Need help on RPZ sever, bit urgent

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
22 messages Options
12
Reply | Threaded
Open this post in threaded view
|

Need help on RPZ sever, bit urgent

blason16
Hi Bind-Users,

I would really appreciate if someone can help me understanding my issue with BIND RPZ server?

I have one windows server say 192.168.1.42 and then RPZ server with 192.168.1.179. I noticed that there are certain domains which are not getting resolved from end users. 

Ideally since those end user has 192.168.1.42 DNS Server set and has forwarder set to 192.168.1.179 should forward all queries to 1.179, right?

But certain domains from my response-policy are even though wall-gardened those are being catered as NXdomain.

Anything I am missing pertaining to RPZ?

Or if I am querying all those domains directly to RPZ server then I am getting proper answer. This issue is noticed when I have forwarder server is between

options {
        version "test";
        allow-query     { localhost;subnets; };
        directory "/var/cache/bind";
        recursion yes;
        querylog yes;
        forwarders {
                1.1.1.1;9.9.9.9;208.67.222.222;8.8.8.8;
         };
//      dnssec-validation auto;
        request-ixfr yes;
        auth-nxdomain no;    # conform to RFC1035
//      listen-on-v6 { any; };
        listen-on port 53 { any; };
        listen-on port 15455 {any;};
        response-policy { zone "whitelist.allow" policy passthru;
                        zone "wg.block";
                        zone "bad.trap";
                        zone "block.tld";
                        zone "ransomwareips.block";  };
};




_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Need help on RPZ sever, bit urgent

blason16
For example this one.

18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A? 0351dag.com. (29)
18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074 NXDomain 0/1/0 (102)


On Thu, Aug 9, 2018 at 6:59 PM Blason R <[hidden email]> wrote:
Hi Bind-Users,

I would really appreciate if someone can help me understanding my issue with BIND RPZ server?

I have one windows server say 192.168.1.42 and then RPZ server with 192.168.1.179. I noticed that there are certain domains which are not getting resolved from end users. 

Ideally since those end user has 192.168.1.42 DNS Server set and has forwarder set to 192.168.1.179 should forward all queries to 1.179, right?

But certain domains from my response-policy are even though wall-gardened those are being catered as NXdomain.

Anything I am missing pertaining to RPZ?

Or if I am querying all those domains directly to RPZ server then I am getting proper answer. This issue is noticed when I have forwarder server is between

options {
        version "test";
        allow-query     { localhost;subnets; };
        directory "/var/cache/bind";
        recursion yes;
        querylog yes;
        forwarders {
                1.1.1.1;9.9.9.9;208.67.222.222;8.8.8.8;
         };
//      dnssec-validation auto;
        request-ixfr yes;
        auth-nxdomain no;    # conform to RFC1035
//      listen-on-v6 { any; };
        listen-on port 53 { any; };
        listen-on port 15455 {any;};
        response-policy { zone "whitelist.allow" policy passthru;
                        zone "wg.block";
                        zone "bad.trap";
                        zone "block.tld";
                        zone "ransomwareips.block";  };
};




_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Need help on RPZ sever, bit urgent

Sam Wilson
In reply to this post by blason16
On 2018-08-09 14:00:55 +0000, Blason R said:

> For example this one.
>
> 18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A?
> 0351dag.com. (29)
> 18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074
> NXDomain 0/1/0 (102)

$ dig 0351dag.com

; <<>> DiG 9.8.3-P1 <<>> 0351dag.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44466
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;0351dag.com. IN A

;; AUTHORITY SECTION:
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com.
1533828275 1800 900 604800 86400

Sam

--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Need help on RPZ sever, bit urgent

blason16
Is it a big?? I mean certain domains from my rpz feeds are properly getting resolved while few are giving nxdomain though they appear in zone.

