Re: rpz_rewrite(): failure

2023-05-15 Thread Wilfred Sarmiento via bind-users
Hi Darren,

Sorry for the late response; see the scrubbed config below.

We updated BIND to 9.18.14 but still experience the same issue.


controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1/32; } keys { "rndc-key"; };
};

logging {
    channel "default_syslog" {
        file "/var/local/syslog" versions unlimited size 2147483648;
        // Query log lines are emitted at info, so at severity warning the
        // "queries" category below writes nothing to this channel.
        severity warning;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category "resolver" { "default_syslog"; };
    category "queries" { "default_syslog"; };
    category "lame-servers" { "null"; };
};

options {
    directory "/var/local/bind";
    // Maximum number of simultaneous recursive lookups (default 1000).
    recursive-clients 1;
    statistics-file "/var/local/bind/etc/named.stats";
    version "Query Not Allowed.";
    // acl "globeIP" is not part of the scrubbed output shown here.
    allow-recursion { "globeIP"; };
    response-policy { zone "rpzblacklisted"; };
    synth-from-dnssec no;
    allow-query { "globeIP"; };
    zone-statistics yes;
};

key "rndc-key" {
    // hmac-md5 still works for rndc but is the weakest choice;
    // rndc-confgen generates hmac-sha256 keys by default.
    algorithm "hmac-md5";
    secret "";
};

// Never send queries to link-local addresses.
server fe80::/10 {
    bogus yes;
};

zone "." in {
    type hint;
    file "namedb/db.cache";
};

zone "localhost" IN {
    type master;
    file "namedb/db.localhost";
};

zone "0.0.127.in-addr.arpa" in {
    type master;
    file "namedb/db.127.0.0";
    notify no;
};

// "slave" and "masters" remain accepted spellings of secondary/primaries in 9.18.
zone "rpzblacklisted" {
    type slave;
    file "/var/local/bind/db.rpzblacklisted";
    masters { x.x.x.x; };
};

Thank you,
Wil

On Wed, May 10, 2023 at 6:31 PM Darren Ankney 
wrote:

> Hi Wilfred,
>
> You might want to consider updating your BIND server.  The latest
> 9.18.x is 9.18.14.  There have been many fixes between 9.18.2 and
> 9.18.14 as can be seen here:
> https://bind9.readthedocs.io/en/v9.18.14/notes.html  Also, when
> testing, you may want to consider using dig as it provides far more
> detail.  nslookup usage is no longer recommended as it has been
> deprecated.
>
> As to this specific issue, I'm not sure.  You might get more help from
> others, however, if you share your configuration.  You can get a
> configuration scrubbed of keys using `named-checkconf -px`
>
> Thank you,
>
> Darren Ankney
>
> On Tue, May 9, 2023 at 9:39 AM Wilfred Sarmiento via bind-users
>  wrote:
> >
> > Hi Bind Users,
> >
> > Is anyone familiar with the error below, which we encountered on BIND 9.18.2
> > on Ubuntu used for DNS caching?
> >
> > We are using RPZ for redirecting domains (porn sites), where we already
> > have 20k+ entries.
> > The domain (globem2m.com.ph) in the logs below is not in the RPZ list, but
> > based on the logs it was processed for an RPZ QNAME rewrite, and the query
> > for that domain results in SERVFAIL.
> > The issue is isolated to only several domains, including globem2m.com.ph;
> > all other queries for other domains succeed.
> >
> > To resolve this issue, we have to flush the cache or restart the BIND
> > service.
> >
> > root@bind# nslookup globem2m.com.ph
> >
> > ** server can't find globem2m.com.ph: SERVFAIL
> >
> > Trace logs:
> >
> > : query (cache) 'globem2m.com.ph/A/IN' approved
> > : rpz QNAME rewrite globem2m.com.ph stop on qresult in rpz_rewrite(): failure
> > : query failed (failure) for globem2m.com.ph/IN/A at query.c:7657
> > fetch completed at resolver.c:4053 for globem2m.com.ph/A in 0.00: failure/success [domain:com.ph,referral:0,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]
> > : reset client
> > : servfail cache hit globem2m.com.ph/A (CD=0)
> > : query failed (SERVFAIL) for globem2m.com.ph/IN/A at query.c:6949
> > : reset client
> >
> >
> > Thank you,
> > Wil
> >
> >
> >
> >
> > This e-mail message (including attachments, if any) is intended for the
> use of the individual or the entity to whom it is addressed and may contain
> information that is privileged, proprietary, confidential and exempt from
> disclosure. If you are not the intended recipient, you are notified that
> any dissemination, distribution or copying of this communication is
> strictly prohibited. If you have received this communication in error,
> please notify the sender and delete this E-mail message immediately.
> >
> > --
> > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
> >
> > ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
> >
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>

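An added example, not part of Wilfred's config or of anything ISC posted in this thread, showing the logging and cache settings that make an rpz_rewrite() failure easier to attribute to its underlying fetch. It keeps the zone name rpzblacklisted from the config above; the log path /var/local/bind/rpz.log is an assumption. Nothing here is offered as the cause of the SERVFAIL, only as the instrumentation a practitioner would want before chasing it.

```conf
// Added example; merge into the existing logging and options blocks.
// The path /var/local/bind/rpz.log is an assumption.
logging {
    channel "rpz_log" {
        file "/var/local/bind/rpz.log" versions 5 size 50m;
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    // rpz: each rewrite, plus load problems with the policy zone.
    // query-errors: why a query ended in SERVFAIL, including the
    //   "fetch completed ... [domain:...,qrysent:...,adberr:...]" counters
    //   that show whether any query was ever sent upstream.
    category "rpz" { "rpz_log"; };
    category "query-errors" { "rpz_log"; };
};

options {
    // A failed fetch is cached as SERVFAIL for this many seconds (default 1,
    // maximum 30); "servfail cache hit" in the trace is this cache answering.
    // Keep it at the minimum while debugging so a retry is not masked;
    // "rndc flushname <name>" clears the entry for one name immediately.
    servfail-ttl 1;

    response-policy {
        // log yes is the default: rewrites for this zone go to category rpz.
        zone "rpzblacklisted" log yes;
    }
    // yes (the default): named recurses first and applies QNAME rules to the
    // recursion result, which is the "stop on qresult" path when that
    // recursion itself fails.  no: a QNAME hit is answered before recursion,
    // but a name that is not listed must still resolve, so this changes
    // ordering only, not whether a failing fetch fails.
    qname-wait-recurse yes;
};
```

With this in place a repeat of the failure produces one rpz line and one query-errors line per attempt in rpz.log, so the counters (qrysent, adberr, and so on) can be compared across the affected names without raising the resolver category to debug levels on the main channel. Validate the merged file with named-checkconf before reloading.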
RE: host restriction

2023-05-15 Thread John W. Blue via bind-users
Zoltan,

There may be another way to make this work, but this is what comes to my mind:
ACLs in a view.

https://kb.isc.org/docs/aa-00851

# named.conf
acl google-is-good { 192.168.7.0/24; localhost; };
acl google-is-evil { 192.168.8.0/24; };

# A client is matched against views in order; the first view whose
# match-clients it satisfies answers it, and a client matching no view is
# refused.  Once any view exists, every zone (the local domain included)
# must be declared inside a view, so the local zone goes into both.
view google-good {
    match-clients { google-is-good; };
    allow-recursion { any; };
    forwarders {
        8.8.8.8;
    };
};

# No forwarders here: with recursion allowed, this view resolves
# iteratively on its own rather than via 8.8.8.8.
view google-evil {
    match-clients { google-is-evil; };
    allow-recursion { any; };
};

You *might* be able to whack the acl down to like a /28 or a /29 while keeping 
your DHCP scope at a /24.  This will allow you to perform view testing without 
needing to rip n replace DHCP configs.

John

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Kereszt 
Vezeték
Sent: Monday, May 15, 2023 1:58 PM
To: bind-users@lists.isc.org
Subject: host restriction

Hi Everybody

Can someone help me with the following problem?
I have a DNS server in my private network with a local domain. The DNS server
forwards public requests to the Google DNS server. I would like to separate
hosts in the inside network.
One group should be allowed to resolve only the local hosts, not be forwarded to
8.8.8.8. The other group should be allowed to resolve the local hosts and also
be forwarded to the Google DNS server.
Is there any way to solve this problem with bind9?
Local subnet 192.168.1.0/24
192.168.1.10 allow forward to 8.8.8.8
192.168.1.11 allow forward to 8.8.8.8

192.168.1.20 disable forward 8.8.8.8
192.168.1.21 disable forward 8.8.8.8

Thank you
regards
Zoltan
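An added example, not John's snippet or anything from ISC's documentation, that maps the four hosts in Zoltan's question onto two views. The local zone name "home.lan" and its file "db.home.lan" are placeholders; the addresses are the ones from the question.

```conf
# Added example.  "home.lan" / "db.home.lan" are assumed names for the
# local zone; the host addresses are the ones from Zoltan's question.
acl "may-forward" { 192.168.1.10; 192.168.1.11; };
acl "no-forward"  { 192.168.1.20; 192.168.1.21; };

# Hosts that may use Google: local names come from the zone, everything
# else is sent to 8.8.8.8.  "forward only" stops named from falling back
# to its own iterative resolution when the forwarder does not answer.
view "forwarding" {
    match-clients { may-forward; localhost; };
    recursion yes;
    forwarders { 8.8.8.8; };
    forward only;
    zone "home.lan" { type primary; file "db.home.lan"; };
};

# Hosts that must stay inside: the same zone, but recursion is switched
# off altogether, so a query for a name outside home.lan is refused
# rather than resolved anywhere (forwarder or root).
view "local-only" {
    match-clients { no-forward; };
    recursion no;
    zone "home.lan" { type primary; file "db.home.lan"; };
};

# Any other 192.168.1.0/24 host matches neither ACL, so it matches no view
# and is refused outright.  If the rest of the subnet should keep working,
# add a third view last with "match-clients { any; };" and whichever
# policy it should get.
```

Check it with `named-checkconf -z` before reloading, then verify from one host in each group: `dig @<server> www.google.com` should return an answer from 192.168.1.10 and status REFUSED from 192.168.1.20, while `dig @<server> somehost.home.lan` works from both. Each view carries its own copy of the zone and its own cache, so the zone file must be listed in both. The split is a policy control keyed on source address, not authentication: a host that can take another host's address on the LAN lands in the other view.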


host restriction

2023-05-15 Thread Kereszt Vezeték
Hi Everybody

Can someone help me with the following problem?
I have a DNS server in my private network with a local domain. The DNS
server forwards public requests to the Google DNS server. I would like to
separate hosts in the inside network.
One group should be allowed to resolve only the local hosts, not be forwarded
to 8.8.8.8. The other group should be allowed to resolve the local hosts and
also be forwarded to the Google DNS server.
Is there any way to solve this problem with bind9?
Local subnet 192.168.1.0/24
192.168.1.10 allow forward to 8.8.8.8
192.168.1.11 allow forward to 8.8.8.8

192.168.1.20 disable forward 8.8.8.8
192.168.1.21 disable forward 8.8.8.8

Thank you
regards
Zoltan