Where exactly is that to be added? I added it in the response-policy
statement, then I tried adding it in the options stanza, but rndc fails
every time.

On Fri, Nov 15, 2024 at 6:35 PM Blason R <blaso...@gmail.com> wrote:
>
> Hmmm - Ok let me try doing that.  Thanks for letting me know
>
> On Fri, Nov 15, 2024 at 3:43 PM Lee <ler...@gmail.com> wrote:
> >
> > On Thu, Nov 14, 2024 at 1:48 AM Blason R wrote:
> > >
> > > Hello Team,
> > >
> > > I am encountering an unusual problem. I am using BIND version
> > > 9.18.19-1+ubuntu22.04.1+isc+1-Ubuntu and have configured BIND RPZ. My
> > > objective is to block access to app.hubspot.com, for which I have
> > > established a zone.
> > >
> > > response-policy {
> > > zone "custom.block";
> > > ...
> > > ..
> > > }
> >
> > Try adding
> >
> >      break-dnssec yes
> >      recursive-only no
> >      qname-wait-recurse no;
> >
> > after the closing }
> >
> > > zone "custom.block" { type master; file "/var/lib/bind/zones/custom.block.db"; };
> > >
> > > And here is zone file
> > >
> > > $TTL 180
> > > @               IN      SOA     ns1.custom.block. ns1.custom.block.
> > > ( 2006060301 21600 3600 604800 3600 )
> >
> > I get an error - the left paren needs to be on the SOA line
> >
> > >             IN  NS    ns1.custom.block.
> >
> > try it with localhost.
> >
> > > ns1.custom.block.       IN  A   172.1.xx.xx
> > > wg.custom.block.        IN  A   172.1.xx.xx
> > > app.hubspot.com        CNAME   wg.custom.block.
> >
> > and remove the trailing periods.
> >
> > $ cat db.custom.block
> > $TTL 180
> > @       IN      SOA     localhost.  ns1.custom.block. (
> >         2006060301 21600 3600 604800 3600 )
> >         IN  NS    localhost.
> >
> > wg.custom.block        IN  A   172.19.2.3
> > app.hubspot.com        CNAME   wg.custom.block
> >
> >
> > >
> > > and then I have forwarders set forwarders {
> > >          1.1.1.1;9.9.9.9;
> > >              };
> > >
> > > and unfortunately this setup is not working for only this entry. I
> > > tried capturing packets and I see the packets are being forwarded
> > > directly to the forwarders; not sure why?
> >
> > Maybe because you're missing "qname-wait-recurse no" on the
> > response-policy stanza?
> > Or maybe because of something else... I do too much cargo-culting with BIND :(
> >
> > In any case:
> >
> > $ dig app.hubspot.com
> >
> > ; <<>> DiG 9.16.50-Debian <<>> app.hubspot.com
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59928
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 1432
> > ; COOKIE: 06ad2d9bbff3719e0100000067371d9e67f1acf5b18ff038 (good)
> > ;; QUESTION SECTION:
> > ;app.hubspot.com.               IN      A
> >
> > ;; ANSWER SECTION:
> > app.hubspot.com.        5       IN      CNAME   wg.custom.block.custom.block.
> > wg.custom.block.custom.block. 180 IN    A       172.19.2.3
> >
> >
> > Regards,
> > Lee
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
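The thread turns on how BIND qualifies names in the RPZ zone file: relative owner names and CNAME targets get the zone origin appended, which is why Lee's dig answer shows the target as wg.custom.block.custom.block., and why the QNAME trigger for app.hubspot.com has to exist as app.hubspot.com.custom.block. The following is an added example, not code from the thread or from BIND; it parses the corrected zone text Lee posted (embedded as constructed sample input) and checks which query names have a trigger in it.

```python
# Added example, not from the thread: qualify zone-file names the way
# BIND does, to check what the RPZ zone custom.block really holds.
ORIGIN = "custom.block."  # the RPZ zone name used in the thread
# Constructed sample: the corrected zone file from Lee's reply.
ZONE_TEXT = """\
$TTL 180
@       IN      SOA     localhost.  ns1.custom.block. (
        2006060301 21600 3600 604800 3600 )
        IN  NS    localhost.
wg.custom.block        IN  A   172.19.2.3
app.hubspot.com        CNAME   wg.custom.block
"""

def qualify(name, origin=ORIGIN):
    """'@' is the origin, a trailing dot means absolute; anything else is
    relative and gets the origin appended (the $ORIGIN rule)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def _logical_lines(text):
    """Join lines inside ( ... ) so a multi-line SOA is one record."""
    buf = ""
    for line in text.splitlines():
        buf = line if not buf else f"{buf} {line.strip()}"
        if buf.count("(") == buf.count(")"):
            yield buf
            buf = ""

def parse_rrs(text, origin=ORIGIN):
    """Records as (owner, type, rdata); owner and CNAME/NS targets qualified."""
    rrs, last_owner = [], origin
    for line in _logical_lines(text):
        if not line.strip() or line.startswith(("$", ";")):
            continue
        tokens = line.split()  # layout: [owner] [TTL] [IN] TYPE rdata
        owner = last_owner if line[0].isspace() else qualify(tokens.pop(0), origin)
        last_owner = owner
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)  # optional TTL and class
        rtype, rdata = tokens[0].upper(), " ".join(tokens[1:])
        if rtype in ("CNAME", "NS"):
            rdata = qualify(rdata, origin)
        rrs.append((owner, rtype, rdata))
    return rrs

def blocks_query(rrs, qname, origin=ORIGIN):
    """RPZ QNAME policy: named looks for the owner <qname>.<rpz zone>."""
    trigger = f"{qname.rstrip('.')}.{origin}"
    return any(owner == trigger for owner, _, _ in rrs)
```

Running parse_rrs(ZONE_TEXT) yields the CNAME owner app.hubspot.com.custom.block. with target wg.custom.block.custom.block., matching the dig output above; an owner written with a trailing dot would stay absolute and never become a trigger under the zone.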