For reference: BIND 9.9.4-P1, CentOS 6.4, 64-bit.

We use RPZ to CNAME all of the “bad” domains over to a catch-all type server that can display a message to the user. Until recently it has been working perfectly (or we thought it was :-P ).
The problem: RPZ appears to have stopped working properly about a month ago and we didn’t notice it until a domain we specifically added kept resolving. After doing some spot checking, a large portion of the domains in the RPZ zone work as expected. However, some of them are still getting recursively resolved. I’m at a complete loss as to why this is happening. We were running BIND 9.9.3-P2, but I upgraded it to 9.9.4-P1 in an attempt to fix it, with no luck. I’ve flushed the cache on all of our servers, and I’ve restarted the service on all of our servers. I’ve not restarted the actual servers, but I don’t think that would get us anywhere.

Here are some examples (note that NXDOMAIN responses are due to IDS blocking the resolution):

    $ host ads5.woamobile.com
    ads5.woamobile.com is an alias for catchall.utc.edu.
    catchall.utc.edu has address 192.168.56.23

    $ host WhateverIWantToPutHere.ads5.woamobile.com
    WhateverIWantToPutHere.ads5.woamobile.com is an alias for catchall.utc.edu.
    catchall.utc.edu has address 192.168.56.23

    $ host adsafeprotected.com
    Host adsafeprotected.com not found: 3(NXDOMAIN)

    $ host WhateverIWantToPutHere.adsafeprotected.com
    WhateverIWantToPutHere.adsafeprotected.com is an alias for catchall.utc.edu.
    catchall.utc.edu has address 192.168.56.23

    $ host conduit-services.com
    conduit-services.com is an alias for catchall.utc.edu.
    catchall.utc.edu has address 192.168.56.23

    $ host asdfasdf.conduit-services.com
    asdfasdf.conduit-services.com is an alias for catchall.utc.edu.
    catchall.utc.edu has address 192.168.56.23

    $ host sp-translation.conduit-services.com
    Host sp-translation.conduit-services.com not found: 3(NXDOMAIN)

And here is what’s in the zone file:

    ads5.woamobile.com     IN CNAME catchall.utc.edu.
    *.ads5.woamobile.com   IN CNAME catchall.utc.edu.
    adsafeprotected.com    IN CNAME catchall.utc.edu.
    *.adsafeprotected.com  IN CNAME catchall.utc.edu.
    conduit-services.com   IN CNAME catchall.utc.edu.
    *.conduit-services.com IN CNAME catchall.utc.edu.
I can provide other information as needed. Does anyone have any experience with RPZ and have a clue why it seems to be selectively resolving records? -Christopher
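One way to turn the spot checking described in the post into a repeatable audit, as an added example that is not part of the original message or of BIND: parse the quoted RPZ CNAME rules, compute which QNAME rule should fire for each query name (exact owner beats wildcard, and `*.x` never matches `x` itself; this is a simplified model that ignores the RFC 4592 closest-encloser nuance), and compare that to the answers the resolver actually gave. The observed answers are a constructed copy of the host(1) output above.

```python
import re

# Constructed copy of the RPZ zone fragment quoted in the post.
RPZ_ZONE = """\
ads5.woamobile.com IN CNAME catchall.utc.edu.
*.ads5.woamobile.com IN CNAME catchall.utc.edu.
adsafeprotected.com IN CNAME catchall.utc.edu.
*.adsafeprotected.com IN CNAME catchall.utc.edu.
conduit-services.com IN CNAME catchall.utc.edu.
*.conduit-services.com IN CNAME catchall.utc.edu.
"""

# Constructed from the host(1) output in the post; None = not rewritten.
OBSERVED = {
    "ads5.woamobile.com": "catchall.utc.edu.",
    "WhateverIWantToPutHere.ads5.woamobile.com": "catchall.utc.edu.",
    "adsafeprotected.com": None,
    "WhateverIWantToPutHere.adsafeprotected.com": "catchall.utc.edu.",
    "conduit-services.com": "catchall.utc.edu.",
    "asdfasdf.conduit-services.com": "catchall.utc.edu.",
    "sp-translation.conduit-services.com": None,
}

def parse_rpz(text):
    """Return {owner: cname_target} for every CNAME rule in the fragment."""
    rules = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+IN\s+CNAME\s+(\S+)\s*$", line.strip(), re.I)
        if m:
            rules[m.group(1).lower().rstrip(".")] = m.group(2).lower()
    return rules

def matching_rule(qname, rules):
    """Owner of the most specific rule that should fire for qname, or None.
    An exact owner wins; otherwise try wildcards from the longest parent down,
    so *.x only matches names with at least one label below x."""
    name = qname.lower().rstrip(".")
    if name in rules:
        return name
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in rules:
            return candidate
    return None

def audit(observed, rules):
    """Sorted list of query names whose answer disagrees with the policy."""
    bad = []
    for qname, answer in observed.items():
        rule = matching_rule(qname, rules)
        expected = rules[rule] if rule else None
        if expected != answer:
            bad.append(qname)
    return sorted(bad)
```

Running `audit(OBSERVED, parse_rpz(RPZ_ZONE))` lists exactly the two names from the post that resolved past the policy, which is the list to hand to the resolver logs or `rndc` for further digging.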