all getting resolved. When I captured packets on BIND/RPZ server I see that 
> those domains are getting NXdomain by RPZ and not sure why.
> Thanks and Regards,
> Lionel F
> 
> On Thu, Aug 9, 2018 at 11:08 PM Bob Harold  > wrote:
> 
> On Thu, Aug 9, 2018 at 9:31 AM Blason R  > wrote:
> For example this one.
> 
> 18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A? 
> 0351dag.com . (29)
> 18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074 NXDomain 
> 0/1/0 (102)
> 
> With RPZ, the name is looked up normally first, and only if there is an 
> answer, is RPZ invoked.  If it gets NXDOMAIN or some error, it returns that 
> and does not use RPZ.
> If that is not what you want, then you probably want to set the option:
> qname-wait-recurse no;
> 
> -- 
> Bob Harold
> 
> 
>  
> 
> On Thu, Aug 9, 2018 at 6:59 PM Blason R  > wrote:
> Hi Bind-Users,
> 
> I would really appreciate if someone can help me understanding my issue with 
> BIND RPZ server?
> 
> I have one windows server say 192.168.1.42 and then RPZ server with 
> 192.168.1.179. I noticed that there are certain domains which are not getting 
> resolved from end users. 
> 
> Ideally since those end user has 192.168.1.42 DNS Server set and has 
> forwarder set to 192.168.1.179 should forward all queries to 1.179, right?
> 
> But certain domains from my response-policy are even though wall-gardened 
> those are being catered as NXdomain.
> 
> Anything I am missing pertaining to RPZ?
> 
> Or if I am querying all those domains directly to RPZ server then I am 
> getting proper answer. This issue is noticed when I have forwarder server is 
> between
> 
> options {
> version "test";
> allow-query { localhost;subnets; };
> directory "/var/cache/bind";
> recursion yes;
> querylog yes;
> forwarders {
> 1.1.1.1;9.9.9.9;208.67.222.222;8.8.8.8;
>  };
> //  dnssec-validation auto;
> request-ixfr yes;
> auth-nxdomain no;# conform to RFC1035
> //  listen-on-v6 { any; };
> listen-on port 53 { any; };
> listen-on port 15455 {any;};
> response-policy { zone "whitelist.allow" policy passthru;
> zone "wg.block";
> zone "bad.trap";
> zone "block.tld";
> zone "ransomwareips.block";  };
> };
> 
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users