Lee, thanks for your quick answer. I applied the policy based on the rpz-nsip trigger instead of the mg.gov.br QNAME because of some other situations in my environment. Like I said earlier, the doubt is: why does the trigger work properly when there's no forward zone? In my opinion it shouldn't have different behaviour just because of a forward zone; at least I can't imagine why this is happening. The BIND version deployed is 9.11.4. I was imagining it could be a bug, and it seems the BIND 9.12 version has a fix related to this problem, but I'm not sure.

Thanks one more time.

Miguel Moreira
Gerente
DPR/SRE/GSR - Gerência de Serviços de Rede
+55(31)3339-1401
PRODEMGE - Companhia de Tecnologia da Informação do Estado de Minas Gerais

Notice: This message is intended exclusively for the person(s) to whom it is addressed and may contain confidential and legally protected information. Improper use will be handled according to company rules and the legislation in force. If you are not the intended recipient, please notify the sender; use, disclosure, copying and distribution are prohibited.

On Monday, March 25, 2019 18:37 -03, Lee <ler...@gmail.com> wrote:

On 3/25/19, Miguel Mucio Santos Moreira wrote:
>
> Hello everybody!

Hi!

> I have a problem with DNS-RPZ and forward zone working together.
> I've created a rpz zone with the following trigger on my recursive DNS
> Server:
> 18.0.0.198.200.rpz-nsip IN CNAME rpz-passthru.

Which means anybody can answer with a 200.198.0.0/18 address and it
will be accepted. .. probably not what you want.

> It means any query response coming from a DNS Server which IP address
> matching with the any IP address at entire CIDR block 200.198.0.0/18 will be
> answered with rpz-passthru
> It works perfectly for any domain hosted in my Authoritative DNS Servers.
> But when I apply on my recursive RPZ DNS Server a forward zone for those
> domains hosted on my Authoritative DNS Servers the problems appear and it is
> very weird.
>
> I have a mg.gov.br domain

I'd go with
  mg.gov.br IN CNAME rpz-passthru.
-- it's your domain so hopefully you can trust whatever answers it gives
  18.0.0.198.200.rpz-nsip IN CNAME .
-- nobody else gets to answer with your address space

Regards,
Lee

> and its NS Servers are zeus.prodemge.gov.br
> (200.198.5.13), titanio.prodemge.gov.br (200.198.5.5), tupan.prodemge.gov.br
> (200.198.4.4) and jupiter.prodemge.gov.br (200.198.5.2).
> If I perform a dig at my workstation using Recursive DNS with RPZ looking
> for any record in mg.gov.br domain, rpz-passthru policy is not applied,
> however if I perform a dig looking for any record in prodemge.gov.br domain
> and after that I perform the same dig as before it works properly.
>
> Note: Recursive DNS Servers and Authoritative DNS Servers are not the same.
>
> As workaround solution I applied 4 rpz-nsdname triggers above that one
> mentioned in the beginning of this email with my authoritative name servers with
> rpz-passthru policy.
> titanio.prodemge.gov.br.rpz-nsdname IN CNAME rpz-passthru.
> jupiter.prodemge.gov.br.rpz-nsdname IN CNAME rpz-passthru.
> tupan.prodemge.gov.br.rpz-nsdname IN CNAME rpz-passthru.
> zeus.prodemge.gov.br.rpz-nsdname IN CNAME rpz-passthru.
>
> I would like to understand why it didn't work without workaround solution,
> anyone has any idea about it?
>
> Thanks in advance
> --
>
> Miguel Moreira
> Gerente
> DPR/SRE/GSR - Gerência de Serviços de Rede
> +55(31)3339-1401
> PRODEMGE - Companhia de Tecnologia da Informação do Estado de Minas Gerais
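The records in this thread are easy to get wrong by hand: an rpz-nsip or rpz-ip trigger is written as the prefix length followed by the address octets in reverse order (for IPv6, the compressed address words reversed with "zz" standing in for "::"), and a QNAME trigger such as mg.gov.br matches only that exact name, so names below it need a separate *.mg.gov.br entry. The following script is an added example, not code from the thread, from ISC or from PRODEMGE. It encodes the triggers and assembles three variants discussed above: Miguel's original /18 passthru, Lee's suggestion (QNAME passthru for the domain plus NXDOMAIN for anyone else answering from that block), and the rpz-nsdname workaround. The zone origin, SOA/NS values and the *.mg.gov.br wildcard are my own assumptions.

```python
"""Build BIND RPZ records from CIDR blocks and name-server names.

Added example (not from the bind-users thread, ISC or PRODEMGE). Origin and
SOA/NS values below are constructed placeholders.
"""
import ipaddress
from typing import Iterable, List, Sequence


def rpz_ip_label(cidr: str) -> str:
    """Encode a network as the owner-name prefix of an rpz-ip / rpz-nsip trigger.

    IPv4: "<prefixlen>.<octet4>.<octet3>.<octet2>.<octet1>", so the thread's
    200.198.0.0/18 becomes "18.0.0.198.200".
    IPv6: prefix length, then the compressed address words in reverse order
    with "zz" in place of "::", so 2001:db8::1/128 becomes "128.1.zz.db8.2001".
    """
    net = ipaddress.ip_network(cidr, strict=False)  # host bits are masked off
    addr = net.network_address
    if net.version == 4:
        parts = str(addr).split(".")
    else:
        text = addr.compressed
        if "::" in text:
            left, right = text.split("::")
            parts = (left.split(":") if left else []) + ["zz"] + (right.split(":") if right else [])
        else:
            parts = text.split(":")
    return f"{net.prefixlen}." + ".".join(reversed(parts))


def rpz_records(qname_passthru: Sequence[str] = (), nsip_passthru: Sequence[str] = (),
                nsip_nxdomain: Sequence[str] = (), nsdname_passthru: Sequence[str] = ()) -> List[str]:
    """Return RPZ resource records, one per entry, relative to the zone origin."""
    records: List[str] = []
    for name in qname_passthru:       # QNAME trigger: the name being queried
        records.append(f"{name} IN CNAME rpz-passthru.")
    for cidr in nsip_passthru:        # NSIP trigger: address of the answering name server
        records.append(f"{rpz_ip_label(cidr)}.rpz-nsip IN CNAME rpz-passthru.")
    for cidr in nsip_nxdomain:        # "CNAME ." is the NXDOMAIN policy action
        records.append(f"{rpz_ip_label(cidr)}.rpz-nsip IN CNAME .")
    for ns in nsdname_passthru:       # NSDNAME trigger: name of the authoritative server
        records.append(f"{ns}.rpz-nsdname IN CNAME rpz-passthru.")
    return records


def rpz_zone(origin: str, records: Iterable[str]) -> str:
    """Wrap records in a minimal zone file; SOA/NS values are constructed placeholders."""
    header = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        "@ IN SOA localhost. hostmaster.localhost. 1 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    return "\n".join(header + list(records)) + "\n"


def thread_policies():
    """The three policies from the thread as record lists: original, Lee's, workaround."""
    original = rpz_records(nsip_passthru=["200.198.0.0/18"])
    suggested = rpz_records(qname_passthru=["mg.gov.br", "*.mg.gov.br"],  # wildcard is my addition
                            nsip_nxdomain=["200.198.0.0/18"])
    workaround = rpz_records(nsdname_passthru=[
        "titanio.prodemge.gov.br", "jupiter.prodemge.gov.br",
        "tupan.prodemge.gov.br", "zeus.prodemge.gov.br"])
    return original, suggested, workaround


if __name__ == "__main__":
    for label, recs in zip(("original", "suggested", "workaround"), thread_policies()):
        print(f"; --- {label} ---")
        print(rpz_zone("rpz.example", recs))  # "rpz.example" is a placeholder origin
```

The encoder is the part worth keeping around: it also handles IPv6 and per-host /32 entries (for example each authoritative server's address), so the same helper can produce the narrow NSIP rules Lee's reply favours instead of a whole /18.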