I'm attempting to set up a response policy zone on a pair of forwarders
running BIND, version 9.8.1 on the master for the zone, and version 9.9.5
on the slave.

The forwarding requests are coming from a pair of Microsoft DNS servers,
running Server 2012.

If the Microsoft DNS server is configured to forward to the master, the
clients get the correct responses, e.g. "evil.example.com" resolves to
127.0.0.1, just as I have it set up in the zone file for the RPZ. However,
if the Microsoft DNS server is configured to use the slave server as a
forwarder, the client gets an NXDOMAIN response.

Clients that query the BIND servers (master or slave) directly get the
correct 127.0.0.1 response.

I've confirmed that changing the slave into a master for the RPZ fixes the
problem.

It seems like the Microsoft DNS servers for some reason don't regard the
BIND server configured as a slave as authoritative, but I'm not sure why
that might be.

Any thoughts?

--
Brock Sides
philar...@gmail.com

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