On Thu, Aug 9, 2018, 8:57 PM Sam Wilson <[hidden email]> wrote:
On 2018-08-09 14:00:55 +0000, Blason R said:

> For example this one.
>
> 18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A?
> 0351dag.com. (29)
> 18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074
> NXDomain 0/1/0 (102)

$ dig 0351dag.com

; <<>> DiG 9.8.3-P1 <<>> 0351dag.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44466
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;0351dag.com.                   IN      A

;; AUTHORITY SECTION:
com.                    900     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com.
1533828275 1800 900 604800 86400

Sam

--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Need help on RPZ sever, bit urgent

Bob Harold
In reply to this post by blason16

On Thu, Aug 9, 2018 at 9:31 AM Blason R <[hidden email]> wrote:
For example this one.

18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A? 0351dag.com. (29)
18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074 NXDomain 0/1/0 (102)

With RPZ, the name is looked up normally first, and only if there is an answer, is RPZ invoked.  If it gets NXDOMAIN or some error, it returns that and does not use RPZ.
If that is not what you want, then you probably want to set the option:
    qname-wait-recurse no;

-- 
Bob Harold


 

On Thu, Aug 9, 2018 at 6:59 PM Blason R <[hidden email]> wrote:
Hi Bind-Users,

I would really appreciate if someone can help me understanding my issue with BIND RPZ server?

I have one windows server say 192.168.1.42 and then RPZ server with 192.168.1.179. I noticed that there are certain domains which are not getting resolved from end users. 

Ideally since those end user has 192.168.1.42 DNS Server set and has forwarder set to 192.168.1.179 should forward all queries to 1.179, right?

But certain domains from my response-policy are even though wall-gardened those are being catered as NXdomain.

Anything I am missing pertaining to RPZ?

Or if I am querying all those domains directly to RPZ server then I am getting proper answer. This issue is noticed when I have forwarder server is between

options {
        version "test";
        allow-query     { localhost;subnets; };
        directory "/var/cache/bind";
        recursion yes;
        querylog yes;
        forwarders {
                1.1.1.1;9.9.9.9;208.67.222.222;8.8.8.8;
         };
//      dnssec-validation auto;
        request-ixfr yes;
        auth-nxdomain no;    # conform to RFC1035
//      listen-on-v6 { any; };
        listen-on port 53 { any; };
        listen-on port 15455 {any;};
        response-policy { zone "whitelist.allow" policy passthru;
                        zone "wg.block";
                        zone "bad.trap";
                        zone "block.tld";
                        zone "ransomwareips.block";  };
};


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Need help on RPZ sever, bit urgent

blason16
Well mine is bit different. I have RPZ and almost 400000+ RPZ entries wall gardened. And in my scenario users are talking to windows based AD/DNS server and then that server has forwarder set to RPZ.

  1. First issue; I observed certain entries from BIND/RPZ zone are being resolved by windows server directly to their original IPs and not the wall-gardened IP. Where I believe once the forwarder is set all those queries should have been routed to RPZ server? [If anyone here having Windows DNS expertise, pls help]
  2. And another, certain RPZ queries if queried through AD/DNS server are not at all getting resolved. When I captured packets on BIND/RPZ server I see that those domains are getting NXdomain by RPZ and not sure why.
Thanks and Regards,
Lionel F

On Thu, Aug 9, 2018 at 11:08 PM Bob Harold <[hidden email]> wrote:

On Thu, Aug 9, 2018 at 9:31 AM Blason R <[hidden email]> wrote:
For example this one.

18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A? 0351dag.com. (29)
18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074 NXDomain 0/1/0 (102)

With RPZ, the name is looked up normally first, and only if there is an answer, is RPZ invoked.  If it gets NXDOMAIN or some error, it returns that and does not use RPZ.
If that is not what you want, then you probably want to set the option:
    qname-wait-recurse no;

-- 
Bob Harold


 

On Thu, Aug 9, 2018 at 6:59 PM Blason R <[hidden email]> wrote:
Hi Bind-Users,

I would really appreciate if someone can help me understanding my issue with BIND RPZ server?

