Hello everybody!

I have a problem with DNS-RPZ and forward zone working together.
I've created a rpz zone with the following trigger on my recursive DNS Server:
18.0.0.198.200.rpz-nsip IN CNAME rpz-passthru.

It means any query response coming from a DNS server whose IP address matches 
any IP address in the entire CIDR block 200.198.0.0/18 will be answered 
with rpz-passthru.
It works perfectly for any domain hosted in my Authoritative DNS Servers.
But when I apply on my recursive RPZ DNS server a forward zone for those 
domains hosted on my authoritative DNS servers, the problems appear, and it is 
very weird.

I have a mg.gov.br domain and its NS Servers are zeus.prodemge.gov.br 
(200.198.5.13), titanio.prodemge.gov.br (200.198.5.5), tupan.prodemge.gov.br 
(200.198.4.4) and jupiter.prodemge.gov.br (200.198.5.2).
If I perform a dig at my workstation using the recursive DNS with RPZ looking for 
any record in the mg.gov.br domain, the rpz-passthru policy is not applied; however, if 
I perform a dig looking for any record in the prodemge.gov.br domain and after that 
I perform the same dig as before, it works properly.


Note: Recursive DNS Servers and Authoritative DNS Servers are not the same.

As a workaround solution I applied, above the one mentioned at the beginning of 
this email, 4 rpz-nsdname triggers with my authoritative name servers and the 
rpz-passthru policy.
titanio.prodemge.gov.br.rpz-nsdname IN CNAME rpz-passthru.
jupiter.prodemge.gov.br.rpz-nsdname IN CNAME rpz-passthru.
tupan.prodemge.gov.br.rpz-nsdname IN CNAME rpz-passthru.
zeus.prodemge.gov.br.rpz-nsdname IN CNAME rpz-passthru.

I would like to understand why it didn't work without the workaround solution; 
does anyone have any idea about it?

Thanks in advance
--

Miguel Moreira
Manager
DPR/SRE/GSR - Network Services Management
+55(31)3339-1401
PRODEMGE - Companhia de Tecnologia da Informação do Estado de Minas Gerais


Notice: This message is intended exclusively for the person(s) to whom it is 
addressed and may contain confidential and legally protected information. 
Improper use will be handled according to company rules and the legislation in 
force. If you are not the intended recipient, please notify the sender; use, 
disclosure, copying and distribution are prohibited.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
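An added example to accompany the post above; it is not the poster's configuration and not BIND code. It models how the two trigger types used in this thread are decoded and matched: an rpz-nsip owner name carries the prefix length followed by the reversed octets (so `18.0.0.198.200.rpz-nsip` denotes 200.198.0.0/18), and an rpz-nsdname owner name carries the name server's name. The policy table is constructed from the triggers quoted in the post, the name-server names and addresses are the ones the post lists, and the wildcard handling for nsdname and the "no NS data known yet" case are assumptions of this model, included to show that an NSIP trigger has nothing to compare against until the resolver knows the zone's name-server addresses, whereas an NSDNAME trigger only needs the names. IPv4 triggers only.

```python
"""Model of RPZ NSIP / NSDNAME trigger matching (illustrative, not BIND code)."""
import ipaddress
from typing import Dict, Iterable, Optional

# Constructed policy table mirroring the triggers quoted in the post.
POLICY: Dict[str, str] = {
    "18.0.0.198.200.rpz-nsip": "rpz-passthru",
    "titanio.prodemge.gov.br.rpz-nsdname": "rpz-passthru",
    "jupiter.prodemge.gov.br.rpz-nsdname": "rpz-passthru",
    "tupan.prodemge.gov.br.rpz-nsdname": "rpz-passthru",
    "zeus.prodemge.gov.br.rpz-nsdname": "rpz-passthru",
}


def parse_nsip_trigger(owner: str) -> ipaddress.IPv4Network:
    """Decode 'PREFIX.B4.B3.B2.B1.rpz-nsip' into an IPv4 network (IPv4 only here)."""
    labels = owner.rstrip(".").split(".")
    if labels[-1] != "rpz-nsip" or len(labels) != 6:
        raise ValueError(f"not an IPv4 rpz-nsip trigger: {owner}")
    prefixlen = int(labels[0])
    address = ".".join(reversed(labels[1:-1]))  # octets are stored reversed
    return ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)


def parse_nsdname_trigger(owner: str) -> str:
    """Return the name-server name (lower-cased, no trailing dot) the trigger targets."""
    labels = owner.rstrip(".").split(".")
    if labels[-1] != "rpz-nsdname":
        raise ValueError(f"not an rpz-nsdname trigger: {owner}")
    return ".".join(labels[:-1]).lower()


def nsdname_matches(pattern: str, ns_name: str) -> bool:
    """Exact match, or (assumed wildcard form) '*.suffix' matching names below suffix."""
    ns_name = ns_name.rstrip(".").lower()
    if pattern.startswith("*."):
        return ns_name.endswith(pattern[1:])  # pattern[1:] keeps the leading dot
    return ns_name == pattern


def rpz_ns_action(ns_names: Iterable[str], ns_addrs: Iterable[str],
                  policy: Dict[str, str] = POLICY) -> Optional[str]:
    """Apply NSIP/NSDNAME triggers to the NS data the resolver knows for the zone.

    ns_names: name-server names known for the queried name's zone.
    ns_addrs: their addresses, as strings.  Either may be empty, which models a
    resolver that has not (yet) learned that part of the zone's NS data.
    Returns the action of the first matching trigger, or None when nothing matches.
    """
    addrs = [ipaddress.ip_address(a) for a in ns_addrs]
    names = list(ns_names)
    for owner, action in policy.items():
        if owner.endswith(".rpz-nsip"):
            net = parse_nsip_trigger(owner)
            if any(a.version == 4 and a in net for a in addrs):
                return action
        elif owner.endswith(".rpz-nsdname"):
            pattern = parse_nsdname_trigger(owner)
            if any(nsdname_matches(pattern, n) for n in names):
                return action
    return None


if __name__ == "__main__":
    # Name servers and addresses as listed in the post.
    ns = ["zeus.prodemge.gov.br", "titanio.prodemge.gov.br",
          "tupan.prodemge.gov.br", "jupiter.prodemge.gov.br"]
    ips = ["200.198.5.13", "200.198.5.5", "200.198.4.4", "200.198.5.2"]
    nsip_only = {"18.0.0.198.200.rpz-nsip": "rpz-passthru"}
    print(parse_nsip_trigger("18.0.0.198.200.rpz-nsip"))   # 200.198.0.0/18
    print(rpz_ns_action(ns, ips, nsip_only))  # rpz-passthru: an NS address is in the block
    print(rpz_ns_action([], [], nsip_only))   # None: no NS data known, nothing to compare
    print(rpz_ns_action(ns, [], nsip_only))   # None: names alone cannot satisfy an NSIP trigger
    print(rpz_ns_action(ns, []))              # rpz-passthru: the NSDNAME triggers need only names
```

The last three calls reproduce the pattern the post describes in miniature: with only the NSIP trigger in place, the action depends entirely on whether the resolver holds the name servers' addresses, while the NSDNAME workaround matches as soon as the NS names are known. When debugging a setup like this, the thing to check is therefore what NS data the recursive server actually has for the forwarded zone at the moment the policy is evaluated.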