RPZ seems to be hit and miss
For reference:
BIND 9.9.4-P1
CentOS 6.4
64bit arch

We use RPZ to CNAME all of the “bad” domains over to a catch-all type server that can display a message to the user. Until recently it has been working perfectly (or we thought it was :-P ).

The problem:
RPZ appears to have stopped working properly about a month ago and we didn’t notice it until a domain we specifically added kept resolving. After doing some spot checking, a large portion of the domains in the RPZ zone work as expected. However, some of them are still getting recursively resolved. I’m at a complete loss as to why this is happening.

We were running BIND 9.9.3-P2, but I upgraded it to 9.9.4-P1 in an attempt to fix it, with no luck. I’ve flushed the cache on all of our servers, I’ve restarted the service on all of our servers. I’ve not restarted the actual servers, but I don’t think that would get us anywhere.

Here are some examples (note that NXDOMAIN responses are due to IDS blocking the resolution):

    $ host ads5.woamobile.com
    ads5.woamobile.com is an alias for catchall.utc.edu.
    catchall.utc.edu has address 192.168.56.23

    $ host WhateverIWantToPutHere.ads5.woamobile.com
    WhateverIWantToPutHere.ads5.woamobile.com is an alias for catchall.utc.edu.
    catchall.utc.edu has address 192.168.56.23

    $ host adsafeprotected.com
    Host adsafeprotected.com not found: 3(NXDOMAIN)

    $ host WhateverIWantToPutHere.adsafeprotected.com
    WhateverIWantToPutHere.adsafeprotected.com is an alias for catchall.utc.edu.
    catchall.utc.edu has address 192.168.56.23

    $ host conduit-services.com
    conduit-services.com is an alias for catchall.utc.edu.
    catchall.utc.edu has address 192.168.56.23

    $ host asdfasdf.conduit-services.com
    asdfasdf.conduit-services.com is an alias for catchall.utc.edu.
    catchall.utc.edu has address 192.168.56.23

    $ host sp-translation.conduit-services.com
    Host sp-translation.conduit-services.com not found: 3(NXDOMAIN)

And here is what’s in the zone file:

    ads5.woamobile.com IN CNAME catchall.utc.edu.
    *.ads5.woamobile.comIN CNAME catchall.utc.edu.
    adsafeprotected.com IN CNAME catchall.utc.edu.
    *.adsafeprotected.com IN CNAME catchall.utc.edu.
    conduit-services.comIN CNAME catchall.utc.edu.
    *.conduit-services.com IN CNAME catchall.utc.edu.

I can provide other information as needed. Does anyone have any experience with RPZ and have a clue why it seems to be selectively resolving records?

-Christopher

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
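A small audit script for a report like the one above, added here as an example; it is my own code, not anything from the post or from BIND. It parses the CNAME policy lines quoted in the post, emulates RPZ QNAME matching (an exact owner name wins, otherwise the closest enclosing `*.` wildcard, which is how I understand the closest-match rule), and compares the result with the `host` output the poster saw, so a "hit and miss" complaint turns into a list of the specific names that disagree with the policy. Two of the zone lines as quoted have no whitespace between the owner and `IN`; since the post's own output shows `conduit-services.com` itself being rewritten, that is most likely lost in transcription, but the parser still warns about such lines because a master-file parser would otherwise read `conduit-services.comIN` as the owner name. The function names, the `OBSERVED` table (built from the `host` output) and the zone text (copied from the post) are all constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the zone lines quoted in the post, reproduced as they
# appear there (two lines have no whitespace before "IN").
RPZ_ZONE_TEXT = """\
ads5.woamobile.com IN CNAME catchall.utc.edu.
*.ads5.woamobile.comIN CNAME catchall.utc.edu.
adsafeprotected.com IN CNAME catchall.utc.edu.
*.adsafeprotected.com IN CNAME catchall.utc.edu.
conduit-services.comIN CNAME catchall.utc.edu.
*.conduit-services.com IN CNAME catchall.utc.edu.
"""

# Constructed from the `host` output in the post: the CNAME target that was
# returned, or None where the name was NOT rewritten (normal resolution, or
# the NXDOMAIN the poster attributes to the IDS).
OBSERVED: Dict[str, Optional[str]] = {
    "ads5.woamobile.com": "catchall.utc.edu.",
    "WhateverIWantToPutHere.ads5.woamobile.com": "catchall.utc.edu.",
    "adsafeprotected.com": None,
    "WhateverIWantToPutHere.adsafeprotected.com": "catchall.utc.edu.",
    "conduit-services.com": "catchall.utc.edu.",
    "asdfasdf.conduit-services.com": "catchall.utc.edu.",
    "sp-translation.conduit-services.com": None,
}

# owner, optional whitespace (captured so a missing gap can be reported),
# class IN, CNAME, target.  The zone in the post carries no TTLs.
RR_LINE = re.compile(r"^(?P<owner>\S+?)(?P<gap>\s*)IN\s+CNAME\s+(?P<target>\S+)\s*$")


def parse_rpz_cnames(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse CNAME policy lines.  Returns (policy, warnings); policy maps the
    lower-cased owner name without trailing dot to its CNAME target."""
    policy: Dict[str, str] = {}
    warnings: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m is None:
            warnings.append(f"unparsed line: {raw!r}")
            continue
        if not m.group("gap"):
            # A master-file parser would take owner+"IN" as one owner name,
            # so the exact-match rule for the real owner would never fire.
            warnings.append(f"no whitespace between owner and IN: {raw!r}")
        policy[m.group("owner").rstrip(".").lower()] = m.group("target")
    return policy, warnings


def qname_trigger(policy: Dict[str, str], qname: str) -> Optional[str]:
    """Emulate RPZ QNAME matching: the exact owner wins; otherwise the
    wildcard enclosing qname with the most labels.  Returns the owner of the
    rule that fires, or None if the name would be resolved normally."""
    name = qname.rstrip(".").lower()
    if name in policy:
        return name
    labels = name.split(".")
    for i in range(1, len(labels)):          # *.parent, most specific first
        candidate = "*." + ".".join(labels[i:])
        if candidate in policy:
            return candidate
    return None


def audit(policy: Dict[str, str],
          observed: Dict[str, Optional[str]]) -> List[Tuple[str, Optional[str], Optional[str], Optional[str]]]:
    """Return (qname, rule, expected_target, observed_target) for every
    queried name whose resolver result disagrees with the policy."""
    out = []
    for qname, seen in observed.items():
        rule = qname_trigger(policy, qname)
        expected = policy[rule] if rule is not None else None
        if expected != seen:
            out.append((qname, rule, expected, seen))
    return out


if __name__ == "__main__":
    pol, warns = parse_rpz_cnames(RPZ_ZONE_TEXT)
    for w in warns:
        print("WARNING:", w)
    for qname, rule, expected, seen in audit(pol, OBSERVED):
        print(f"{qname}: rule {rule!r} expects {expected!r}, resolver returned {seen!r}")
```

Run against the post's data, the audit reports exactly the two names the poster noticed (adsafeprotected.com and sp-translation.conduit-services.com), each with the rule that should have fired; that is the list to take to `rndc` or the logs rather than re-checking the whole zone by hand.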
Sites that points their A Record to localhost
I have an issue happening here. I actually do have a vague idea what it is but I am not really sure how it is happening and how to avoid it. I was doing some research the other day and landed on this domain:

p3net.net

I found it a little strange when I logged into this domain because rather than seeing their website, I am seeing our main website page. Then, I performed a dig on their domain and got this output:

    ; <<>> DiG 0.0.0 <<>> p3net.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;p3net.net.                     IN      A

    ;; ANSWER SECTION:
    p3net.net.              7075    IN      A       127.0.0.1

    ;; AUTHORITY SECTION:
    p3net.net.              172672  IN      NS      dns1.namesecure.com.
    p3net.net.              172672  IN      NS      dns2.namesecure.com.

    ;; ADDITIONAL SECTION:
    dns1.namesecure.com.    172     IN      A       205.178.190.56
    dns2.namesecure.com.    174     IN      A       206.188.198.56

It seems like they have their domain configuration A record pointed to the localhost. We all know that the localhost is not routable outside of the internet. Therefore I am sure their website cannot resolve out of the 127.0.0.1. In addition to that, it is possible that this is happening only here because of the way our server configuration is set up in OS X to bring the resolver to the localhost first before it can go out to the distributed domains/websites through the Apache conf. In my name configuration I have everything going to their respective internal non-routable separate IP addresses, and localhost resolves to localhost only. I do not have any domain or website pointing to the localhost directly in my name conf. Every website points to its respective internal IP address only.

PS: (If the information I am giving appears to be too vague and you need any specific information, please ask!)

Thanks!
Eduardo
--
Eduardo Bonsi
System Admin
beart...@pacbell.net
Re: RPZ seems to be hit and miss
On Jan 10, 2014, at 1:32 PM, Howard, Christopher Bryan wrote:

> For reference:
> BIND 9.9.4-P1
> CentOS 6.4
> 64bit arch
>
> We use RPZ to CNAME all of the “bad” domains over to a catch-all type server
> that can display a message to the user. Until recently it has been working
> perfectly (or we thought it was :-P ).
>
> The problem:
> RPZ appears to have stopped working properly about a month ago and we didn’t
> notice it until a domain we specifically added kept resolving. After doing
> some spot checking, a large portion of the domains in the RPZ zone work as
> expected. However, some of them are still getting recursively resolved. I’m
> at a complete loss as to why this is happening.
>
> We were running BIND 9.9.3-P2, but I upgraded it to 9.9.4-P1 in an attempt to
> fix it, with no luck. I’ve flushed the cache on all of our servers, I’ve
> restarted the service on all of our servers. I’ve not restarted the actual
> servers, but I don’t think that would get us anywhere.

Did you accidentally move from RPZ 2 (via patches) to RPZ 1 (included in BIND)?

I shot myself in the foot with this…

AlanC
--
Alan Clegg | +1-919-355-8851 | a...@clegg.com
Re: Sites that points their A Record to localhost
On Jan 10, 2014, at 3:01 PM, Eduardo Bonsi wrote:

> I have an issue happening here. I actually do have a vague idea what it is
> but I am not real sure how is happening and how to avoid it. I was doing a
> research the other day and landed on this domain;
>
> p3net.net

Yes, it seems that they have an A record for that label that provides the IP address 127.0.0.1.

You probably want to ask the owner of the zone about this, as I’m not sure what the community can do about it.

AlanC
--
Alan Clegg | +1-919-355-8851 | a...@clegg.com
Re: Sites that points their A Record to localhost
On 2014-01-10 12:25, Alan Clegg wrote:
> On Jan 10, 2014, at 3:01 PM, Eduardo Bonsi wrote:
>> I have an issue happening here. I actually do have a vague idea what it is
>> but I am not real sure how is happening and how to avoid it. I was doing a
>> research the other day and landed on this domain;
>>
>> p3net.net
>
> Yes, it seems that they have an A record for that label that provides the IP
> address 127.0.0.1.
>
> You probably want to ask the owner of the zone about this, as I’m not sure
> what the community can do about it.

unbound, for example, has an option to discard replies that include non-routable IP addresses outside of expected/predictable locations.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
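To show the kind of reply filter Dave is describing, here is an added example; it is my own code, not from the thread and not unbound's implementation. It walks the ANSWER section of a dig-style reply, drops A/AAAA records whose address is loopback, private, link-local or unspecified, and exempts owners under domains the operator has declared as expected to hand out such addresses (the role unbound's private-address / private-domain settings play). The sample reply is constructed from the p3net.net dig output Eduardo posted, with one made-up AAAA line added so the IPv6 path is exercised; the function names are mine.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed sample: the QUESTION/ANSWER/AUTHORITY sections from the
# p3net.net dig output quoted in the thread, plus one made-up AAAA line.
# Fields are tab-separated the way dig prints them.
SAMPLE_REPLY = """\
;; QUESTION SECTION:
;p3net.net.\t\t\tIN\tA

;; ANSWER SECTION:
p3net.net.\t\t7075\tIN\tA\t127.0.0.1
p3net.net.\t\t7075\tIN\tAAAA\t::1

;; AUTHORITY SECTION:
p3net.net.\t\t172672\tIN\tNS\tdns1.namesecure.com.
p3net.net.\t\t172672\tIN\tNS\tdns2.namesecure.com.
"""

# owner  ttl  IN  A|AAAA  address
ADDR_RR = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>A|AAAA)\s+(?P<addr>\S+)\s*$"
)


def is_internal(addr: str) -> bool:
    """True for addresses a public name should never hand back: loopback,
    RFC 1918 / ULA, link-local, unspecified.  Unparsable text counts as
    internal so the filter fails closed."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def under_domain(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it (case-insensitive)."""
    name = name.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def filter_reply(text: str, allowed_domains: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Walk the ANSWER section of a dig-style reply.  Address records with an
    internal address are dropped unless their owner falls under one of
    allowed_domains; every other answer record is kept.
    Returns (kept_lines, dropped_lines)."""
    allowed = list(allowed_domains)
    kept: List[str] = []
    dropped: List[str] = []
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";;"):
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        if not in_answer or not line.strip():
            continue
        m = ADDR_RR.match(line)
        if m is None:
            kept.append(line)        # CNAME, MX, TXT ... are not address records
            continue
        owner, addr = m.group("owner"), m.group("addr")
        if is_internal(addr) and not any(under_domain(owner, d) for d in allowed):
            dropped.append(line)
        else:
            kept.append(line)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_reply(SAMPLE_REPLY)
    for line in dropped:
        print("DROP:", line)
    for line in kept:
        print("KEEP:", line)
```

With no allow-list both p3net.net address records are dropped; listing "p3net.net" as an allowed domain keeps them, which is the trade-off the thread is about: a site that deliberately publishes 127.0.0.1 is harmless to everyone but a client whose own software happens to be listening on that port.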
Re: Sites that points their A Record to localhost
From: Alan Clegg
> Yes, it seems that they have an A record for that label that
> provides the IP address 127.0.0.1.
>
> You probably want to ask the owner of the zone about this, as I’m
> not sure what the community can do about it.

They have an MX record, so perhaps the domain is only intended for email.

    # host p3net.net
    p3net.net has address 127.0.0.1
    p3net.net mail is handled by 10 aspmx.l.google.com.

Although, they should have more MX records if using google.
Re: Sites that points their A Record to localhost
On 2014-01-10 12:36, wbr...@e1b.org wrote:
> From: Alan Clegg
>> Yes, it seems that they have an A record for that label that
>> provides the IP address 127.0.0.1.
>>
>> You probably want to ask the owner of the zone about this, as I’m
>> not sure what the community can do about it.
>
> They have an MX record, so perhaps the domain is only intended for email.
>
> # host p3net.net
> p3net.net has address 127.0.0.1
> p3net.net mail is handled by 10 aspmx.l.google.com.
>
> Although, they should have more MX records if using google.

And less A records if they don't intend to do anything but email. But it's an imperfect world.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: RPZ seems to be hit and miss
I’ve just been using the RPZ built into BIND. I don’t think I was aware of RPZ 2.

-Christopher

On 1/10/14, 3:23 PM, "Alan Clegg" wrote:

>
> On Jan 10, 2014, at 1:32 PM, Howard, Christopher Bryan wrote:
>
>> For reference:
>> BIND 9.9.4-P1
>> CentOS 6.4
>> 64bit arch
>>
>> We use RPZ to CNAME all of the “bad” domains over to a catch-all type
>> server that can display a message to the user. Until recently it has
>> been working perfectly (or we thought it was :-P ).
>>
>> The problem:
>> RPZ appears to have stopped working properly about a month ago and we
>> didn’t notice it until a domain we specifically added kept resolving.
>> After doing some spot checking, a large portion of the domains in the
>> RPZ zone work as expected. However, some of them are still getting
>> recursively resolved. I’m at a complete loss as to why this is
>> happening.
>>
>> We were running BIND 9.9.3-P2, but I upgraded it to 9.9.4-P1 in an
>> attempt to fix it, with no luck. I’ve flushed the cache on all of our
>> servers, I’ve restarted the service on all of our servers. I’ve not
>> restarted the actual servers, but I don’t think that would get us
>> anywhere.
>
> Did you accidentally move from RPZ 2 (via patches) to RPZ 1 (included in
> BIND)?
>
> I shot myself in the foot with this…
>
> AlanC
> --
> Alan Clegg | +1-919-355-8851 | a...@clegg.com
>
Re: Sites that points their A Record to localhost
-Original Message-
From: Dave Warren
Date: Friday, January 10, 2014 at 15:47
To: Bind Users
Subject: Re: Sites that points their A Record to localhost

> On 2014-01-10 12:36, wbr...@e1b.org wrote:
>> From: Alan Clegg
>>> Yes, it seems that they have an A record for that label that
>>> provides the IP address 127.0.0.1.
>>>
>>> You probably want to ask the owner of the zone about this, as I’m
>>> not sure what the community can do about it.
>> They have an MX record, so perhaps the domain is only intended for
>> email.
>>
>> # host p3net.net
>> p3net.net has address 127.0.0.1
>> p3net.net mail is handled by 10 aspmx.l.google.com.
>>
>> Although, they should have more MX records if using google.
>
> And less A records if they don't intend to do anything but email. But
> it's an imperfect world.
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren

Isn’t there a “rule” (note lower case) that says ‘Zones _should_ have an A record. CNAMEs _should_not_ point to CNAMEs.’ Things that work, but shouldn’t. I may be wrong on the rules, I can’t find my reference.

--
Hal King - h...@utk.edu
Systems Administrator
Office of Information Technology
Shared Systems Services
The University of Tennessee
103C5 Kingston Pike Building
2309 Kingston Pk.
Knoxville, TN 37996
Phone: 974-1599
Re: Sites that points their A Record to localhost
Thanks everyone for the input on this matter!

Dave Warren said:
> ...And less A records if they don't intend to do anything but email. But
> it's an imperfect world.

No doubt it is! Like I said, it is not a big deal! It's not that people are able to re-route anything. That just happens because my resolver is pointed to the internal localhost first. No one on the internet can see my website pointed to his localhost and resolve to his domain. I can see that because when I log to his domain, it goes to my internal resolver and appears that I am logged to his domain, and after that I am starting to see my website being served from there. I know how it is happening and my concern was if that could generate any technical or security problems on my site.

Eduardo
--
Eduardo Bonsi
System Admin
beart...@pacbell.net

From: Dave Warren
To: bind-users@lists.isc.org
Sent: Friday, January 10, 2014 12:47 PM
Subject: Re: Sites that points their A Record to localhost

On 2014-01-10 12:36, wbr...@e1b.org wrote:
> From: Alan Clegg
>> Yes, it seems that they have an A record for that label that
>> provides the IP address 127.0.0.1.
>>
>> You probably want to ask the owner of the zone about this, as I’m
>> not sure what the community can do about it.
> They have an MX record, so perhaps the domain is only intended for email.
>
> # host p3net.net
> p3net.net has address 127.0.0.1
> p3net.net mail is handled by 10 aspmx.l.google.com.
>
> Although, they should have more MX records if using google.

And less A records if they don't intend to do anything but email. But it's an imperfect world.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: Sites that points their A Record to localhost
On 01/10, Eduardo Bonsi wrote:
> I know how it is happening and my concern was if that could generate
> any technical or security problems on my site.

no
Re: Sites that points their A Record to localhost
On 2014-01-10 15:01, Eduardo Bonsi wrote:
...
> It seems like they have their domain configuration A Record pointed to the
> localhost. We all know that the localhost is not routable outside of the
> internet. Therefore I am sure their website cannot resolve out of the
> 127.0.0.1. In addition to that, it is possible that this is happening only
> here because of the way our Server configuration is setup in the OS X to
> bring the resolver to the localhost first before it can go out to the
> distributed domains/websites through the Apache conf.
...

There seems to be a pile of misconceptions here.

(1) There is no requirement at all that a domain name have an A record. It does not have to resolve to an IP address at all. It only has to have an SOA record and an NS record (preferably more than one); and not even that, if it is a subdomain that is not a separate zone.

(2) There is no requirement that a domain name refer to the Web site for that domain. I personally don't like that (for no special reason), and neither apparently does the owner of this domain, who forces people to go to the trouble of typing in www.p3net.net to get to his or her Web site. Incidentally, there is no requirement that the domain name refer to a mail server, either (which used to be common before the Web existed), or to an FTP server, or to a Telnet server, or to a nuclear reactor control device. Or to anything.

(3) However, any name MAY resolve to any IP address, routable or not. That doesn't mean there's anything useful, or even related to that domain, at that IP address.

(4) "127.0.0.1" is the IP equivalent of the English language word "me". If I say, "me", I am referring to myself. If you say, "me", you are referring to yourself. It cannot be used to direct anyone to somewhere else. In fact, some use it to deflect probers AWAY from themselves, and back on the prober's own server. (E.g., if I wanted to probe "p3net.net", my server would be probing itself!)

(5) 127.0.0.1 is not among the IP addresses mislabeled as "unroutable". It is always routable. To right here. Well, for you, right there.

(6) Just because OS X has 127.0.0.1 as the resolver has no effect on what that resolver returns. Don't confuse the concepts.

I think there were some others, but it's getting late.

Joe Yao