I have one windows server say 192.168.1.42 and then RPZ server with 192.168.1.179. I noticed that there are certain domains which are not getting resolved from end users. 

Ideally since those end user has 192.168.1.42 DNS Server set and has forwarder set to 192.168.1.179 should forward all queries to 1.179, right?

But certain domains from my response-policy are even though wall-gardened those are being catered as NXdomain.

Anything I am missing pertaining to RPZ?

Or if I am querying all those domains directly to RPZ server then I am getting proper answer. This issue is noticed when I have forwarder server is between

options {
        version "test";
        allow-query     { localhost;subnets; };
        directory "/var/cache/bind";
        recursion yes;
        querylog yes;
        forwarders {
                1.1.1.1;9.9.9.9;208.67.222.222;8.8.8.8;
         };
//      dnssec-validation auto;
        request-ixfr yes;
        auth-nxdomain no;    # conform to RFC1035
//      listen-on-v6 { any; };
        listen-on port 53 { any; };
        listen-on port 15455 {any;};
        response-policy { zone "whitelist.allow" policy passthru;
                        zone "wg.block";
                        zone "bad.trap";
                        zone "block.tld";
                        zone "ransomwareips.block";  };
};


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Need help on RPZ sever, bit urgent

blason16
Hi there,

Where it should appear? ARM says it should appear inl Global-section of response-policy which I tried but getting error.

    response-policy {zone "whitelist.allow" policy passthru;
                        zone "malware.trap";
                        zone "ransomwareips.block";
                                };
qname-wait-recurse no;
break-dnssec no;


On Fri, Aug 10, 2018 at 8:09 AM Blason R <[hidden email]> wrote:
Well mine is bit different. I have RPZ and almost 400000+ RPZ entries wall gardened. And in my scenario users are talking to windows based AD/DNS server and then that server has forwarder set to RPZ.

  1. First issue; I observed certain entries from BIND/RPZ zone are being resolved by windows server directly to their original IPs and not the wall-gardened IP. Where I believe once the forwarder is set all those queries should have been routed to RPZ server? [If anyone here having Windows DNS expertise, pls help]
  2. And another, certain RPZ queries if queried through AD/DNS server are not at all getting resolved. When I captured packets on BIND/RPZ server I see that those domains are getting NXdomain by RPZ and not sure why.
Thanks and Regards,
Lionel F

On Thu, Aug 9, 2018 at 11:08 PM Bob Harold <[hidden email]> wrote:

On Thu, Aug 9, 2018 at 9:31 AM Blason R <[hidden email]> wrote:
For example this one.

18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A? 0351dag.com. (29)
18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074 NXDomain 0/1/0 (102)

With RPZ, the name is looked up normally first, and only if there is an answer, is RPZ invoked.  If it gets NXDOMAIN or some error, it returns that and does not use RPZ.
If that is not what you want, then you probably want to set the option:
    qname-wait-recurse no;

-- 
Bob Harold


 

On Thu, Aug 9, 2018 at 6:59 PM Blason R <[hidden email]> wrote:
Hi Bind-Users,

I would really appreciate if someone can help me understanding my issue with BIND RPZ server?

I have one windows server say 192.168.1.42 and then RPZ server with 192.168.1.179. I noticed that there are certain domains which are not getting resolved from end users. 

Ideally since those end user has 192.168.1.42 DNS Server set and has forwarder set to 192.168.1.179 should forward all queries to 1.179, right?

But certain domains from my response-policy are even though wall-gardened those are being catered as NXdomain.

Anything I am missing pertaining to RPZ?

