Hello...

On Wed, 23 Oct 2019, Andrey Geyn wrote:
[...]
I don't understand why your tests for "cname.example.com" and 
"cname.test.m3047.net" differ
(first one returns only CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM.

I didn't understand this either. Is it something about caching perhaps? I thought perhaps example.com, being well-known, was somehow confounding the results.

second one returns two RRs:
CNAME.TEST.M3047.NET.   5       IN      CNAME   ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET.  7200    IN      A       209.221.140.128)

Notwithstanding that this is WRONG, because actual.test.m3047.net is in the RPZ, it did try to follow the CNAME chain; it just failed to apply the policy to the A record. However, querying the RPZ explicitly:

CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN CNAME ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET. 5 IN A 10.10.10.10

would /appear/ to be retrieving the result for the CNAME from the RPZ as a regular zone not a policy zone, as intended, but then subjects the A record to the RPZ policy!

23.10.2019, 21:49, "m3047" <m3...@m3047.net>:
[...]
# dig cname.example.com

; <<>> DiG 9.8.3-P1 <<>> cname.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40161
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;cname.example.com. IN A

;; ANSWER SECTION:
CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM.

;; AUTHORITY SECTION:
EXAMPLE.COM. 3600 IN SOA ns.icann.org.
noc.dns.icann.org. 2019101506 7200 3600 1209600 3600

;; ADDITIONAL SECTION:
rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
260 600 60 86400 600

;; Query time: 1142 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:03:34 2019
;; MSG SIZE rcvd: 209

# dig test.example.com

; <<>> DiG 9.8.3-P1 <<>> test.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28409
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;test.example.com. IN A

;; ANSWER SECTION:
TEST.EXAMPLE.COM. 5 IN A 10.10.10.10

;; AUTHORITY SECTION:
rpz1.m3047.net. 900 IN NS LOCALHOST.

;; ADDITIONAL SECTION:
rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
260 600 60 86400 600

;; Query time: 10 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:04:38 2019
;; MSG SIZE rcvd: 162

# dig cname.example.com.rpz1.m3047.net

; <<>> DiG 9.8.3-P1 <<>> cname.example.com.rpz1.m3047.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54923
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;cname.example.com.rpz1.m3047.net. IN A

;; ANSWER SECTION:
CNAME.EXAMPLE.COM.rpz1.m3047.net. 600 IN CNAME TEST.EXAMPLE.COM.
TEST.EXAMPLE.COM. 5 IN A 10.10.10.10

;; AUTHORITY SECTION:
rpz1.m3047.net. 900 IN NS LOCALHOST.

;; ADDITIONAL SECTION:
rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
260 600 60 86400 600

;; Query time: 8 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:07:46 2019
;; MSG SIZE rcvd: 224

Python 3.7.4 (v3.7.4:e09359112e, Jul 8 2019, 14:54:52)
[Clang 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from socket import getaddrinfo
>>> getaddrinfo('cname.example.com',80)

[(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
<SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]

# net-dns.pl add rpz cname.test.m3047.net CNAME actual.test.m3047.net.
# net-dns.pl add rpz actual.test.m3047.net A 10.10.10.10

Note that *.m3047.net is wildcarded.

# dig cname.test.m3047.net

; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23767
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;cname.test.m3047.net. IN A

;; ANSWER SECTION:
CNAME.TEST.M3047.NET. 5 IN CNAME ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET. 7200 IN A 209.221.140.128

;; AUTHORITY SECTION:
m3047.net. 7200 IN NS dns1.encirca.net.
m3047.net. 7200 IN NS dns2.encirca.net.

;; ADDITIONAL SECTION:
rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
262 600 60 86400 600
dns1.encirca.net. 97039 IN A 108.166.170.106
dns2.encirca.net. 97039 IN A 64.62.200.132

;; Query time: 178 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:25:08 2019
;; MSG SIZE rcvd: 249

Python 3.7.4 (v3.7.4:e09359112e, Jul 8 2019, 14:54:52)
[Clang 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from socket import getaddrinfo
>>> getaddrinfo('cname.test.m3047.net',80)

[(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
<SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]

# dig cname.test.m3047.net.rpz1.m3047.net

; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net.rpz1.m3047.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61953
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;cname.test.m3047.net.rpz1.m3047.net. IN A

;; ANSWER SECTION:
CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN CNAME ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET. 5 IN A 10.10.10.10

;; AUTHORITY SECTION:
rpz1.m3047.net. 900 IN NS LOCALHOST.

;; ADDITIONAL SECTION:
rpz1.m3047.net. 1 IN SOA DEV.NULL. M3047.M3047.NET.
262 600 60 86400 600

;; Query time: 8 msec
;; SERVER: 10.0.0.220#53(10.0.0.220)
;; WHEN: Wed Oct 23 09:41:29 2019
;; MSG SIZE rcvd: 235
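The failure the thread is chasing (the RPZ rewrites the CNAME, but the address behind it escapes the policy) can be checked mechanically from a resolver's answer section. This is an added example, not code from the post or from BIND: it parses records in the presentation format dig prints, walks the CNAME chain from the queried name, and reports whether the terminal address is the walled-garden 10.10.10.10 that the thread's RPZ records use; the sample record lines are copied from the thread as constructed input.

```python
"""Walk the CNAME chain in a resolver's answer and report whether the RPZ
policy reached the terminal address records.  Added example for this thread
(not code from the post or from BIND); record lines are in the presentation
format dig prints, and 10.10.10.10 is the walled-garden address of its RPZ."""
from collections import defaultdict
WALLED_GARDEN = "10.10.10.10"

def norm(name):
    """DNS names compare case-insensitively; make them lower-case and absolute."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def parse_rrs(text):
    """Return {owner: [(type, rdata), ...]} from 'owner ttl class type rdata' lines."""
    rrs = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue  # blank line or dig comment
        rtype, rdata = parts[3].upper(), parts[4]
        rrs[norm(parts[0])].append((rtype, norm(rdata) if rtype == "CNAME" else rdata))
    return rrs

def chase(rrs, qname):
    """Follow CNAMEs from qname; return the terminal address records."""
    name, seen = norm(qname), set()
    while name not in seen:  # 'seen' stops a CNAME loop
        seen.add(name)
        addrs = [rd for t, rd in rrs.get(name, []) if t in ("A", "AAAA")]
        if addrs:
            return addrs
        targets = [rd for t, rd in rrs.get(name, []) if t == "CNAME"]
        if not targets:
            break  # chain dangles, e.g. NXDOMAIN after the CNAME
        name = targets[0]
    return []

def rpz_status(answer_text, qname, garden=WALLED_GARDEN):
    """'policy': every terminal address is the walled-garden address;
    'leak': a real address came back behind the CNAME; 'dangling': no address."""
    addrs = chase(parse_rrs(answer_text), qname)
    if not addrs:
        return "dangling"
    return "policy" if all(a == garden for a in addrs) else "leak"

# Answer sections copied from the thread (constructed test input).
POLICED = """CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN CNAME ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET. 5 IN A 10.10.10.10"""
LEAKED = """CNAME.TEST.M3047.NET.   5       IN      CNAME   ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET.  7200    IN      A       209.221.140.128"""
DANGLING = "CNAME.EXAMPLE.COM. 5 IN CNAME TEST.EXAMPLE.COM."
```

Running `rpz_status` over the thread's three answers gives `policy` for the explicit RPZ query, `leak` for the recursive cname.test.m3047.net lookup, and `dangling` for the NXDOMAIN cname.example.com case.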
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users