Re: CNAME as an alias to a TXT record

2019-11-04 Thread m3047

I would expect so.

HECATE:~ m3047$ dig points-to-m3047.net.m3047.

; <<>> DiG 9.8.3-P1 <<>> points-to-m3047.net.m3047.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50873
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;points-to-m3047.net.m3047. IN  A

;; ANSWER SECTION:
POINTS-TO-M3047.NET.m3047. 600  IN  CNAME   M3047.NET.
m3047.net.  7200    IN  A   209.221.140.128

;; AUTHORITY SECTION:
m3047.net.  6334    IN  NS  dns1.encirca.net.
m3047.net.  6334    IN  NS  dns2.encirca.net.

;; ADDITIONAL SECTION:
dns1.encirca.net.   157334  IN  A   108.166.170.106
dns2.encirca.net.   157334  IN  A   64.62.200.132

;; Query time: 69 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Mon Nov  4 12:40:17 2019
;; MSG SIZE  rcvd: 197

HECATE:~ m3047$ dig points-to-m3047.net.m3047. txt

; <<>> DiG 9.8.3-P1 <<>> points-to-m3047.net.m3047. txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46861
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;points-to-m3047.net.m3047. IN  TXT

;; ANSWER SECTION:
POINTS-TO-M3047.NET.m3047. 600  IN  CNAME   M3047.NET.
m3047.net.  7200    IN  TXT "v=spf1 ip4:209.221.140.128/31 +mx -all"


;; AUTHORITY SECTION:
m3047.net.  6329    IN  NS  dns1.encirca.net.
m3047.net.  6329    IN  NS  dns2.encirca.net.

;; ADDITIONAL SECTION:
dns1.encirca.net.   157329  IN  A   108.166.170.106
dns2.encirca.net.   157329  IN  A   64.62.200.132

;; Query time: 108 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Mon Nov  4 12:40:22 2019
;; MSG SIZE  rcvd: 232


On Mon, 4 Nov 2019, Computerisms Corporation wrote:

Hi,

I am wondering if it is possible to create a CNAME in one zone to resolve as 
a TXT record in another zone.  Can't find anything that says it will work, 
but can't find any thing that says it won't, either.


For example, I have added in the zone file for dom1:

_acme-challenge CNAME   _acme-challenge.dom2.com.

and then in zone file for dom2:

_acme-challenge TXT "thisismytextvalue"

Then, and more or less as expected, the following dig command fails to return 
a record.


dig -t TXT  _acme-challenge.dom1.com

Is there a way to get the dig command to return the TXT value for dom2? Or is 
that something that can pretty much only happen with A records?



--
Bob Miller
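The dig output above shows the point of the answer: a CNAME is followed whatever the query type, so a TXT query at the alias returns the target's TXT. The following is an added example, not code from the thread or from ISC; it models the two zones from the question as constructed in-memory data (dom1.com, dom2.com, the ns1/hostmaster names and the TXT value are illustrative) and walks the CNAME chain the way a resolver does. It also includes the check a practitioner wants when a delegated _acme-challenge stops working: a CNAME may not share its owner name with any other record.

```python
from typing import Dict, List, Optional, Tuple

RR = Tuple[str, str, str]  # (owner, type, rdata)

# Constructed zone data (not from the thread) mirroring the question: the ACME
# challenge label in dom1.com is a CNAME to the same label in dom2.com, which
# is where the TXT record actually lives.
ZONES: Dict[str, List[RR]] = {
    "dom1.com.": [
        ("dom1.com.", "SOA", "ns1.dom1.com. hostmaster.dom1.com. 1 7200 3600 1209600 3600"),
        ("_acme-challenge.dom1.com.", "CNAME", "_acme-challenge.dom2.com."),
    ],
    "dom2.com.": [
        ("dom2.com.", "SOA", "ns1.dom2.com. hostmaster.dom2.com. 1 7200 3600 1209600 3600"),
        ("_acme-challenge.dom2.com.", "TXT", '"thisismytextvalue"'),
    ],
}
MAX_CNAME_HOPS = 8   # loop guard; real resolvers cap the chain too


def _fqdn(name: str) -> str:
    return name.lower().rstrip(".") + "."


def _records(name: str, qtype: Optional[str] = None) -> List[RR]:
    """RRs at name (optionally of one type), searched across all zones."""
    return [rr for rrs in ZONES.values() for rr in rrs
            if _fqdn(rr[0]) == _fqdn(name) and (qtype is None or rr[1] == qtype)]


def resolve(qname: str, qtype: str) -> Tuple[str, List[RR]]:
    """Answer qname/qtype the way a resolver does.

    The CNAME is followed regardless of qtype, and the final rcode describes
    the target: NOERROR with an empty answer means the target exists but has
    no data of that type, NXDOMAIN means the target name does not exist.
    """
    answer: List[RR] = []
    name = _fqdn(qname)
    for _ in range(MAX_CNAME_HOPS):
        cnames = _records(name, "CNAME")
        if cnames and qtype != "CNAME":
            answer.extend(cnames)
            name = _fqdn(cnames[0][2])   # restart the query at the alias target
            continue
        answer.extend(_records(name, qtype))
        return ("NOERROR" if _records(name) else "NXDOMAIN"), answer
    raise RuntimeError("CNAME chain too long (loop?)")


def cname_conflicts() -> List[str]:
    """Owner names holding a CNAME next to other data, which RFC 1034 forbids
    and which is the usual reason a delegated _acme-challenge stops working."""
    types: Dict[str, set] = {}
    for rrs in ZONES.values():
        for owner, rtype, _ in rrs:
            types.setdefault(_fqdn(owner), set()).add(rtype)
    return sorted(o for o, t in types.items() if "CNAME" in t and len(t) > 1)


if __name__ == "__main__":
    print(resolve("_acme-challenge.dom1.com", "TXT"))
    print(cname_conflicts())
```

The A query in the same model returns only the CNAME with NOERROR, which is what the real resolver would do too: the alias exists, its target just has no A record.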

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Internal CNAME in RPZ

2019-10-23 Thread m3047

Hello...

On Wed, 23 Oct 2019, Andrey Geyn wrote:

[...]
I don't understand why your tests for "cname.example.com" and 
"cname.test.m3047.net" differ
(first one returns only 
CNAME.EXAMPLE.COM.	5	IN	CNAME	TEST.EXAMPLE.COM.


I didn't understand this as well. Is it something about caching perhaps? I 
thought perhaps example.com, being well-known, was somehow confounding the 
results.



second one returns two RRs:
CNAME.TEST.M3047.NET.   5   IN  CNAME   ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET.  7200    IN  A   209.221.140.128)


Notwithstanding that this is WRONG, because actual.test.m3047.net is in 
the RPZ, it did try to follow the CNAME chain it just failed to apply the 
policy to the A record. However querying the RPZ explicitly:


CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN CNAME ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET. 5 IN A 10.10.10.10

would /appear/ to be retrieving the result for the CNAME from the RPZ as a 
regular zone not a policy zone, as intended, but then subjects the A 
record to the RPZ policy!



23.10.2019, 21:49, "m3047" :

[...]
# dig cname.example.com

; <<>> DiG 9.8.3-P1 <<>> cname.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40161
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;cname.example.com. IN A

;; ANSWER SECTION:
CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM.

;; AUTHORITY SECTION:
EXAMPLE.COM. 3600 IN SOA ns.icann.org.
noc.dns.icann.org. 2019101506 7200 3600 1209600 3600

;; ADDITIONAL SECTION:
rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
260 600 60 86400 600

;; Query time: 1142 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:03:34 2019
;; MSG SIZE rcvd: 209

# dig test.example.com

; <<>> DiG 9.8.3-P1 <<>> test.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28409
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;test.example.com. IN A

;; ANSWER SECTION:
TEST.EXAMPLE.COM. 5 IN A 10.10.10.10

;; AUTHORITY SECTION:
rpz1.m3047.net. 900 IN NS LOCALHOST.

;; ADDITIONAL SECTION:
rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
260 600 60 86400 600

;; Query time: 10 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:04:38 2019
;; MSG SIZE rcvd: 162

# dig cname.example.com.rpz1.m3047.net

; <<>> DiG 9.8.3-P1 <<>> cname.example.com.rpz1.m3047.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54923
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;cname.example.com.rpz1.m3047.net. IN A

;; ANSWER SECTION:
CNAME.EXAMPLE.COM.rpz1.m3047.net. 600 IN CNAME TEST.EXAMPLE.COM.
TEST.EXAMPLE.COM. 5 IN A 10.10.10.10

;; AUTHORITY SECTION:
rpz1.m3047.net. 900 IN NS LOCALHOST.

;; ADDITIONAL SECTION:
rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
260 600 60 86400 600

;; Query time: 8 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:07:46 2019
;; MSG SIZE rcvd: 224

Python 3.7.4 (v3.7.4:e09359112e, Jul 8 2019, 14:54:52)
[Clang 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.

>>> from socket import getaddrinfo
>>> getaddrinfo('cname.example.com',80)
[(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
<SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]

# net-dns.pl add rpz cname.test.m3047.net CNAME actual.test.m3047.net.
# net-dns.pl add rpz actual.test.m3047.net A 10.10.10.10

Note that *.m3047.net is wildcarded.

# dig cname.test.m3047.net

; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23767
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;cname.test.m3047.net. IN A

;; ANSWER SECTION:
CNAME.TEST.M3047.NET. 5 IN CNAME ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET. 7200 IN A 209.221.140.128

;; AUTHORITY SECTION:
m3047.net. 7200 IN NS dns1.encirca.net.
m3047.net. 7200 IN NS dns2.encirca.net.

;; ADDITIONAL SECTION:
rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
262 600 60 86400 600
dns1.encirca.net. 97039 IN A 108.166.170.106
dns2.encirca.net. 97039 IN A 64.62.200.132

;; Query time: 178 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:25:08 2019
;; MSG SIZE rcvd: 249

Python 3.7.4 (v3.7.4:e09359112e, Jul 8 2019, 14:54:52)
[Clang 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.

>>> from socket import getaddrinfo
>>> getaddrinfo('cname.test.m3047.net',80)
[(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
<SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]

# dig cname.test.m

Re: Internal CNAME in RPZ

2019-10-23 Thread m3047

Hi, so Andrey,

Your output doesn't reflect what I would expect to see from an 
RPZ-mediated query, but rather what I would expect to see if querying a 
zone, such as the RPZ itself, directly. So I am not sure I understand your 
question.


To the broader ISC community: however, I'm confused by the response I'm 
getting. Oddly enough dig is giving me the unexpected results, and 
(Python) socket.getaddrinfo() does what I expect. It appears that CNAME 
resolution within RPZ is escaping...


On Wed, 23 Oct 2019, Andrey Geyn wrote:


Date: Wed, 23 Oct 2019 19:34:39 +0500
From: Andrey Geyn 
To: "bind-users@lists.isc.org" 
Subject: Internal CNAME in RPZ

Hello, I would like to set up RPZ with CNAME and A. There are two options:
 
1.
cname.domain.com        CNAME   test.domain.com    (without trailing dot)
test.domain.com         A       10.10.10.10


Trailing dot is needed.


2.
cname.domain.com        CNAME   test.domain.com.      (with trailing dot)
test.domain.com         A       10.10.10.10


Yes I believe this to be correct.


# dig cname.domain.com @127.0.0.1

cname.domain.com.       5       IN      CNAME   test.domain.com.
test.domain.com.        531     IN      A       66.96.162.92
 


# net-dns.pl add rpz cname.example.com CNAME test.example.com.
# net-dns.pl add rpz test.example.com A 10.10.10.10

Here's the answer I didn't expect, from dig:

# dig +short cname.example.com
TEST.EXAMPLE.COM.
# dig +short test.example.com
10.10.10.10

It did not follow the CNAME chain. Here's what I expected, from 
getaddrinfo():



>>> from socket import getaddrinfo
>>> getaddrinfo('cname.example.com',80)
[(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
<SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]


All the rest of the queries follow. The recursive resolver (at 10.0.0.220) 
is running 9.12.3-p1. I tested with versions of dig up to and including 
9.12.3-p1


Notice that in the very first test below the AUTHORITY refers to 
icann.org, but the ADDITIONAL (correctly) refers to my RPZ. I repeated 
with a different domain with the rationale that example.com was 
confounding results, and got something similar.


Querying the RPZ directly, e.g. for cname.test.m3047.net.rpz1.m3047.net 
does the reverse, looking up actual.test.m3047.net from the RPZ instead of 
the real world.


--

Fred Morris

--

# dig cname.example.com

; <<>> DiG 9.8.3-P1 <<>> cname.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40161
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;cname.example.com. IN  A

;; ANSWER SECTION:
CNAME.EXAMPLE.COM.  5   IN  CNAME   TEST.EXAMPLE.COM.

;; AUTHORITY SECTION:
EXAMPLE.COM.		3600	IN	SOA	ns.icann.org. 
noc.dns.icann.org. 2019101506 7200 3600 1209600 3600


;; ADDITIONAL SECTION:
rpz1.m3047.net.		1	IN	SOA	DEV.NULL. M3047.M3047.NET. 
260 600 60 86400 600


;; Query time: 1142 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:03:34 2019
;; MSG SIZE  rcvd: 209

#  dig test.example.com

; <<>> DiG 9.8.3-P1 <<>> test.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28409
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;test.example.com.  IN  A

;; ANSWER SECTION:
TEST.EXAMPLE.COM.   5   IN  A   10.10.10.10

;; AUTHORITY SECTION:
rpz1.m3047.net. 900 IN      NS  LOCALHOST.

;; ADDITIONAL SECTION:
rpz1.m3047.net.		1	IN	SOA	DEV.NULL. M3047.M3047.NET. 
260 600 60 86400 600


;; Query time: 10 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:04:38 2019
;; MSG SIZE  rcvd: 162

# dig cname.example.com.rpz1.m3047.net

; <<>> DiG 9.8.3-P1 <<>> cname.example.com.rpz1.m3047.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54923
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;cname.example.com.rpz1.m3047.net. IN   A

;; ANSWER SECTION:
CNAME.EXAMPLE.COM.rpz1.m3047.net. 600 IN CNAME  TEST.EXAMPLE.COM.
TEST.EXAMPLE.COM.   5   IN  A   10.10.10.10

;; AUTHORITY SECTION:
rpz1.m3047.net. 900 IN  NS  LOCALHOST.

;; ADDITIONAL SECTION:
rpz1.m3047.net.		1	IN	SOA	DEV.NULL. M3047.M3047.NET. 
260 600 60 86400 600


;; Query time: 8 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:07:46 2019
;; MSG SIZE  rcvd: 224

Python 3.7.4 (v3.7.4:e09359112e, Jul  8 2019, 14:54:52)
[Clang 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.

>>> from socket import getaddrinfo
>>> getaddrinfo('cname.example.com',80)
[(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
<SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]


# net-dns.pl add rpz cname.test.m3047.net CNAME actual.t

Re: search and ndots support in bind utilities

2019-09-30 Thread m3047
One more thing: what about disabling search lists? Can't I make a rule 
that "all FQDNs must be specified with a trailing dot (as documented to 
stop the use of search lists)"?


You'd better test that thoroughly. Firefox still doesn't get the TLS host 
header right, and Apache doesn't toss its breakfast anymore, but it ain't 
pretty. Try https://apache.org./ if you don't believe me...




Good luck, and a good tomorrow...

--

Fred Morris






Re: search and ndots support in bind utilities

2019-09-30 Thread m3047
The following is not specific to BIND, but concerns the operating 
environment for DNS software. Ebersman in a later post links to a document 
which foreshadows what I'm about to discuss.


On Mon, 30 Sep 2019, Petr Mensik wrote:

[...]
I am aware search is a no-no in DNS community.


That's barely the "other 10%" of it. It reaches as far as cooked Google 
servers (Stucke's still amusing talk from Black Hat some years ago) and 
comes down to a simple: "whose name do you trust?"


I know from experience with the data that in some $VENDOR's streaming 
NXDOMAIN telemetry feed, on any given day, depending which way the wind is 
blowing, that .belkin will be one of the top 10 TLDs. Luckily Cisco bought 
.cisco, so you can see for yourself if your Passive DNS data provider is 
any good by looking for A queries which resolved to 127.0.53.53.


Why does so much DNS traffic show up inadvertently stemmed with .cisco and 
.belkin? Rhetorically speaking, of course.


The DNS is just one naming service which is queried in attempts to resolve 
resource names into actual instances. Others include hosts, LDAP, NIS, you 
get the idea. If you go down the "no search lists" path, then that means 
everywhere, not just the DNS. (This may also be part of the reason for 
inconsistent behavior; earlier this year I personally saw DNS lookups 
suddenly become case sensitive on SuSE Leap when using getaddrinfo().)


What about Active Directory? If your domain can't resolve inside of 
Windows, does it fall back to the DNS?


Resources don't include just web sites, CRLs, adverts, tracking beacons. 
It includes database servers, etcd and other resolution / configuration 
services, drives containing executables to, you know, execute...


It doesn't stop with best practices according to the DNS community. Plenty 
of developers will think they know best for their particular situation, so 
you will see them trying various things that will oftentimes result in 
stemming and trying things from your search list. (Guilty as charged, 
during the SuSE episode I coded an option to force the use of dnspython 
for name resolution.)



Prohibitions like "no search lists" do next to nothing. Clever programmers 
will use whatever domain you specify for your hosts as something to 
deconstruct and use for stemming. An (enforced) search list might be 
preferable!


Look at your DNS traffic, particularly NXDOMAIN. (I'd look for stuff 
resolving in typoed / bit flipped domains too.)


Add a domain you own but do not use as the final fallback in your search 
list, and monitor all DNS traffic going to it.


Even resolving stuff may not stop it from leaking (stop resolution 
attempts), because the developer may not trust your answer. I wouldn't do 
that, of course. ;-) But clearly people obsessed with "happy eyeballs" 
don't share my sensibilities.



Good luck, and a good tomorrow...

--

Fred Morris
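The two checks the post recommends, looking at NXDOMAIN traffic for leaked internal TLDs and putting a domain you own at the end of the search list as a canary, can be run over a query log. The following is an added example, not code from the post or from ISC: it parses constructed BIND-style query-log lines (the client addresses, names and the canary domain canary.example.net are all made up for the example), reports queries that ended up stemmed with the canary suffix together with the short name the application actually asked for, flags queries in the .belkin and .cisco TLDs the post names, and, over constructed passive-DNS style records, finds names that resolved to ICANN's name-collision address 127.0.53.53.

```python
import re
from typing import Iterable, List, NamedTuple, Tuple

CANARY = "canary.example.net"       # assumed: a domain you own, last entry in the search list
WATCHED_TLDS = {"belkin", "cisco"}  # the two TLDs the post singles out
COLLISION_ADDR = "127.0.53.53"      # ICANN's name-collision "controlled interruption" address

# BIND query-log line, with or without the "@0x..." client pointer newer versions print
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")

# Constructed log lines and passive-DNS records (not from the thread)
LOG = """\
client 10.0.0.5#52104 (intranet.belkin): query: intranet.belkin IN A + (10.0.0.220)
client 10.0.0.5#52105 (intranet.corp.example.com): query: intranet.corp.example.com IN A + (10.0.0.220)
client 10.0.0.7#41022 (db.prod.canary.example.net): query: db.prod.canary.example.net IN A + (10.0.0.220)
client 10.0.0.7#41023 (db.prod): query: db.prod IN A + (10.0.0.220)
client 10.0.0.9#33001 (www.cisco): query: www.cisco IN A + (10.0.0.220)
client 10.0.0.9#33002 (www.cisco.com): query: www.cisco.com IN A + (10.0.0.220)
"""
PDNS = [("www.cisco", "A", "127.0.53.53"), ("www.cisco.com", "A", "203.0.113.10")]


class Finding(NamedTuple):
    src: str
    qname: str
    reason: str


def _labels(name: str) -> List[str]:
    return [l for l in name.lower().rstrip(".").split(".") if l]


def analyse_querylog(lines: Iterable[str], canary: str = CANARY) -> List[Finding]:
    """Flag queries that betray search-list stemming.

    Signal 1: the name ends in the canary suffix, so a stub resolver appended the
    last search-list entry to something nothing else resolved; the leaked short
    name is what the application actually asked for.
    Signal 2: the TLD is one that only shows up through leaked internal naming.
    """
    canary_labels = _labels(canary)
    findings: List[Finding] = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        src, qname = m.group("src"), m.group("qname")
        labels = _labels(qname)
        n = len(canary_labels)
        if len(labels) > n and labels[-n:] == canary_labels:
            findings.append(Finding(src, qname, "search-list leak of '%s'" % ".".join(labels[:-n])))
        elif labels and labels[-1] in WATCHED_TLDS:
            findings.append(Finding(src, qname, "query in .%s" % labels[-1]))
    return findings


def find_collision_answers(records: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Names whose A record resolved to 127.0.53.53: queries for a now-delegated
    TLD that still originate from somebody's internal naming."""
    return [name for name, rtype, rdata in records if rtype == "A" and rdata == COLLISION_ADDR]


if __name__ == "__main__":
    for f in analyse_querylog(LOG.splitlines()):
        print(f)
    print(find_collision_answers(PDNS))
```

The canary match is done on whole labels, so a query for db.prod.canary.example.net is reported as a leak of db.prod, while a query for the canary apex itself is not.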



Re: RPZ for reverse lookups ?

2019-08-25 Thread m3047

Clarification on what DNS is...

On Sun, 25 Aug 2019, m3047 wrote:

On Sat, 24 Aug 2019, J Doe wrote:

 [...] Is it possible to re-write a response on a reverse lookup ?  For
 instance, if I considered example.com a “bad domain”, can I write a RPZ
 policy so that a reverse lookup of IP’s that map to example.com fails or
 is blocked ?
 [...]

proposed actions local in scope? Do you run a local passive DNS oracle?)


Strictly speaking, in DNS-speak the "reverse lookup of an IP..." is a PTR 
lookup. The "reverse lookup of an IP mapping to example.com" is doing a 
PTR lookup and matching it against example.com. I could be wrong 
generally, but at least none of the RPZ features which I use generate 
additional DNS traffic; an RPZ implementation which did would exceed my 
personal threshold of least surprise.


You might consider taking discussion of this to the RPZ interest list or 
searching the archives: http://lists.redbarn.org/mailman/listinfo/dnsfirewalls


--

Fred Morris


Re: RPZ for reverse lookups ?

2019-08-25 Thread m3047

Yes. See below.

Another respondent expresses concerns about the danger of IP address 
blocking. The RPZ implementation (in BIND) includes options for setting 
triggers on the address returned with A and AAAA RRs (rpz-ip) and 
nameserver address (nsip). These kinds of actions are functionally 
distinct from triggers based on the query name.


On Sat, 24 Aug 2019, J Doe wrote:
[...] Is it possible to re-write a response on a reverse lookup ?  For 
instance, if I considered example.com a “bad domain”, can I write a RPZ 
policy so that a reverse lookup of IP’s that map to example.com fails or 
is blocked ?


I know I can do this with a forward lookup to generate NXDOMAIN:

; Forward resolution of: example.com and subdomains generates: NXDOMAIN

example.com    IN CNAME .
*.example.com  IN CNAME .


I have to wonder what led us here and why it's so important to generate 
NXDOMAIN. There are plenty of ways to disrupt as well as out and out block 
access to an IP address which don't require resorting to DNS tricks, such 
as using a firewall, but let's see what we can do.


I suspect if you wanted to block an IP address, that rpz-ip is what you're 
looking for.


What you've got above prevents example.com from resolving to any address. 
So where did the address come from? Are you sure the evidence chain 
involves example.com and not something else (correctly or incorrectly) 
resolving to that address, or someone outright lying? Why would you assume 
that? (And as the other prior respondent points out, it has risks. Are the 
impacts of your proposed actions local in scope? Do you run a local 
passive DNS oracle?)


Let's say that example.com resolves to 10.9.8.7. In that case "dig -x 
10.9.8.7" will generate a query for 7.8.9.10.in-addr.arpa PTR records. A 
record like


7.8.9.10.in-addr.arpa CNAME .

will generate NXDOMAIN in response to that query. You could be more 
explicit:


7.8.9.10.in-addr.arpa PTR block.this.

If you were doing spam scoring based on the feature "does the FQDN the MTA 
declares as its identity match a reverse lookup on its address", either 
one of these would potentially fail. NXDOMAIN is generally an implied fail 
however, and could be due to infrastructure failures distinct and separate 
from imputed conduct; whereas the feature "anything that a reverse lookup 
resolves to block.this should be blocked" is explicit (and unambiguous 
until the .this TLD launches).


--

Fred Morris


Re: EDITED: Proper Way to Configure a Domain which never sends emails

2019-08-19 Thread m3047

Hi,

I would think declaring SPF as you say is the right course of action.

I would consider setting up DMARC as well. Whether it's your intention or 
not, if you set up DMARC (a way for people to report mail claiming to be 
from you) you've essentially created a honey pot; maybe somebody will be 
happy to take those DMARC-instigated reports from you.


On Mon, 19 Aug 2019, Ignacio García wrote:
I have to set up dns records for a domain just for a web site, for which we 
will NEVER send emails (though we might receive some from old customers), so 
I would like to announce somehow that emails sent from this domain should 
always be disregarded.


Outgoing mail should be disregarded.

I was thinking of setting just A and AAAA records for 
@ and www, NS records, MX records (for receiving)


Incoming mail should be received.

and SPF with a record just 
consisting of v=spf1 -all



  , not declaring an A and MX records at all.


Contradicts earlier assertions.

--

Fred Morris


MX, SPF and RPZ Re: DNS domain Pointing to a DSL U/verse host

2019-08-16 Thread m3047

Hi Eduardo.

On Thu, 15 Aug 2019, Eduardo Bonsi wrote:

First, thank you for taking the time to layout your views and suggestion!


;-)


NOTE: This is a perfect use case for off-label use of RPZ, you could
define your PTR record in an RPZ and you wouldn't need to take over the 
whole zone.


Thank you for this suggestion! It would be great to have some examples, 
if is not to ask you too much already!


Sure. 8-) Do you have waldo in your domain?

# dig waldo.bonsi.org

; <<>> DiG 9.8.3-P1 <<>> waldo.bonsi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10359
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;waldo.bonsi.org.   IN  A

;; AUTHORITY SECTION:
bonsi.org.		300	IN	SOA 
ns-cloud-b1.googledomains.com. cloud-dns-hostmaster.google.com. 56 21600 
3600 259200 300


;; Query time: 540 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Fri Aug 16 09:52:54 2019
;; MSG SIZE  rcvd: 129

Let's fix that:

# net-dns.pl add white waldo.bonsi.org A 10.9.8.7

(That's a script which dynamically updates the zone whitelist.m3047.net, a 
local vanity domain.)


# dig waldo.bonsi.org.whitelist.m3047.net

; <<>> DiG 9.8.3-P1 <<>> waldo.bonsi.org.whitelist.m3047.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42402
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;waldo.bonsi.org.whitelist.m3047.net. IN    A

;; ANSWER SECTION:
WALDO.BONSI.ORG.whitelist.m3047.net. 600 IN A   10.9.8.7

;; Query time: 7 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Fri Aug 16 09:55:41 2019
;; MSG SIZE  rcvd: 104

Let's make sure I didn't break your zone:

# dig www.bonsi.org

; <<>> DiG 9.8.3-P1 <<>> www.bonsi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42111
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.bonsi.org. IN  A

;; ANSWER SECTION:
www.bonsi.org.  21600   IN  A   162.201.66.177

;; Query time: 126 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Fri Aug 16 09:56:49 2019
;; MSG SIZE  rcvd: 47

Looks good. Where's waldo?

# dig waldo.bonsi.org

; <<>> DiG 9.8.3-P1 <<>> waldo.bonsi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16655
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;waldo.bonsi.org.   IN  A

;; ANSWER SECTION:
WALDO.BONSI.ORG.    5   IN  A   10.9.8.7

;; ADDITIONAL SECTION:
whitelist.m3047.net.	1	IN	SOA	DEV.NULL. M3047.M3047.NET. 
364 600 60 86400 600


;; Query time: 7 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Fri Aug 16 09:57:26 2019
;; MSG SIZE  rcvd: 142

You'll notice that the authority comes from whitelist.m3047.net, and that 
I didn't have to take over your entire zone in order to rewrite that 
particular FQDN. This does break DNSSEC.


How does this hang together in the BIND config?

# cat /etc/named.conf
...
options {
...
 // RPZs
 response-policy {
 zone "whitelist.m3047.net";
 zone "rpz1.m3047.net";
 };
...
};
...
zone "whitelist.m3047.net" {
 type master;
 check-names ignore;
 file "whitelist.m3047.net";
};
...

# rndc freeze whitelist.m3047.net
# rndc thaw whitelist.m3047.net
# cat whitelist.m3047.net
$ORIGIN .
$TTL 900; 15 minutes
whitelist.m3047.net IN SOA  DEV.NULL. M3047.M3047.NET. (
364; serial
600; refresh (10 minutes)
60 ; retry (1 minute)
86400  ; expire (1 day)
600; minimum (10 minutes)
)
NS  LOCALHOST.
...
$ORIGIN AP.ORG.whitelist.m3047.net.
*   CNAME   rpz-passthru.
$ORIGIN ORG.whitelist.m3047.net.
WALDO.BONSI A   10.9.8.7
$ORIGIN CONSUMERREPORTSCDN.ORG.whitelist.m3047.net.
*   CNAME   rpz-passthru.
...

(RPZs have special semantics for actions like passthrough and NXDOMAIN.)


Fundamentally, you're not authoritative for the zone:


I am totally aware about that! That would be more simple if I just go 
ahead and order some static ips from AT&T ...and that would cost me an 
arm and a leg and get done with it! Then, "probably" I would not be 
here asking this question at all.


We are referring to the in-addr.arpa zone, just to be clear. There is a 
reverse for it, it's just provided by SW Bell. It's not pointing to an 
FQDN within your zone (bonsi.org). That 

Re: DNS domain Pointing to a DSL U/verse host

2019-08-15 Thread m3047
   IN  PTR  www.bonsi.org.

NOTE: Multiple PTR records are allowed, but funny things will happen to 
services restricted by FQDN when you do so. DAMHIK!


--

Fred Morris
m3...@m3047.net
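The RPZ rule forms used in the replies above (CNAME . for NXDOMAIN at an apex and under a wildcard, a PTR record at a reverse-map owner name, a local A record such as waldo.bonsi.org inside whitelist.m3047.net, CNAME rpz-passthru., and the rpz-ip trigger mentioned for address blocking) all hang off the same small set of semantics. The following is an added example, not code from the thread and not BIND's implementation: a toy policy evaluator over constructed data. The "world" answers and the policy zone contents are made up for the example (they reuse names and addresses that appear in the thread plus TEST-NET addresses); only IPv4 rpz-ip triggers are modelled and only their deny actions; and a CNAME produced by the policy zone is re-resolved and re-checked against the policy, which is the result getaddrinfo() showed in the Internal CNAME thread, not necessarily what a given BIND version does.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

RR = Tuple[str, str]                # (type, rdata) at some owner name
SPECIAL = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}


def fqdn(name: str) -> str:
    return name.lower().rstrip(".") + "."


def reverse_name(ip: str) -> str:
    """PTR owner for an address: 10.9.8.7 -> 7.8.9.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def decode_action(rules: List[RR]) -> Tuple[str, List[RR]]:
    """The special CNAME targets carry the policy; anything else is local data."""
    for rtype, rdata in rules:
        if rtype == "CNAME" and rdata.lower() in SPECIAL:
            return SPECIAL[rdata.lower()], []
    return "LOCAL-DATA", rules


class ResponsePolicyZone:
    """QNAME, wildcard and (IPv4) rpz-ip triggers of a single policy zone."""
    def __init__(self, origin: str, records: List[Tuple[str, str, str]]):
        self.origin = fqdn(origin)
        self.rules: Dict[str, List[RR]] = {}
        for owner, rtype, rdata in records:
            self.rules.setdefault(fqdn(owner) + self.origin, []).append((rtype, rdata))

    def qname_rules(self, qname: str) -> Optional[List[RR]]:
        q = fqdn(qname)
        if q + self.origin in self.rules:          # exact owner beats wildcard
            return self.rules[q + self.origin]
        labels = q.split(".")[:-1]
        for i in range(1, len(labels)):            # *.parent matches descendants only
            wc = "*." + ".".join(labels[i:]) + "." + self.origin
            if wc in self.rules:
                return self.rules[wc]
        return None

    def ip_rules(self, ip: str) -> Optional[List[RR]]:
        for plen in range(32, 0, -1):              # longest prefix wins
            net = ipaddress.ip_network(f"{ip}/{plen}", strict=False).network_address
            owner = f"{plen}." + ".".join(reversed(str(net).split("."))) + ".rpz-ip." + self.origin
            if owner in self.rules:
                return self.rules[owner]
        return None


def resolve(rpz: ResponsePolicyZone, world: Dict[str, List[RR]],
            qname: str, qtype: str, max_hops: int = 8) -> Dict:
    """Resolve qname/qtype against `world` with `rpz` mediating, following CNAMEs."""
    answer: List[Tuple[str, str, str]] = []
    name, passthru = fqdn(qname), False
    for _ in range(max_hops):
        rules = None if passthru else rpz.qname_rules(name)
        if rules:
            action, data = decode_action(rules)
            if action in ("NXDOMAIN", "NODATA", "DROP"):
                return {"rcode": action, "answer": answer, "policy": f"qname {name}"}
            if action == "PASSTHRU":
                passthru = True
            else:                                  # local data from the policy zone
                cname = [r for t, r in data if t == "CNAME"]
                if cname and qtype != "CNAME":     # policy CNAME: target is checked again
                    answer.append((name, "CNAME", cname[0]))
                    name = fqdn(cname[0])
                    continue
                answer += [(name, t, r) for t, r in data if t == qtype]
                return {"rcode": "NOERROR", "answer": answer, "policy": f"qname {name}"}
        rrs = world.get(name, [])
        cname = [r for t, r in rrs if t == "CNAME"]
        if cname and qtype != "CNAME":
            answer.append((name, "CNAME", cname[0]))
            name = fqdn(cname[0])
            continue
        data = [(name, t, r) for t, r in rrs if t == qtype]
        if not passthru:                           # response-address trigger (deny only)
            for _owner, t, r in data:
                hit = rpz.ip_rules(r) if t == "A" else None
                if hit and decode_action(hit)[0] != "PASSTHRU":
                    return {"rcode": decode_action(hit)[0], "answer": answer, "policy": f"rpz-ip {r}"}
        answer += data
        return {"rcode": "NOERROR" if rrs else "NXDOMAIN", "answer": answer,
                "policy": "rpz-passthru" if passthru else None}
    raise RuntimeError("CNAME chain too long")


# Constructed data (not from the thread): what the "real" DNS would answer ...
WORLD: Dict[str, List[RR]] = {
    "actual.test.m3047.net.": [("A", "209.221.140.128")],
    "www.bonsi.org.": [("A", "162.201.66.177")],
    "7.8.9.10.in-addr.arpa.": [("PTR", "mail.example.com.")],
    "bad.example.org.": [("A", "198.51.100.77")],
    "cdn.consumerreportscdn.org.": [("A", "198.51.100.9")],
}
# ... and the policy zone, in the rule forms used in the thread
RPZ = ResponsePolicyZone("rpz1.m3047.net", [
    ("example.com", "CNAME", "."),                    # NXDOMAIN for the apex ...
    ("*.example.com", "CNAME", "."),                  # ... and for every subdomain
    ("7.8.9.10.in-addr.arpa", "PTR", "block.this."),  # rewrite the reverse lookup
    ("waldo.bonsi.org", "A", "10.9.8.7"),             # local data, zone not taken over
    ("*.consumerreportscdn.org", "CNAME", "rpz-passthru."),
    ("cname.test.m3047.net", "CNAME", "actual.test.m3047.net."),
    ("actual.test.m3047.net", "A", "10.10.10.10"),
    ("24.0.100.51.198.rpz-ip", "CNAME", "."),         # answers in 198.51.100.0/24 -> NXDOMAIN
])

if __name__ == "__main__":
    for q, t in [("cname.test.m3047.net", "A"), (reverse_name("10.9.8.7"), "PTR"),
                 ("waldo.bonsi.org", "A"), ("bad.example.org", "A")]:
        print(q, t, resolve(RPZ, WORLD, q, t))
```

Note the passthru case: cdn.consumerreportscdn.org resolves to an address inside the rpz-ip prefix, but because the wildcard passthru matched first the address trigger is skipped, which is the precedence a whitelist zone listed ahead of the blocking zone relies on.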


Re: Bind and HTTPS?

2019-07-11 Thread m3047

On Fri, 12 Jul 2019, Lefteris Tsintjelis via bind-users wrote:
I believe most modern firewalls allow them now days and the speeds are pretty 
huge for such packets so I guess fragmentation by itself may not be as 
noticeable, but everything all together adds up, and I mean including DNSSEC 
and DOH overhead.


Really? What about ads? What I mean is if people are so concerned about 
"happy eyeballs", why are so many of those people somehow involved with 
the infrastructure creating the problem?


--

Fred Morris



Re: static stub zone not working as expected

2019-07-11 Thread m3047
Almost my point. It comes to my attention the hard way, that MDNS is 
enabled by default or by accident in some Linux distros. Check 
/etc/nsswitch.conf. Let us know what you find, and thanks a lot!


Longer answer: it depends on whether MDNS is in nsswitch, and what the 
ordering is.


--

Fred Morris

On Fri, 12 Jul 2019, Mark Andrews wrote:


Note .local is reserved for mDNS. getaddrinfo() shouldn’t be looking in the DNS 
for .local names.
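Whether a .local name ever reaches the DNS is decided by the hosts line in nsswitch.conf and its ordering, as the reply says. The following is an added example, not code from the thread or from glibc: it parses constructed hosts: lines (the three variants below are made up for the example) and walks the NSS chain for a name under the usual status model, files returning NOTFOUND, mdns4_minimal returning NOTFOUND only for *.local and UNAVAIL for everything else, the non-minimal mdns modules trying any name, and the NSS defaults of continue on NOTFOUND/UNAVAIL and return on SUCCESS. Negated actions such as [!UNAVAIL=return] are not modelled.

```python
import re
from typing import Dict, List, Tuple

# Constructed hosts: lines as found in /etc/nsswitch.conf (not from the thread)
MINIMAL_BEFORE_DNS = "hosts: files mdns4_minimal [NOTFOUND=return] dns"
MDNS_AFTER_DNS = "hosts: files dns mdns4"
NO_MDNS = "hosts: files dns"

Service = Tuple[str, Dict[str, str]]   # (module, {STATUS: action})


def parse_hosts_line(line: str) -> List[Service]:
    """Split 'hosts: a b [STATUS=action] c' into ordered (module, actions)."""
    body = line.split(":", 1)[1]
    chain: List[Service] = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", body):
        if tok.startswith("["):                     # action block applies to the previous module
            for status, action in re.findall(r"(\w+)=(\w+)", tok):
                chain[-1][1][status.upper()] = action.lower()
        else:
            chain.append((tok.lower(), {}))
    return chain


def consults_dns(chain: List[Service], name: str) -> Tuple[bool, str]:
    """Walk the chain for `name`, assuming no hosts-file entry and no mDNS answer.

    Returns (reached_dns, module): True/"dns" when the lookup falls through to
    the DNS, otherwise the module whose action stopped the walk.
    """
    is_local = name.lower().rstrip(".").endswith(".local")
    for module, actions in chain:
        if module == "dns":
            return True, module
        if module.startswith("mdns"):
            # *_minimal modules only handle .local and report UNAVAIL for the rest
            status = "NOTFOUND" if (is_local or not module.endswith("_minimal")) else "UNAVAIL"
        else:
            status = "NOTFOUND" if module == "files" else "UNAVAIL"
        if actions.get(status, "continue") == "return":
            return False, module
    return False, "end of chain"


if __name__ == "__main__":
    for line in (MINIMAL_BEFORE_DNS, MDNS_AFTER_DNS, NO_MDNS):
        chain = parse_hosts_line(line)
        print(line, "->", consults_dns(chain, "printer.local"), consults_dns(chain, "www.example.com"))
```

With mdns4_minimal [NOTFOUND=return] ahead of dns, a missing printer.local stops at the mDNS module and never becomes a DNS query, while www.example.com passes straight through to dns; put mdns4 after dns, or leave it out, and the .local name is sent to the DNS.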