Or if I am querying all those domains directly to RPZ server then I am getting proper answer. This issue is noticed when I have forwarder server is between

options {
        version "test";
        allow-query     { localhost;subnets; };
        directory "/var/cache/bind";
        recursion yes;
        querylog yes;
        forwarders {
                1.1.1.1;9.9.9.9;208.67.222.222;8.8.8.8;
         };
//      dnssec-validation auto;
        request-ixfr yes;
        auth-nxdomain no;    # conform to RFC1035
//      listen-on-v6 { any; };
        listen-on port 53 { any; };
        listen-on port 15455 {any;};
        response-policy { zone "whitelist.allow" policy passthru;
                        zone "wg.block";
                        zone "bad.trap";
                        zone "block.tld";
                        zone "ransomwareips.block";  };
};


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Need help on RPZ sever, bit urgent

blason16
This is the error I am getting

/etc/bind/named.conf.options:24: expected 'zone' near 'qname-wait-recurse'

On Fri, Aug 10, 2018 at 9:10 AM Blason R <[hidden email]> wrote:
Hi there,

Where it should appear? ARM says it should appear inl Global-section of response-policy which I tried but getting error.

    response-policy {zone "whitelist.allow" policy passthru;
                        zone "malware.trap";
                        zone "ransomwareips.block";
                                };
qname-wait-recurse no;
break-dnssec no;


On Fri, Aug 10, 2018 at 8:09 AM Blason R <[hidden email]> wrote:
Well mine is bit different. I have RPZ and almost 400000+ RPZ entries wall gardened. And in my scenario users are talking to windows based AD/DNS server and then that server has forwarder set to RPZ.

  1. First issue; I observed certain entries from BIND/RPZ zone are being resolved by windows server directly to their original IPs and not the wall-gardened IP. Where I believe once the forwarder is set all those queries should have been routed to RPZ server? [If anyone here having Windows DNS expertise, pls help]
  2. And another, certain RPZ queries if queried through AD/DNS server are not at all getting resolved. When I captured packets on BIND/RPZ server I see that those domains are getting NXdomain by RPZ and not sure why.
Thanks and Regards,
Lionel F

On Thu, Aug 9, 2018 at 11:08 PM Bob Harold <[hidden email]> wrote:

On Thu, Aug 9, 2018 at 9:31 AM Blason R <[hidden email]> wrote:
For example this one.

18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A? 0351dag.com. (29)
18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074 NXDomain 0/1/0 (102)

With RPZ, the name is looked up normally first, and only if there is an answer, is RPZ invoked.  If it gets NXDOMAIN or some error, it returns that and does not use RPZ.
If that is not what you want, then you probably want to set the option:
    qname-wait-recurse no;

-- 
Bob Harold


 

On Thu, Aug 9, 2018 at 6:59 PM Blason R <[hidden email]> wrote:
Hi Bind-Users,

I would really appreciate if someone can help me understanding my issue with BIND RPZ server?

I have one windows server say 192.168.1.42 and then RPZ server with 192.168.1.179. I noticed that there are certain domains which are not getting resolved from end users. 

Ideally since those end user has 192.168.1.42 DNS Server set and has forwarder set to 192.168.1.179 should forward all queries to 1.179, right?

But certain domains from my response-policy are even though wall-gardened those are being catered as NXdomain.

Anything I am missing pertaining to RPZ?

Or if I am querying all those domains directly to RPZ server then I am getting proper answer. This issue is noticed when I have forwarder server is between

options {
        version "test";
        allow-query     { localhost;subnets; };
        directory "/var/cache/bind";
        recursion yes;
        querylog yes;
        forwarders {
                1.1.1.1;9.9.9.9;208.67.222.222;8.8.8.8;
         };
//      dnssec-validation auto;
        request-ixfr yes;
        auth-nxdomain no;    # conform to RFC1035
//      listen-on-v6 { any; };
        listen-on port 53 { any; };
        listen-on port 15455 {any;};
        response-policy { zone "whitelist.allow" policy passthru;
                        zone "wg.block";
                        zone "bad.trap";
                        zone "block.tld";
                        zone "ransomwareips.block";  };
};


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Need help on RPZ sever, bit urgent

Bind-Users forum mailing list
Should be:

response-policy {zone "whitelist.allow" policy passthru;
                        zone "malware.trap";
                        zone "ransomwareips.block";
} qname-wait-recurse no break-dnssec no;

