Re: What is the equivalent of this dnsmasq configuration

2023-06-19 Thread Crist Clark
Pretty much a precise use case for RPZ (Response Policy Zones). Google it or search the BIND docs for RPZ. On Sun, Jun 18, 2023 at 8:37 PM public1020 via bind-users <bind-users@lists.isc.org> wrote: > I need to hijack certain domains and not its subdomains, so I use dnsmasq > to achieve it: > >

RE: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread sami . rahal
Hello Thank you for your feedback, yes it works like that! for that does not work for a domain name that already has the return code "SERVFAIL" and we want to change this code by "NXDOMAIN" like this domain name "antlauncher.com" regards Rahal -Original Message- From: bind-users De

RE: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread sami . rahal
Hello Thank you for these details Greg, by the way I worked on a problem on one of my resolvers and there are no errors of type "SERVFAIL" currently for valid domain names but I receive servfail for this domain name "antlauncher.com" that's why I wanted to change the return code for this domain

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
Hi Sami. Firstly, a couple of definitions: NXDOMAIN is a response from an authoritative server (or a resolver because it cached it). It is a positive confirmation that "this name does not exist". It means that the QNAME in the query cannot be found, for any record type. SERVFAIL is a response from

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
That's because this domain is broken. The NS for it are: antlauncher.com: type NS, class IN, ns ns1626.ztomy.com (204.11.56.26) antlauncher.com: type NS, class IN, ns ns2626.ztomy.com (204.11.57.26) No matter what query you send them (so far) they respond with REFUSED and claim not to be

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Lee
On 6/19/23, sami.rahal wrote: > Thank you Greg > > I tested with other domain name to replace "SERVFAIL" with "NXDOMAIN" is it > not working You're missing "break-dnssec yes" on your response-policy stanza? You need something like response-policy { zone "rpz.mozilla"; zone "rpz.zone"; }

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
From the correct email alias this time! On Mon, 19 Jun 2023 at 16:50, Greg Choules wrote: > Hi Lee/Sami. > `break-dnssec yes;` *may* also be needed in some cases. But not here as > the zone isn't signed anyway. > > The reason that "example.com" works but "antlauncher.com" doesn't is down > to

RE: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread sami . rahal
Thank you Greg I tested with other domain name to replace "SERVFAIL" with "NXDOMAIN" is it not working I use CentOS7 with BIND9.16.41 grep antlauncher db.rpz antlauncher.com CNAME . *.antlauncher.com CNAME . grep example db.rpz example.com

RE: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread sami . rahal
Thank you Greg So if I understand correctly if we receive a servfail return code we can not modify this code by nxdomain with the rpz configuration? Regards From: Greg Choules Sent: Monday, 19 June 2023 12:02 To: RAHAL Sami SOFRECOM Cc: bind-users@lists.isc.org Subject: Re: replace "SERVFAIL"

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread Greg Choules via bind-users
Hi Sami. That's not what I said. Yes, you can do this with RPZ if you want - it's all in the BIND ARM - but it's not something I would do. Cheers, Greg On Mon, 19 Jun 2023 at 12:40, wrote: > Thank you Greg > > So if I understand correctly if we receive a servfail return code we can > not