I have not yet received an answer to my query. It appears that when using RPZ to return bogus addresses it will respond to queries for CNAME, MX, and SRV records. However, if the target name of those records is expected to resolve outside of RPZ, then the name needs to be terminated with a period (normal FQDN). If the target name is in RPZ it should not be terminated with a period. Apparently when doing the recursion required to resolve the target names, bind doesn't use RPZ. Is this the correct behaviour? Details are in my previous posts.
Regards,

Bob

On Thu, Apr 16, 2015 at 2:07 PM, Bob McDonald <bmcdonal...@gmail.com> wrote:
> Requested information:
>
> options {
>     directory "/opt/incontrol/dns/db";
>     allow-query { 127.0.0.1; rfc1918-nets; };
>     also-notify { 172.26.100.10 port 5053 ; 172.26.100.11 ; };
>     listen-on { 127.0.0.1; };
>     listen-on { 172.26.99.160; };
>     listen-on-v6 { none; };
>     masterfile-format text;
>     empty-zones-enable no;
>     notify-source 172.26.99.160 ;
>     version none;
>     server-id hostname ;
>     query-source address 172.26.99.160 ;
>     forward only ;
>     forwarders { 172.26.1.9; 172.26.1.12; };
>     allow-notify { any ; };
>     allow-transfer { any; };
>     allow-update { any ; };
>     response-policy { zone "rpz-zone01" policy given max-policy-ttl 28800 ;
>                       zone "rpz-zone02" policy given max-policy-ttl 28800 ; };
>     notify explicit ;
>     transfer-source 172.26.99.160 ;
>     check-names master warn ;
>     check-names slave warn ;
>     pid-file "/opt/incontrol/etc/named.pid";
> };
>
> zone "rpz-zone01" {
>     type master;
>     file "db.rpz-zone01";
>     forwarders { };
> };
>
> zone "rpz-zone02" {
>     type master;
>     file "db.rpz-zone02";
>     forwarders { };
> };
>
> $TTL 28800
>
> @ IN SOA sapphire-x5-agent.pcn.local. hostmaster.pcn-inc.com. (
>         9        ; Serial
>         86400    ; Refresh
>         900      ; Retry
>         3600000  ; Expire
>         300 )    ; Negative cache TTL
>
> ;-----------------------------
> ; NS Records
> ;-----------------------------
>     NS sapphire-x5-agent.pcn.local.
>     NS sapphire-agent-00.pcn.local.
> sapphire-x5-agent.pcn.local.  IN A 172.26.99.160
> sapphire-agent-00.pcn.local.  IN A 172.26.100.11
>
> ;-----------------------------
> ; Resource Records for rpz-zone02.
> ;-----------------------------
> $ORIGIN rpz-zone02.
> $TTL 28800
>
> www.arqiva.com              28800 IN CNAME www.arqiva-integration.com.
> www.arqiva-integration.com  28800 IN A     83.138.41.100
>
> Let me know what else you need.
>
> Regards,
>
> Bob
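The trailing-period behaviour described above is the ordinary master-file rule: a name that does not end in "." gets the current $ORIGIN appended, so an unterminated CNAME/MX/SRV target becomes a name inside the RPZ zone, while a terminated one stays a normal FQDN. The following script is an added illustration, not code from this thread or from BIND; it parses a small zone fragment built from the thread's record plus constructed `.example` names and the documentation address 192.0.2.1, and shows only the name expansion, not how named then resolves the target.

```python
# Constructed RPZ zone fragment modelled on the thread's (.example names and 192.0.2.1 are placeholders).
SAMPLE_ZONE = """\
$ORIGIN rpz-zone02.
www.arqiva.com        28800 IN CNAME www.arqiva-integration.com. ; FQDN, outside RPZ
www.bad.example       28800 IN CNAME sinkhole.bad.example        ; relative, inside RPZ
sinkhole.bad.example  28800 IN A     192.0.2.1
mail.bad.example      28800 IN MX    10 mx.bad.example
"""

def _fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."

def absolutize(name: str, origin: str) -> str:
    """RFC 1035 master-file rule: '@' is the origin, a name ending in '.' is
    already absolute, anything else gets the current $ORIGIN appended."""
    if name == "@":
        return _fqdn(origin)
    return name if name.endswith(".") else f"{name}.{_fqdn(origin)}"

def rpz_trigger(owner: str, rpz_zone: str) -> str:
    """QNAME an RPZ record fires on: the owner name minus the RPZ zone suffix."""
    suffix = "." + _fqdn(rpz_zone)
    if not owner.endswith(suffix):
        raise ValueError(f"{owner} is not inside {_fqdn(rpz_zone)}")
    return owner[: -len(suffix)] + "."

def parse_rpz(text: str, rpz_zone: str) -> list[dict]:
    """Parse '<owner> [ttl] IN <type> <rdata>' lines honouring $ORIGIN and
    report whether each name-valued target ends up inside the RPZ zone."""
    origin, records = _fqdn(rpz_zone), []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip comments
        if not line or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        rtype, target = fields[fields.index("IN") + 1], fields[-1]
        if rtype in ("CNAME", "MX", "SRV", "NS", "PTR"):  # rdata is a name
            target = absolutize(target, origin)
        records.append({
            "trigger": rpz_trigger(absolutize(fields[0], origin), rpz_zone),
            "type": rtype, "target": target,
            "target_in_rpz": target.endswith("." + _fqdn(rpz_zone)),
        })
    return records

if __name__ == "__main__":
    for r in parse_rpz(SAMPLE_ZONE, "rpz-zone02"):
        print(r["trigger"], r["type"], "->", r["target"], "(in RPZ)" if r["target_in_rpz"] else "(outside RPZ)")
```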
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users