Vadim
On 09 Aug 2018, at 20:50, Blason R <[hidden email]> wrote:

This is the error I am getting

/etc/bind/named.conf.options:24: expected 'zone' near 'qname-wait-recurse'

On Fri, Aug 10, 2018 at 9:10 AM Blason R <[hidden email]> wrote:
Hi there,

Where it should appear? ARM says it should appear inl Global-section of response-policy which I tried but getting error.

    response-policy {zone "whitelist.allow" policy passthru;
                        zone "malware.trap";
                        zone "ransomwareips.block";
                                };
qname-wait-recurse no;
break-dnssec no;


On Fri, Aug 10, 2018 at 8:09 AM Blason R <[hidden email]> wrote:
Well mine is bit different. I have RPZ and almost 400000+ RPZ entries wall gardened. And in my scenario users are talking to windows based AD/DNS server and then that server has forwarder set to RPZ.

  1. First issue; I observed certain entries from BIND/RPZ zone are being resolved by windows server directly to their original IPs and not the wall-gardened IP. Where I believe once the forwarder is set all those queries should have been routed to RPZ server? [If anyone here having Windows DNS expertise, pls help]
  2. And another, certain RPZ queries if queried through AD/DNS server are not at all getting resolved. When I captured packets on BIND/RPZ server I see that those domains are getting NXdomain by RPZ and not sure why.
Thanks and Regards,
Lionel F

On Thu, Aug 9, 2018 at 11:08 PM Bob Harold <[hidden email]> wrote:

On Thu, Aug 9, 2018 at 9:31 AM Blason R <[hidden email]> wrote:
For example this one.

18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A? 0351dag.com. (29)
18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074 NXDomain 0/1/0 (102)

With RPZ, the name is looked up normally first, and only if there is an answer, is RPZ invoked.  If it gets NXDOMAIN or some error, it returns that and does not use RPZ.
If that is not what you want, then you probably want to set the option:
    qname-wait-recurse no;

-- 
Bob Harold


 

On Thu, Aug 9, 2018 at 6:59 PM Blason R <[hidden email]> wrote:
Hi Bind-Users,

I would really appreciate if someone can help me understanding my issue with BIND RPZ server?

I have one windows server say 192.168.1.42 and then RPZ server with 192.168.1.179. I noticed that there are certain domains which are not getting resolved from end users. 

Ideally since those end user has 192.168.1.42 DNS Server set and has forwarder set to 192.168.1.179 should forward all queries to 1.179, right?

But certain domains from my response-policy are even though wall-gardened those are being catered as NXdomain.

Anything I am missing pertaining to RPZ?

Or if I am querying all those domains directly to RPZ server then I am getting proper answer. This issue is noticed when I have forwarder server is between

options {
        version "test";
        allow-query     { localhost;subnets; };
        directory "/var/cache/bind";
        recursion yes;
        querylog yes;
        forwarders {
                1.1.1.1;9.9.9.9;208.67.222.222;8.8.8.8;
         };
//      dnssec-validation auto;
        request-ixfr yes;
        auth-nxdomain no;    # conform to RFC1035
//      listen-on-v6 { any; };
        listen-on port 53 { any; };
        listen-on port 15455 {any;};
        response-policy { zone "whitelist.allow" policy passthru;
                        zone "wg.block";
                        zone "bad.trap";
                        zone "block.tld";
                        zone "ransomwareips.block";  };
};

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Need help on RPZ sever, bit urgent

blason16
Nah I dont think that is the answer since you need a termination after clause.


