I would expect so.
HECATE:~ m3047$ dig points-to-m3047.net.m3047.
; <<>> DiG 9.8.3-P1 <<>> points-to-m3047.net.m3047.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50873
;; flags: qr aa rd ra; QUERY: 1, AN
g that this is WRONG, because actual.test.m3047.net is in
the RPZ. It did try to follow the CNAME chain; it just failed to apply the
policy to the A record. However querying the RPZ explicitly:
CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN CNAME ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET. 5 IN A 10.10.
ng similar.
Querying the RPZ directly, e.g. for cname.test.m3047.net.rpz1.m3047.net
does the reverse, looking up actual.test.m3047.net from the RPZ instead of
the real world.
--
Fred Morris
--
# dig cname.example.com
; <<>> DiG 9.8.3-P1 <<>> cname.example.com
;;
One more thing: what about disabling search lists? Can't I make a rule
that "all FQDNs must be specified with a trailing dot (as documented to
stop the use of search lists)"?
You'd better test that thoroughly. Firefox still doesn't get the TLS host
header right, and Apache doesn't toss its
The following is not specific to BIND, but concerns the operating
environment for DNS software. Ebersman in a later post links to a document
which foreshadows what I'm about to discuss.
On Mon, 30 Sep 2019, Petr Mensik wrote:
[...]
I am aware search is a no-no in DNS community.
That's
Clarification on what DNS is...
On Sun, 25 Aug 2019, m3047 wrote:
On Sat, 24 Aug 2019, J Doe wrote:
[...] Is it possible to re-write a response on a reverse lookup ? For
instance, if I considered example.com a “bad domain”, can I write a RPZ
policy so that a reverse lookup of IP’s that map
Yes. See below.
Another respondent expresses concerns about the danger of IP address
blocking. The RPZ implementation (in BIND) includes options for setting
triggers on the address returned with A and RRs (rpz-ip) and
nameserver address (nsip). These kinds of actions are functionally
Hi,
I would think declaring SPF as you say is the right course of action.
I would consider setting up DMARC as well. Whether it's your intention or
not, if you set up DMARC (a way for people to report mail claiming to be
from you) you've essentially created a honey pot; maybe somebody will be
IN A
;; ANSWER SECTION:
WALDO.BONSI.ORG. 5 IN A 10.9.8.7
;; ADDITIONAL SECTION:
whitelist.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET. 364 600 60 86400 600
;; Query time: 7 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Fri Aug 16 09:57:26 2019
;; MSG
will happen to
services restricted by FQDN when you do so. DAMHIK!
--
Fred Morris
m3...@m3047.net
On Fri, 12 Jul 2019, Lefteris Tsintjelis via bind-users wrote:
I believe most modern firewalls allow them nowadays and the speeds are pretty
huge for such packets so I guess fragmentation by itself may not be as
noticeable, but everything all together adds up, and I mean including DNSSEC
and
Almost my point. It came to my attention the hard way that MDNS is
enabled by default or by accident in some Linux distros. Check
/etc/nsswitch.conf. Let us know what you find, and thanks a lot!
Longer answer: it depends on whether MDNS is in nsswitch, and what the
ordering is.
--
Fred