RE: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-20 Thread sami . rahal
Thank you very much, it now works fine. Just another question, please: what is
the recommended open source tool to test the performance of a DNS server, i.e.
capture packets and then send them to a DNS server to measure response time,
latency, cache usage, etc.?
Regards

From: Greg Choules
Sent: Monday 19 June 2023 16:56
To: Lee ; RAHAL Sami SOFRECOM
Cc: bind-users@lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

From the correct email alias this time!

On Mon, 19 Jun 2023 at 16:50, Greg Choules <gregchou...@googlemail.com> wrote:
Hi Lee/Sami.
`break-dnssec yes;` *may* also be needed in some cases. But not here as the 
zone isn't signed anyway.

The reason that "example.com" works but "antlauncher.com" doesn't is down to
BIND needing to perform recursion and get an answer before RPZ kicks in and
overwrites it (unless you specify `qname-wait-recurse no;`). "example.com"
actually gets an answer (from IANA) but "antlauncher.com" gets REFUSED.

Wireshark it and see.

By the way, I have been testing this on 9.18.15
Cheers, Greg


On Mon, 19 Jun 2023 at 16:10, Lee <ler...@gmail.com> wrote:
On 6/19/23, sami.rahal wrote:
> Thank you Greg
>
> I tested with another domain name to replace "SERVFAIL" with "NXDOMAIN"; it is
> not working.

You're missing "break-dnssec yes" on your response-policy stanza?
You need something like
  response-policy { zone "rpz.mozilla"; zone "rpz.zone"; }
 break-dnssec yes
 recursive-only no
 qname-wait-recurse no;
  #enable rpz
  # By default, RPZ actions are applied only to DNS requests that either do not
  # request DNSSEC metadata (DO=0) or when no DNSSEC records are available for
  # request name in the original zone (not the response policy zone).
  # This default can be changed for all response policy zones in a view with a
  # break-dnssec yes clause. In that case, RPZ actions are applied regardless
  # of DNSSEC.
  #
  # zone "rpz.mozilla";
  # https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

Regards,
Lee

>
> I use CentOS7 with BIND9.16.41
>
>
>
> grep antlauncher db.rpz
>
> antlauncher.com CNAME   .
>
> *.antlauncher.com   CNAME   .
>
>
>
> grep example db.rpz
>
> example.com IN  CNAME   .
>
> *.example.com   IN  CNAME   .
>
>
>
> dig @0 foo.antlauncher.com
>
>
>
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @0 foo.antlauncher.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
>
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54704
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
>
>
> ;; OPT PSEUDOSECTION:
>
> ; EDNS: version: 0, flags:; udp: 4096
>
> ;; QUESTION SECTION:
>
> ;foo.antlauncher.com.   IN  A
>
>
>
> ;; Query time: 241 msec
>
> ;; SERVER: 127.0.0.1#53(0.0.0.0)
>
> ;; WHEN: Mon Jun 19 10:52:22 CET 2023
>
> ;; MSG SIZE  rcvd: 48
>
>
>
> # dig @0 example.com
>
>
>
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @0 example.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9852
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
>
>
>
> ;; OPT PSEUDOSECTION:
>
> ; EDNS: version: 0, flags:; udp: 4096
>
> ;; QUESTION SECTION:
>
> ;example.com.   IN  A
>
>
>
> ;; ADDITIONAL SECTION:
>
> siteblockeddb.  1   IN  SOA LOCALHOST. need.to.know.only. 2016011100 43200 900 1814400 7200
>
>
>
> ;; Query time: 347 msec
>
> ;; SERVER: 127.0.0.1#53(0.0.0.0)
>
> ;; WHEN: Mon Jun 19 10:52:36 CET 2023
>
> ;; MSG SIZE  rcvd: 115
>
>
>
>
> From: Greg Choules <gregchoules%2bbindus...@googlemail.com>
> Sent: Monday 19 June 2023 15:12
> To: RAHAL Sami SOFRECOM <sami.ra...@sofrecom.com>
> Cc: bind-users@lists.isc.org
> Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>
> Hi Sami.
> That's not what I said.
> Yes, you can do this with RPZ if you want - it's all in the BIND ARM - but
> it's not something I would do.
>
> Cheers, Greg
>
> On Mon, 19 Jun 2023 at 12:40,
> mai
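
The db.rpz records quoted in this message encode their action in the CNAME target (`CNAME .` means "answer NXDOMAIN"). The parser below is an added example, not code from the thread, from Lee's configuration or from BIND: it reads a constructed RPZ zone written in that same format, names the action each record encodes, and resolves a query name against the QNAME triggers the way RPZ matching does (exact name first, then the closest wildcard ancestor), so a zone that "does not work" can first be checked against what it actually says. The sample zone, the `siteblockeddb` origin and the helper names are assumptions; the CNAME-target encodings in `CNAME_ACTIONS` are the standard RPZ action vocabulary.

```python
"""Added example (not from the bind-users thread): parse an RPZ zone in the
format of the quoted db.rpz, name the action each record encodes, and resolve a
query name against the QNAME triggers. The CNAME-target encodings below are the
standard RPZ action vocabulary; the sample zone and origin are constructed."""
import re

CNAME_ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
                 "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}

# owner [ttl] [IN] TYPE rdata   (class and TTL are optional, as in the quoted file)
RR_RE = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>[A-Z]+)\s+(?P<rdata>.+?)\s*$")

# Constructed sample zone: apex records plus the triggers from the thread.
SAMPLE_ZONE = """\
$TTL 1
@ IN SOA LOCALHOST. need.to.know.only. 2016011100 43200 900 1814400 7200
@ IN NS LOCALHOST.
antlauncher.com CNAME .
*.antlauncher.com   CNAME   .
example.com IN  CNAME   .
*.example.com   IN  CNAME   .
ok.example.net  CNAME rpz-passthru.   ; exempt one name from a broader block
bad.example.net A 127.0.0.1           ; local data: answer with a sinkhole
"""

def parse_rpz(text, origin):
    """Return [(trigger, action)] for policy records; SOA/NS at the apex are
    skipped. Owners written absolute inside the policy zone are made relative."""
    origin = origin.rstrip(".").lower()
    entries = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments
        if not line or line.startswith("$"):       # blank lines, $TTL/$ORIGIN
            continue
        m = RR_RE.match(line)
        if not m:
            raise ValueError(f"unparsable record: {raw!r}")
        owner, rtype, rdata = m["owner"].lower(), m["type"], m["rdata"]
        if rtype in ("SOA", "NS"):
            continue
        trigger = owner[:-1] if owner.endswith(".") else owner
        if trigger.endswith("." + origin):
            trigger = trigger[:-(len(origin) + 1)]
        if rtype == "CNAME":
            action = CNAME_ACTIONS.get(rdata.lower(), f"CNAME {rdata}")
        else:
            action = f"LOCAL-DATA {rtype} {rdata}"
        entries.append((trigger, action))
    return entries

def lookup(entries, qname):
    """QNAME-trigger matching: the exact name wins, otherwise the closest
    wildcard ancestor; None means the zone says nothing about this name."""
    qname = qname.rstrip(".").lower()
    table = dict(entries)
    if qname in table:
        return table[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in table:
            return table[wild]
    return None

if __name__ == "__main__":
    entries = parse_rpz(SAMPLE_ZONE, "siteblockeddb")
    for q in ("foo.antlauncher.com", "example.com", "deep.sub.example.com",
              "ok.example.net", "bad.example.net", "example.org"):
        print(f"{q:25} -> {lookup(entries, q)}")
```

A matching trigger is necessary but, as Greg explains above, not sufficient: unless `qname-wait-recurse no;` is set, BIND recurses first and only rewrites the answer it gets back, so an upstream that only ever returns REFUSED leaves nothing for the policy to rewrite.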

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
From the correct email alias this time!

On Mon, 19 Jun 2023 at 16:50, Greg Choules wrote:

> Hi Lee/Sami.
> `break-dnssec yes;` *may* also be needed in some cases. But not here as
> the zone isn't signed anyway.
>
> The reason that "example.com" works but "antlauncher.com" doesn't is down
> to BIND needing to perform recursion and get an answer before RPZ kicks in
> and overwrites it (unless you specify `qname-wait-recurse no;`). "
> example.com" actually gets an answer (from IANA) but "antlauncher.com"
> gets REFUSED.
>
> Wireshark it and see.
>
> By the way, I have been testing this on 9.18.15
> Cheers, Greg
>
>
> On Mon, 19 Jun 2023 at 16:10, Lee  wrote:
>
>> On 6/19/23, sami.rahal wrote:
>> > Thank you Greg
>> >
>> > I tested with another domain name to replace "SERVFAIL" with "NXDOMAIN";
>> > it is not working.
>>
>> You're missing "break-dnssec yes" on your response-policy stanza?
>> You need something like
>>   response-policy { zone "rpz.mozilla"; zone "rpz.zone"; }
>>  break-dnssec yes
>>  recursive-only no
>>  qname-wait-recurse no;
>>   #enable rpz
>>   # By default, RPZ actions are applied only to DNS requests that either do not
>>   # request DNSSEC metadata (DO=0) or when no DNSSEC records are available for
>>   # request name in the original zone (not the response policy zone).
>>   # This default can be changed for all response policy zones in a view with a
>>   # break-dnssec yes clause. In that case, RPZ actions are applied regardless
>>   # of DNSSEC.
>>   #
>>   # zone "rpz.mozilla";
>>   # https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
>>
>> Regards,
>> Lee
>>
>> >
>> > I use CentOS7 with BIND9.16.41
>> >
>> >
>> >
>> > grep antlauncher db.rpz
>> >
>> > antlauncher.com CNAME   .
>> >
>> > *.antlauncher.com   CNAME   .
>> >
>> >
>> >
>> > grep example db.rpz
>> >
>> > example.com IN  CNAME   .
>> >
>> > *.example.com   IN  CNAME   .
>> >
>> >
>> >
>> > dig @0 foo.antlauncher.com
>> >
>> >
>> >
>> > ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @0 foo.antlauncher.com
>> > ; (1 server found)
>> > ;; global options: +cmd
>> > ;; Got answer:
>> >
>> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54704
>> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> >
>> >
>> >
>> > ;; OPT PSEUDOSECTION:
>> >
>> > ; EDNS: version: 0, flags:; udp: 4096
>> >
>> > ;; QUESTION SECTION:
>> >
>> > ;foo.antlauncher.com.   IN  A
>> >
>> >
>> >
>> > ;; Query time: 241 msec
>> >
>> > ;; SERVER: 127.0.0.1#53(0.0.0.0)
>> >
>> > ;; WHEN: Mon Jun 19 10:52:22 CET 2023
>> >
>> > ;; MSG SIZE  rcvd: 48
>> >
>> >
>> >
>> > # dig @0 example.com
>> >
>> >
>> >
>> > ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @0 example.com
>> > ; (1 server found)
>> > ;; global options: +cmd
>> > ;; Got answer:
>> >
>> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9852
>> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
>> >
>> >
>> >
>> > ;; OPT PSEUDOSECTION:
>> >
>> > ; EDNS: version: 0, flags:; udp: 4096
>> >
>> > ;; QUESTION SECTION:
>> >
>> > ;example.com.   IN  A
>> >
>> >
>> >
>> > ;; ADDITIONAL SECTION:
>> >
>> > siteblockeddb.  1   IN  SOA LOCALHOST. need.to.know.only. 2016011100 43200 900 1814400 7200
>> >
>> >
>> >
>> > ;; Query time: 347 msec
>> >
>> > ;; SERVER: 127.0.0.1#53(0.0.0.0)
>> >
>> > ;; WHEN: Mon Jun 19 10:52:36 CET 2023
>> >
>> > ;; MSG SIZE  rcvd: 115
>> >
>> >
>> >
>> >
>> > From: Greg Choules
>> > Sent: Monday 19 June 2023 15:12
>> > À 

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Lee
On 6/19/23, sami.rahal wrote:
> Thank you Greg
>
> I tested with another domain name to replace "SERVFAIL" with "NXDOMAIN"; it is
> not working.

You're missing "break-dnssec yes" on your response-policy stanza?
You need something like
  response-policy { zone "rpz.mozilla"; zone "rpz.zone"; }
 break-dnssec yes
 recursive-only no
 qname-wait-recurse no;
  #enable rpz
  # By default, RPZ actions are applied only to DNS requests that either do not
  # request DNSSEC metadata (DO=0) or when no DNSSEC records are available for
  # request name in the original zone (not the response policy zone).
  # This default can be changed for all response policy zones in a view with a
  # break-dnssec yes clause. In that case, RPZ actions are applied regardless
  # of DNSSEC.
  #
  # zone "rpz.mozilla";
  # https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

Regards,
Lee

>
> I use CentOS7 with BIND9.16.41
>
>
>
> grep antlauncher db.rpz
>
> antlauncher.com CNAME   .
>
> *.antlauncher.com   CNAME   .
>
>
>
> grep example db.rpz
>
> example.com IN  CNAME   .
>
> *.example.com   IN  CNAME   .
>
>
>
> dig @0 foo.antlauncher.com
>
>
>
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @0 foo.antlauncher.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
>
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54704
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
>
>
> ;; OPT PSEUDOSECTION:
>
> ; EDNS: version: 0, flags:; udp: 4096
>
> ;; QUESTION SECTION:
>
> ;foo.antlauncher.com.   IN  A
>
>
>
> ;; Query time: 241 msec
>
> ;; SERVER: 127.0.0.1#53(0.0.0.0)
>
> ;; WHEN: Mon Jun 19 10:52:22 CET 2023
>
> ;; MSG SIZE  rcvd: 48
>
>
>
> # dig @0 example.com
>
>
>
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @0 example.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9852
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
>
>
>
> ;; OPT PSEUDOSECTION:
>
> ; EDNS: version: 0, flags:; udp: 4096
>
> ;; QUESTION SECTION:
>
> ;example.com.   IN  A
>
>
>
> ;; ADDITIONAL SECTION:
>
> siteblockeddb.  1   IN  SOA LOCALHOST. need.to.know.only. 2016011100 43200 900 1814400 7200
>
>
>
> ;; Query time: 347 msec
>
> ;; SERVER: 127.0.0.1#53(0.0.0.0)
>
> ;; WHEN: Mon Jun 19 10:52:36 CET 2023
>
> ;; MSG SIZE  rcvd: 115
>
>
>
>
> From: Greg Choules
> Sent: Monday 19 June 2023 15:12
> To: RAHAL Sami SOFRECOM
> Cc: bind-users@lists.isc.org
> Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>
> Hi Sami.
> That's not what I said.
> Yes, you can do this with RPZ if you want - it's all in the BIND ARM - but
> it's not something I would do.
>
> Cheers, Greg
>
> On Mon, 19 Jun 2023 at 12:40, <sami.ra...@sofrecom.com> wrote:
> Thank you Greg
> So if I understand correctly, if we receive a SERVFAIL return code we cannot
> replace this code with NXDOMAIN via the RPZ configuration?
> Regards
>
> From: Greg Choules <gregchoules%2bbindus...@googlemail.com>
> Sent: Monday 19 June 2023 12:02
> To: RAHAL Sami SOFRECOM <sami.ra...@sofrecom.com>
> Cc: bind-users@lists.isc.org
> Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>
> That's because this domain is broken. The NS for it are:
> antlauncher.com: type NS, class IN, ns ns1626.ztomy.com (204.11.56.26)
> antlauncher.com: type NS, class IN, ns ns2626.ztomy.com (204.11.57.26)
> No matter what query you send them (so far) they respond with REFUSED and
> claim not to be authoritative for "antlauncher.com".
>
> Personally I would live with the SERVFAIL because it tells you that
> something is wrong, not just that it doesn't exist. Then try to contact the
> people who own this domain and tell them it is broken.
>
> Cheers, Greg
>
> On Mon, 19 Jun 2023 at 10:33, <sami.ra...@sofrecom.com> wrote:
> Hello
> Thank you for these details, Greg. By the way, I worked on a problem on one of
> my resolvers and there are no errors of type

RE: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread sami . rahal
Thank you Greg

I tested with another domain name to replace "SERVFAIL" with "NXDOMAIN"; it is not
working.

I use CentOS7 with BIND9.16.41



grep antlauncher db.rpz

antlauncher.com CNAME   .

*.antlauncher.com   CNAME   .



grep example db.rpz

example.com IN  CNAME   .

*.example.com   IN  CNAME   .



dig @0 foo.antlauncher.com



; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @0 foo.antlauncher.com
; (1 server found)
;; global options: +cmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54704
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1



;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;foo.antlauncher.com.   IN  A



;; Query time: 241 msec

;; SERVER: 127.0.0.1#53(0.0.0.0)

;; WHEN: Mon Jun 19 10:52:22 CET 2023

;; MSG SIZE  rcvd: 48



# dig @0 example.com



; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @0 example.com
; (1 server found)
;; global options: +cmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9852
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2



;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;example.com.   IN  A



;; ADDITIONAL SECTION:

siteblockeddb.  1   IN  SOA LOCALHOST. need.to.know.only. 2016011100 43200 900 1814400 7200



;; Query time: 347 msec

;; SERVER: 127.0.0.1#53(0.0.0.0)

;; WHEN: Mon Jun 19 10:52:36 CET 2023

;; MSG SIZE  rcvd: 115




From: Greg Choules
Sent: Monday 19 June 2023 15:12
To: RAHAL Sami SOFRECOM
Cc: bind-users@lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

Hi Sami.
That's not what I said.
Yes, you can do this with RPZ if you want - it's all in the BIND ARM - but it's 
not something I would do.

Cheers, Greg

On Mon, 19 Jun 2023 at 12:40, <sami.ra...@sofrecom.com> wrote:
Thank you Greg
So if I understand correctly, if we receive a SERVFAIL return code we cannot
replace this code with NXDOMAIN via the RPZ configuration?
Regards

From: Greg Choules <gregchoules%2bbindus...@googlemail.com>
Sent: Monday 19 June 2023 12:02
To: RAHAL Sami SOFRECOM <sami.ra...@sofrecom.com>
Cc: bind-users@lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

That's because this domain is broken. The NS for it are:
antlauncher.com: type NS, class IN, ns ns1626.ztomy.com (204.11.56.26)
antlauncher.com: type NS, class IN, ns ns2626.ztomy.com (204.11.57.26)
No matter what query you send them (so far) they respond with REFUSED and claim
not to be authoritative for "antlauncher.com".

Personally I would live with the SERVFAIL because it tells you that something 
is wrong, not just that it doesn't exist. Then try to contact the people who 
own this domain and tell them it is broken.

Cheers, Greg

On Mon, 19 Jun 2023 at 10:33, <sami.ra...@sofrecom.com> wrote:
Hello
Thank you for these details, Greg. By the way, I worked on a problem on one of my
resolvers and there are no errors of type "SERVFAIL" currently for valid domain
names, but I receive SERVFAIL for this domain name "antlauncher.com". That's why
I wanted to change the return code for this domain name to "NXDOMAIN", so as not
to distort the monitoring result.
Regards
From: Greg Choules <gregchoules%2bbindus...@googlemail.com>
Sent: Monday 19 June 2023 10:03
To: RAHAL Sami SOFRECOM <sami.ra...@sofrecom.com>
Cc: bind-users@lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

Hi Sami.
Firstly, a couple of definitions:
NXDOMAIN is a response from an authoritative server (or a resolver because it 
cached it). It is a positive confirmation that "this name does not exist". It 
means that the QNAME in the query cannot be found, for any record type.
SERVFAIL is a response from a recursive server meaning "I tried my best to get 
a response to your query but I just failed".

So if your monitoring tool, whatever it is, is receiving SERVFAIL responses 
from your DNS server then you need to fix whatever is causing those in the 
server.
Causes of SERVFAIL could be that your server cannot contact the authoritative 
server(s) that should know the answer. Or it might be because your server is 
trying to do DNSSEC validation and that is failing.
The best way to know *why* you are getting SERVFAIL would be to take a packet 
capture

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
Hi Sami.
That's not what I said.
Yes, you can do this with RPZ if you want - it's all in the BIND ARM - but
it's not something I would do.

Cheers, Greg

On Mon, 19 Jun 2023 at 12:40,  wrote:

> Thank you Greg
>
> So if I understand correctly, if we receive a SERVFAIL return code we
> cannot replace this code with NXDOMAIN via the RPZ configuration?
>
> Regards
>
>
>
> *From:* Greg Choules
> *Sent:* Monday 19 June 2023 12:02
> *To:* RAHAL Sami SOFRECOM
> *Cc:* bind-users@lists.isc.org
> *Subject:* Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>
>
>
> That's because this domain is broken. The NS for it are:
>
> antlauncher.com: type NS, class IN, ns ns1626.ztomy.com (204.11.56.26)
>
> antlauncher.com: type NS, class IN, ns ns2626.ztomy.com (204.11.57.26)
>
> No matter what query you send them (so far) they respond with REFUSED and
> claim not to be authoritative for "antlauncher.com".
>
>
>
> Personally I would live with the SERVFAIL because it tells you that
> something is wrong, not just that it doesn't exist. Then try to contact the
> people who own this domain and tell them it is broken.
>
>
>
> Cheers, Greg
>
>
>
> On Mon, 19 Jun 2023 at 10:33,  wrote:
>
> Hello
>
> Thank you for these details, Greg. By the way, I worked on a problem on one
> of my resolvers and there are no errors of type "SERVFAIL" currently for
> valid domain names, but I receive SERVFAIL for this domain name
> "antlauncher.com". That's why I wanted to change the return code for this
> domain name to "NXDOMAIN", so as not to distort the monitoring result.
>
> Regards
>
> *From:* Greg Choules
> *Sent:* Monday 19 June 2023 10:03
> *To:* RAHAL Sami SOFRECOM
> *Cc:* bind-users@lists.isc.org
> *Subject:* Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>
>
>
> Hi Sami.
>
> Firstly, a couple of definitions:
>
> NXDOMAIN is a response from an authoritative server (or a resolver because
> it cached it). It is a positive confirmation that "this name does not
> exist". It means that the QNAME in the query cannot be found, for any
> record type.
>
> SERVFAIL is a response from a recursive server meaning "I tried my best to
> get a response to your query but I just failed".
>
>
>
> So if your monitoring tool, whatever it is, is receiving SERVFAIL
> responses from your DNS server then you need to fix whatever is causing
> those in the server.
>
> Causes of SERVFAIL could be that your server cannot contact the
> authoritative server(s) that should know the answer. Or it might be because
> your server is trying to do DNSSEC validation and that is failing.
>
> The best way to know *why* you are getting SERVFAIL would be to take a
> packet capture that includes the client queries to the server and any
> queries the server makes to try and get answers, plus all the responses.
>
> Please do that and share the results, using real domains, not examples.
>
>
>
> Hope that helps, Greg
>
>
>
>
>
> On Mon, 19 Jun 2023 at 09:39,  wrote:
>
> Hello, thank you for your feedback.
> Yes, it works like that! But it does not work for a domain name that already
> has the return code "SERVFAIL" and we want to change this code to "NXDOMAIN",
> like this domain name "antlauncher.com".
> Regards, Rahal
>
> -----Original Message-----
> From: bind-users on behalf of
> bind-users-requ...@lists.isc.org
> Sent: Saturday 17 June 2023 06:23
> To: bind-users@lists.isc.org
> Subject: bind-users Digest, Vol 4262, Issue 1
>
> Send bind-users mailing list submissions to
> bind-users@lists.isc.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.isc.org/mailman/listinfo/bind-users
> or, via email, send a message with subject or body 'help' to
>     bind-users-requ...@lists.isc.org
>
> You can reach the person managing the list at
> bind-users-ow...@lists.isc.org
>
> When replying, please edit your Subject line so it is more specific than
> "Re: Contents of bind-users digest..."
>
>
> Today's Topics:
>
>    1. replace "SERVFAIL"  to "NXDOMAIN"  with rpz
>       (sami.ra...@sofrecom.com)
>    2. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Crist Clark)
>    3. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Fred Morris)
>    4. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Ondřej Surý)
>
>
> --
>
> Message: 1
> Date: Fri, 16 
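
Greg's definitions quoted above separate the two rcodes by who produces them: NXDOMAIN is an authoritative "this name does not exist", SERVFAIL is the resolver saying it could not get an answer. A monitoring probe should keep them apart rather than mapping one onto the other, and it also helps to tell an RPZ-synthesised NXDOMAIN from a genuine one (in Sami's dig output the policy zone's own SOA, `siteblockeddb.`, travels in the ADDITIONAL section). The classifier below is an added example, not code from the thread or from BIND: it parses DNS wire-format responses, reports the RCODE, and flags NXDOMAIN answers whose SOA owner is not an ancestor of the QNAME. The sample messages are constructed to mirror the two quoted dig results, and the "SOA owner is not an ancestor of the QNAME" test is a heuristic assumed here, not a documented BIND marker.

```python
"""Added example (not from the bind-users thread): a monitoring-side classifier
for DNS responses. It parses wire-format messages, reports the RCODE
(SERVFAIL = 2, NXDOMAIN = 3) and flags NXDOMAINs that look RPZ-synthesised.
Assumed heuristic: a genuine NXDOMAIN carries the SOA of an ancestor zone of the
QNAME; an RPZ rewrite carries the policy zone's own SOA (e.g. "siteblockeddb."
for a query on example.com), which is not an ancestor."""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
TYPE_SOA, TYPE_OPT, CLASS_IN = 6, 41, 1

def encode_name(name):
    """Dotted name -> uncompressed wire format (RFC 1035 labels)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Return (dotted name, offset just past it); follows compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                    # 11xxxxxx: compression pointer
            if end is None:
                end = off + 2                      # caller resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 127:                         # refuse looping pointers
                raise ValueError("compression pointer loop")
            continue
        if ln == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels) + ".", (end if end is not None else off)

def rr_wire(owner_wire, rtype, rclass, ttl, rdata):
    """Resource record with an already-encoded owner (lets us test pointers)."""
    return owner_wire + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def rr(owner, rtype, rclass, ttl, rdata):
    return rr_wire(encode_name(owner), rtype, rclass, ttl, rdata)

def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum):
    return (encode_name(mname) + encode_name(rname)
            + struct.pack("!IIIII", serial, refresh, retry, expire, minimum))

def build_response(qname, rcode, authority=(), additional=()):
    """Constructed response: flags QR+RD+RA, one A/IN question, no answers."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode,
                         1, 0, len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", 1, CLASS_IN)
    return header + question + b"".join(authority) + b"".join(additional)

def is_ancestor(zone, name):
    return zone == "." or name == zone or name.endswith("." + zone)

def classify(msg):
    """Parse header and all sections; return RCODE name, QNAME, SOA owners and
    whether an NXDOMAIN looks synthesised by a policy zone (assumed heuristic)."""
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off, qname = 12, None
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    soa_owners = []
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_SOA:
            soa_owners.append(owner)
    synthesised = (rcode == 3 and bool(soa_owners)
                   and not any(is_ancestor(z, qname) for z in soa_owners))
    return {"qname": qname, "rcode": RCODES.get(rcode, str(rcode)),
            "soa_owners": soa_owners, "rpz_synthesised": synthesised}

def sample_responses():
    """Constructed samples: the two dig results quoted in the thread, a genuine
    NXDOMAIN, and one whose SOA owner is a compression pointer to the QNAME."""
    opt = rr(".", TYPE_OPT, 4096, 0, b"")          # EDNS0 OPT: class field = UDP size
    rpz_soa = soa_rdata("LOCALHOST.", "need.to.know.only.",
                        2016011100, 43200, 900, 1814400, 7200)
    real_soa = soa_rdata("ns.example.com.", "hostmaster.example.com.", 1, 2, 3, 4, 5)
    compressed = (struct.pack("!HHHHHH", 1, 0x8183, 1, 0, 1, 0)
                  + encode_name("example.com.") + struct.pack("!HH", 1, CLASS_IN)
                  + rr_wire(b"\xc0\x0c", TYPE_SOA, CLASS_IN, 60, real_soa))
    return {
        "servfail": build_response("foo.antlauncher.com.", 2, additional=[opt]),
        "rpz_nxdomain": build_response("example.com.", 3, additional=[
            opt, rr("siteblockeddb.", TYPE_SOA, CLASS_IN, 1, rpz_soa)]),
        "real_nxdomain": build_response("nosuch.example.com.", 3, authority=[
            rr("example.com.", TYPE_SOA, CLASS_IN, 3600, real_soa)]),
        "compressed": compressed,
    }

if __name__ == "__main__":
    for label, msg in sample_responses().items():
        print(label, classify(msg))
```

Feeding a probe's captured responses through `classify` keeps SERVFAIL visible as the "something is broken" signal Greg describes, while the `rpz_synthesised` flag lets a dashboard count policy blocks separately from names that genuinely do not exist.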

RE: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread sami . rahal
Thank you Greg
So if I understand correctly, if we receive a SERVFAIL return code we cannot
replace this code with NXDOMAIN via the RPZ configuration?
Regards

From: Greg Choules
Sent: Monday 19 June 2023 12:02
To: RAHAL Sami SOFRECOM
Cc: bind-users@lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

That's because this domain is broken. The NS for it are:
antlauncher.com: type NS, class IN, ns ns1626.ztomy.com (204.11.56.26)
antlauncher.com: type NS, class IN, ns ns2626.ztomy.com (204.11.57.26)
No matter what query you send them (so far) they respond with REFUSED and claim
not to be authoritative for "antlauncher.com".

Personally I would live with the SERVFAIL because it tells you that something 
is wrong, not just that it doesn't exist. Then try to contact the people who 
own this domain and tell them it is broken.

Cheers, Greg

On Mon, 19 Jun 2023 at 10:33, <sami.ra...@sofrecom.com> wrote:
Hello
Thank you for these details, Greg. By the way, I worked on a problem on one of my
resolvers and there are no errors of type "SERVFAIL" currently for valid domain
names, but I receive SERVFAIL for this domain name "antlauncher.com". That's why
I wanted to change the return code for this domain name to "NXDOMAIN", so as not
to distort the monitoring result.
Regards
From: Greg Choules <gregchoules%2bbindus...@googlemail.com>
Sent: Monday 19 June 2023 10:03
To: RAHAL Sami SOFRECOM <sami.ra...@sofrecom.com>
Cc: bind-users@lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

Hi Sami.
Firstly, a couple of definitions:
NXDOMAIN is a response from an authoritative server (or a resolver because it 
cached it). It is a positive confirmation that "this name does not exist". It 
means that the QNAME in the query cannot be found, for any record type.
SERVFAIL is a response from a recursive server meaning "I tried my best to get 
a response to your query but I just failed".

So if your monitoring tool, whatever it is, is receiving SERVFAIL responses 
from your DNS server then you need to fix whatever is causing those in the 
server.
Causes of SERVFAIL could be that your server cannot contact the authoritative 
server(s) that should know the answer. Or it might be because your server is 
trying to do DNSSEC validation and that is failing.
The best way to know *why* you are getting SERVFAIL would be to take a packet 
capture that includes the client queries to the server and any queries the 
server makes to try and get answers, plus all the responses.
Please do that and share the results, using real domains, not examples.

Hope that helps, Greg


On Mon, 19 Jun 2023 at 09:39, <sami.ra...@sofrecom.com> wrote:
Hello, thank you for your feedback.
Yes, it works like that! But it does not work for a domain name that already
has the return code "SERVFAIL" and we want to change this code to "NXDOMAIN",
like this domain name "antlauncher.com".
Regards, Rahal

-----Original Message-----
From: bind-users <bind-users-boun...@lists.isc.org> on behalf of
bind-users-requ...@lists.isc.org
Sent: Saturday 17 June 2023 06:23
To: bind-users@lists.isc.org
Subject: bind-users Digest, Vol 4262, Issue 1



Today's Topics:

   1. replace "SERVFAIL"  to "NXDOMAIN"  with rpz
      (sami.ra...@sofrecom.com)
   2. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Crist Clark)
   3. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Fred Morris)
   4. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Ondřej Surý)


--

Message: 1
Date: Fri, 16 Jun 2023 20:39:43 +
From: sami.ra...@sofrecom.com
To: "bind-users@lists.isc.org<mailto:bind-u

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
That's because this domain is broken. The NS for it are:

antlauncher.com: type NS, class IN, ns ns1626.ztomy.com (204.11.56.26)
antlauncher.com: type NS, class IN, ns ns2626.ztomy.com (204.11.57.26)

No matter what query you send them (so far) they respond with REFUSED and
claim not to be authoritative for "antlauncher.com".

Personally I would live with the SERVFAIL because it tells you that
something is wrong, not just that it doesn't exist. Then try to contact the
people who own this domain and tell them it is broken.

Cheers, Greg

On Mon, 19 Jun 2023 at 10:33,  wrote:

> Hello
>
> Thank you for these details, Greg. By the way, I worked on a problem on one
> of my resolvers and there are no errors of type "SERVFAIL" currently for
> valid domain names, but I receive SERVFAIL for this domain name
> "antlauncher.com". That's why I wanted to change the return code for this
> domain name to "NXDOMAIN", so as not to distort the monitoring result.
>
> Regards
>
> *From:* Greg Choules
> *Sent:* Monday 19 June 2023 10:03
> *To:* RAHAL Sami SOFRECOM
> *Cc:* bind-users@lists.isc.org
> *Subject:* Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>
>
>
> Hi Sami.
>
> Firstly, a couple of definitions:
>
> NXDOMAIN is a response from an authoritative server (or a resolver because
> it cached it). It is a positive confirmation that "this name does not
> exist". It means that the QNAME in the query cannot be found, for any
> record type.
>
> SERVFAIL is a response from a recursive server meaning "I tried my best to
> get a response to your query but I just failed".
>
>
>
> So if your monitoring tool, whatever it is, is receiving SERVFAIL
> responses from your DNS server then you need to fix whatever is causing
> those in the server.
>
> Causes of SERVFAIL could be that your server cannot contact the
> authoritative server(s) that should know the answer. Or it might be because
> your server is trying to do DNSSEC validation and that is failing.
>
> The best way to know *why* you are getting SERVFAIL would be to take a
> packet capture that includes the client queries to the server and any
> queries the server makes to try and get answers, plus all the responses.
>
> Please do that and share the results, using real domains, not examples.
>
>
>
> Hope that helps, Greg
>
>
>
>
>
> On Mon, 19 Jun 2023 at 09:39,  wrote:
>
> Hello, thank you for your feedback.
> Yes, it works like that! But it does not work for a domain name that already
> has the return code "SERVFAIL" and we want to change this code to "NXDOMAIN",
> like this domain name "antlauncher.com".
> Regards, Rahal
>
> -----Original Message-----
> From: bind-users on behalf of
> bind-users-requ...@lists.isc.org
> Sent: Saturday 17 June 2023 06:23
> To: bind-users@lists.isc.org
> Subject: bind-users Digest, Vol 4262, Issue 1
>
>
>
> Today's Topics:
>
>    1. replace "SERVFAIL"  to "NXDOMAIN"  with rpz
>       (sami.ra...@sofrecom.com)
>    2. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Crist Clark)
>    3. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Fred Morris)
>    4. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Ondřej Surý)
>
>
> --
>
> Message: 1
> Date: Fri, 16 Jun 2023 20:39:43 +
> From: sami.ra...@sofrecom.com
> To: "bind-users@lists.isc.org" 
> Subject: replace "SERVFAIL"  to "NXDOMAIN"  with rpz
> Message-ID: <9c4465dc103645149093f4d3f60cf...@sofrecom.com>
> Content-Type: text/plain; charset="us-ascii"
>
>
> Hello
> For monitoring reasons I try to change the return code of a domain name
> from "SERVFAIL" to "NXDOMAIN" with the classic RPZ configuration of
> BIND9.16.42 as follows:
> example.com IN CNAME .
> *.example.com IN CNAME .
> But it still doesn't work, I still have the message "SERVFAIL". Is it
> feasible or not, please?
> Kind regards
>
> -- 

RE: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread sami . rahal
Hello
Thank you for these details, Greg. By the way, I worked on a problem on one of my
resolvers and there are no errors of type "SERVFAIL" currently for valid domain
names, but I receive SERVFAIL for this domain name "antlauncher.com". That's why
I wanted to change the return code for this domain name to "NXDOMAIN", so as not
to distort the monitoring result.
Regards
From: Greg Choules
Sent: Monday 19 June 2023 10:03
To: RAHAL Sami SOFRECOM
Cc: bind-users@lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

Hi Sami.
Firstly, a couple of definitions:
NXDOMAIN is a response from an authoritative server (or a resolver because it 
cached it). It is a positive confirmation that "this name does not exist". It 
means that the QNAME in the query cannot be found, for any record type.
SERVFAIL is a response from a recursive server meaning "I tried my best to get 
a response to your query but I just failed".

So if your monitoring tool, whatever it is, is receiving SERVFAIL responses 
from your DNS server then you need to fix whatever is causing those in the 
server.
Causes of SERVFAIL could be that your server cannot contact the authoritative 
server(s) that should know the answer. Or it might be because your server is 
trying to do DNSSEC validation and that is failing.
The best way to know *why* you are getting SERVFAIL would be to take a packet 
capture that includes the client queries to the server and any queries the 
server makes to try and get answers, plus all the responses.
Please do that and share the results, using real domains, not examples.

Hope that helps, Greg


On Mon, 19 Jun 2023 at 09:39, <sami.ra...@sofrecom.com> wrote:
Hello, thank you for your feedback.
Yes, it works like that! But it does not work for a domain name that already
has the return code "SERVFAIL" and we want to change this code to "NXDOMAIN",
like this domain name "antlauncher.com".
Regards, Rahal


Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
Hi Sami.
Firstly, a couple of definitions:
NXDOMAIN is a response from an authoritative server (or a resolver because
it cached it). It is a positive confirmation that "this name does not
exist". It means that the QNAME in the query cannot be found, for any
record type.
SERVFAIL is a response from a recursive server meaning "I tried my best to
get a response to your query but I just failed".

So if your monitoring tool, whatever it is, is receiving SERVFAIL responses
from your DNS server then you need to fix whatever is causing those in the
server.
Causes of SERVFAIL could be that your server cannot contact the
authoritative server(s) that should know the answer. Or it might be because
your server is trying to do DNSSEC validation and that is failing.
The best way to know *why* you are getting SERVFAIL would be to take a
packet capture that includes the client queries to the server and any
queries the server makes to try and get answers, plus all the responses.
Please do that and share the results, using real domains, not examples.

Hope that helps, Greg


On Mon, 19 Jun 2023 at 09:39,  wrote:

> Hello, thank you for your feedback.
> Yes, it works like that! But it does not work for a domain name that
> already has the return code "SERVFAIL" and we want to change this code to
> "NXDOMAIN", like the domain name "antlauncher.com".
> Regards, Rahal
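Greg's advice is to look at the actual responses rather than guess. The script below is an added example, not code from this thread or from BIND: it parses the header and question section of raw DNS response packets (for instance the UDP payloads exported from a capture) and tallies them by RCODE, so that an NXDOMAIN (RCODE 3) can be told apart from a resolver's SERVFAIL (RCODE 2) per query name. The packets in SAMPLE are constructed inline so that it runs offline; the names and the two SERVFAILs for antlauncher.com are illustrative, not captured traffic.

```python
"""Classify DNS responses from a packet capture by RCODE.

Added example (not from the mailing-list thread or from BIND): parses the
wire-format header and question section of DNS responses so that NXDOMAIN
(RCODE 3, carrying AA when it comes straight from the authority) can be
told apart from SERVFAIL (RCODE 2, which only a resolver produces).
"""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

# Header flag bits (RFC 1035 section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Decode a name at offset off, following compression pointers.

    Returns (name, offset just past the name as it appears at off).
    """
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                # the pointer ends the name here
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_response(txid: int, qname: str, rcode: int, qtype: int = 1,
                   aa: bool = False) -> bytes:
    """Build a minimal response (header + question) for constructed samples."""
    flags = QR | RD | RA | (rcode & 0xF) | (AA if aa else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_response(pkt: bytes) -> dict:
    """Return id, the flags of interest, RCODE name and question name/type."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    rcode = flags & 0xF
    info = {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "ra": bool(flags & RA), "rcode": RCODES.get(rcode, str(rcode)),
            "ancount": ancount, "qname": None, "qtype": None}
    if qdcount:
        qname, off = decode_name(pkt, 12)
        info["qname"] = qname
        info["qtype"] = struct.unpack("!H", pkt[off:off + 2])[0]
    return info


def summarize(packets) -> dict:
    """Count responses per (qname, rcode); queries (QR=0) are skipped."""
    counts = {}
    for pkt in packets:
        r = parse_response(pkt)
        if not r["qr"]:
            continue
        key = (r["qname"], r["rcode"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample responses (not captured traffic): what a resolver might
# hand back for the names discussed in the thread.
SAMPLE = [
    build_response(0x1a2b, "example.com.", 0),
    build_response(0x1a2c, "antlauncher.com.", 2),        # SERVFAIL
    build_response(0x1a2d, "nosuch.example.com.", 3),     # NXDOMAIN
    build_response(0x1a2e, "antlauncher.com.", 2),        # SERVFAIL again
]

if __name__ == "__main__":
    for (qname, rcode), n in sorted(summarize(SAMPLE).items()):
        print(f"{qname:28s} {rcode:9s} {n}")
```

Only the 4-bit header RCODE is decoded; a response carrying an EDNS OPT record can extend it, and a real capture also needs the resolver's own upstream queries (which this parser reads the same way) to see whether the SERVFAIL came from a timeout, a REFUSED, or a validation failure.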

RE: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread sami . rahal
Hello, thank you for your feedback.
Yes, it works like that! But it does not work for a domain name that already 
has the return code "SERVFAIL" and we want to change this code to "NXDOMAIN", 
like the domain name "antlauncher.com".
Regards, Rahal


Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-16 Thread Ondřej Surý
8. Configuration Reference — BIND 9 9.18.13 documentation
bind9.readthedocs.io

I would certainly recommend reading the docs… especially the sections on 
break-dnssec and qname-wait-recurse.

--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

On 17. 6. 2023, at 6:40, Fred Morris wrote:

> Admittedly, since I'm writing software to do "off label" stuff with DNS I 
> make mistakes. But I have seen things along this line (interactions 
> between RPZ and regular resolution in the context of "broken" domains): in 
> some cases it has seemed impossible to ameliorate / mitigate SERVFAIL 
> utilizing RPZ.
>
> I'll try to pay more attention and see if I can isolate a test case if the 
> problem recurs. (I was kind of hoping someone would have a solution!)
>
> --
> Fred Morris
>
> On Fri, 16 Jun 2023, Crist Clark wrote:
>
>> That should return a NXDOMAIN. Returning SERVFAIL is never a normal RPZ 
>> action. Something is wrong with your configuration.
>>
>> On Fri, Jun 16, 2023 at 1:39 PM  wrote:
>>
>>> For monitoring reasons I am trying to change the return code of a domain 
>>> name from "SERVFAIL" to "NXDOMAIN" with the classic RPZ configuration of 
>>> BIND 9.16.42 as follows:
>>> example.com IN CNAME .
>>> *.example.com IN CNAME .
>>> But it still doesn't work, I still have the message "SERVFAIL", is it 
>>> feasible or not please ?
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-16 Thread Fred Morris
Admittedly, since I'm writing software to do "off label" stuff with DNS I 
make mistakes. But I have seen things along this line (interactions 
between RPZ and regular resolution in the context of "broken" domains): in 
some cases it has seemed impossible to ameliorate / mitigate SERVFAIL 
utilizing RPZ.


I'll try to pay more attention and see if I can isolate a test case if the 
problem recurs. (I was kind of hoping someone would have a solution!)


--

Fred Morris

On Fri, 16 Jun 2023, Crist Clark wrote:


That should return a NXDOMAIN. Returning SERVFAIL is never a normal RPZ
action. Something is wrong with your configuration.

On Fri, Jun 16, 2023 at 1:39 PM  wrote:


For monitoring reasons I am trying to change the return code of a domain name
from "SERVFAIL" to "NXDOMAIN" with the classic RPZ configuration of
BIND 9.16.42 as follows:

example.com IN CNAME .

*.example.com IN CNAME .

But it still doesn't work, I still have the message "SERVFAIL", is it
feasible or not please ?


Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-16 Thread Crist Clark
That should return a NXDOMAIN. Returning SERVFAIL is never a normal RPZ
action. Something is wrong with your configuration.

On Fri, Jun 16, 2023 at 1:39 PM  wrote:

>
>
> Hello
>
> For monitoring reasons I am trying to change the return code of a domain name
> from "SERVFAIL" to "NXDOMAIN" with the classic RPZ configuration of
> BIND 9.16.42 as follows:
>
> example.com IN CNAME .
>
> *.example.com IN CNAME .
>
> But it still doesn't work, I still have the message "SERVFAIL", is it
> feasible or not please ?
>
> Kind regards


replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-16 Thread sami . rahal

Hello
For monitoring reasons I am trying to change the return code of a domain name from 
"SERVFAIL" to "NXDOMAIN" with the classic RPZ configuration of BIND 9.16.42 as 
follows:
example.com IN CNAME .
*.example.com IN CNAME .
But it still doesn't work, I still have the message "SERVFAIL", is it 
feasible or not please ?
Kind regards

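The two RPZ records in the original post, combined with the options Ondřej points to, as an added configuration example (mine, not the original poster's named.conf and not an ISC sample). The zone name rpz.local, the file path, the serial and the TTLs are assumptions; response-policy, qname-wait-recurse and break-dnssec are the documented BIND option names. The target name is the one from the thread rather than example.com, since example.com resolves normally and never exercised the failure case.

```conf
// named.conf (excerpt): load the policy zone and apply it to this view
options {
    recursion yes;

    // qname-wait-recurse no: a matching QNAME rule answers at once instead of
    // waiting for recursion to finish, so the upstream failure for
    // antlauncher.com is never consulted.
    // break-dnssec yes: also rewrite for clients that set the DO bit on
    // names in signed zones; it makes no difference for unsigned names.
    response-policy { zone "rpz.local"; }
        qname-wait-recurse no
        break-dnssec yes;
};

zone "rpz.local" {
    type master;
    file "/etc/bind/rpz.local.db";    // assumed path
    allow-query { none; };            // policy data is not for clients
};

// /etc/bind/rpz.local.db (assumed file name)
$TTL 300
@                       IN SOA  localhost. root.localhost. (
                                2023061901 ; serial, bump on every change
                                3600 900 604800 300 )
                        IN NS   localhost.

; CNAME . => NXDOMAIN for the name itself and, via the wildcard, everything
; below it (CNAME *. would give NODATA instead)
antlauncher.com         IN CNAME .
*.antlauncher.com       IN CNAME .
```

Check the files with `named-checkconf` and `named-checkzone rpz.local /etc/bind/rpz.local.db`, reload, then `dig @127.0.0.1 antlauncher.com +noall +comments` should report status NXDOMAIN. With qname-wait-recurse left at its default of yes, BIND recurses first and a recursion failure can reach the client as SERVFAIL before the policy is applied, which is consistent with what the original poster saw. Two caveats from the ARM: qname-wait-recurse no does not apply to policy zones listed after zones that use IP, NSIP or NSDNAME triggers, because those triggers need the data recursion would fetch; and once the rewrite works the monitoring is hiding a resolution problem rather than measuring it, which is the point Greg makes above.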