On Fri, Aug 10, 2018 at 10:53 PM Blason R <blaso...@gmail.com> wrote:
> In fact what I observed is that the intermediate DNS servers are not
> forwarding the queries for .com and .net servers to my RPZ servers and it
> tries to resolve directly on his own from TLD servers
>

You need to work on the intermediate server to get it to forward. If it is running Microsoft DNS, then I don't know enough to help you with that.

I would suggest that you have the RPZ server be a 'slave' for the 'test.com' zone (and all the zones that the AUTH server has). Then point users directly at the RPZ server.

--
Bob Harold

> 192.168.3.72 End User
> 192.168.3.15 [AUTH Server for test.com] and has forwarder to
> 192.168.3.44 [RPZ]
>
> So, 3.15 should only resolve for test.com else all queries should be
> forwarded to 192.168.3.44
>
> *Which is not happening.*
>
> dig 003bbhq9.com
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> 003bbhq9.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6844
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;003bbhq9.com. IN A
>
> *;; AUTHORITY SECTION:*
> *com. 530 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1533954938 1800 900 604800 86400*
>
> ;; Query time: 0 msec
> ;; SERVER: 192.168.3.15#53(192.168.3.15)
> ;; WHEN: Sat Aug 11 08:12:17 IST 2018
> ;; MSG SIZE rcvd: 114
>
>
> On Sat, Aug 11, 2018 at 7:57 AM Blason R <blaso...@gmail.com> wrote:
>
>> Ok - Now I added like this and it disappeared.
>>
>> response-policy { zone "whitelist.allow" policy passthru;
>> zone "malware.trap";
>> zone "ransomwareips.block"; } qname-wait-recurse
>> no break-dnssec no;
>>
>>
>> On Sat, Aug 11, 2018 at 7:51 AM Blason R <blaso...@gmail.com> wrote:
>>
>>> This is not accepting and giving me a syntax error.
>>>
>>> named-checkconf /etc/bind/named.conf
>>> /etc/bind/named.conf.options:29: syntax error near '}'
>>>
>>>
>>> And here is what I added
>>>
>>> response-policy { zone "whitelist.allow" policy passthru;
>>> zone "malware.trap";
>>> zone "ransomwareips.block"; } qname-wait-recurse
>>> no break-dnssec no; };
>>>
>>>
>>>
>>> On Sat, Aug 11, 2018 at 1:17 AM Carl Byington <c...@byington.org> wrote:
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA512
>>>>
>>>> On Fri, 2018-08-10 at 13:17 +0530, Blason R wrote:
>>>> > Nah I don't think that is the answer since you need a termination after
>>>> > clause.
>>>>
>>>> Did you actually try the answer below?
>>>>
>>>>
>>>> > On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov <pvm_...@mail.ru> wrote:
>>>>
>>>> > Should be:
>>>>
>>>>
>>>> > response-policy {zone "whitelist.allow" policy passthru;
>>>> > zone "malware.trap";
>>>> > zone "ransomwareips.block";
>>>> > } qname-wait-recurse no break-dnssec no;
>>>>
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
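
The two suggestions in the reply above, written out as BIND configuration. This is an added example, not part of the original thread: it assumes the intermediate server 192.168.3.15 runs BIND (the thread does not say what it runs), and the zone file names are hypothetical.

```conf
# ---- 192.168.3.15: authoritative for test.com, forwards everything else ----
# Assumption: this server runs BIND. File names are hypothetical.
options {
    recursion yes;
    forwarders { 192.168.3.44; };
    # "forward first" (the default) falls back to resolving from the
    # root/TLD servers when the forwarder gives no answer.
    # "forward only" never does, so every non-local name goes to the RPZ server.
    forward only;
};

zone "test.com" {
    type master;
    file "/etc/bind/db.test.com";          # hypothetical path
    allow-transfer { 192.168.3.44; };      # let the RPZ server pull the zone
};

# ---- 192.168.3.44: RPZ server, also a slave for test.com ----
# With the zone held locally, users can point directly at this server.
options {
    recursion yes;
    # The per-policy options follow the closing brace of the zone list,
    # and the whole statement ends with a single semicolon.
    response-policy {
        zone "whitelist.allow" policy passthru;
        zone "malware.trap";
        zone "ransomwareips.block";
    } qname-wait-recurse no break-dnssec no;
};

zone "test.com" {
    type slave;
    masters { 192.168.3.15; };
    file "/var/cache/bind/db.test.com";    # hypothetical path
};

# The three policy zones (whitelist.allow, malware.trap, ransomwareips.block)
# keep their existing zone statements, which are not shown here.
```

Running `named-checkconf` on each server, as in the thread, confirms the syntax before reloading.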