Thanks and Regards,
Lionel F

On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov <[hidden email]> wrote:
Should be:

response-policy {zone "whitelist.allow" policy passthru;
                        zone "malware.trap";
                        zone "ransomwareips.block";
} qname-wait-recurse no break-dnssec no;

Vadim
On 09 Aug 2018, at 20:50, Blason R <[hidden email]> wrote:

This is the error I am getting

/etc/bind/named.conf.options:24: expected 'zone' near 'qname-wait-recurse'

On Fri, Aug 10, 2018 at 9:10 AM Blason R <[hidden email]> wrote:
Hi there,

Where it should appear? ARM says it should appear inl Global-section of response-policy which I tried but getting error.

    response-policy {zone "whitelist.allow" policy passthru;
                        zone "malware.trap";
                        zone "ransomwareips.block";
                                };
qname-wait-recurse no;
break-dnssec no;


On Fri, Aug 10, 2018 at 8:09 AM Blason R <[hidden email]> wrote:
Well mine is bit different. I have RPZ and almost 400000+ RPZ entries wall gardened. And in my scenario users are talking to windows based AD/DNS server and then that server has forwarder set to RPZ.

  1. First issue; I observed certain entries from BIND/RPZ zone are being resolved by windows server directly to their original IPs and not the wall-gardened IP. Where I believe once the forwarder is set all those queries should have been routed to RPZ server? [If anyone here having Windows DNS expertise, pls help]
  2. And another, certain RPZ queries if queried through AD/DNS server are not at all getting resolved. When I captured packets on BIND/RPZ server I see that those domains are getting NXdomain by RPZ and not sure why.
Thanks and Regards,
Lionel F

On Thu, Aug 9, 2018 at 11:08 PM Bob Harold <[hidden email]> wrote:

On Thu, Aug 9, 2018 at 9:31 AM Blason R <[hidden email]> wrote:
For example this one.

18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A? 0351dag.com. (29)
18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074 NXDomain 0/1/0 (102)

With RPZ, the name is looked up normally first, and only if there is an answer, is RPZ invoked.  If it gets NXDOMAIN or some error, it returns that and does not use RPZ.
If that is not what you want, then you probably want to set the option:
    qname-wait-recurse no;

-- 
Bob Harold


 

On Thu, Aug 9, 2018 at 6:59 PM Blason R <[hidden email]> wrote:
Hi Bind-Users,

I would really appreciate if someone can help me understanding my issue with BIND RPZ server?

I have one windows server say 192.168.1.42 and then RPZ server with 192.168.1.179. I noticed that there are certain domains which are not getting resolved from end users. 

Ideally since those end user has 192.168.1.42 DNS Server set and has forwarder set to 192.168.1.179 should forward all queries to 1.179, right?

But certain domains from my response-policy are even though wall-gardened those are being catered as NXdomain.

Anything I am missing pertaining to RPZ?

Or if I am querying all those domains directly to RPZ server then I am getting proper answer. This issue is noticed when I have forwarder server is between

options {
        version "test";
        allow-query     { localhost;subnets; };
        directory "/var/cache/bind";
        recursion yes;
        querylog yes;
        forwarders {
                1.1.1.1;9.9.9.9;208.67.222.222;8.8.8.8;
         };
//      dnssec-validation auto;
        request-ixfr yes;
        auth-nxdomain no;    # conform to RFC1035
//      listen-on-v6 { any; };
        listen-on port 53 { any; };
        listen-on port 15455 {any;};
        response-policy { zone "whitelist.allow" policy passthru;
                        zone "wg.block";
                        zone "bad.trap";
                        zone "block.tld";
                        zone "ransomwareips.block";  };
};

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Need help on RPZ sever, bit urgent

blason16
Hello All,

I have been debugging my issue from last 30+ hrs without luck and dang its something related to forwarding. Again here is my quick scenario

I have Windows DNS Server 192.168.1.42 Has Forwarder set to 192.168.1.179 [BIND/RPZ]

Now certain domains when queried from end user e.g 192.168.1.100 has DNS set to  192.168.1.42 does not get resolved at all. While I troubleshooting I observed that may be 192.168.1.42 has got root zone "." and is trying to resolve locally instead of forwarding. I noticed this issue is happening randomly with any domains but mostly it observed for .com and .net domain entries.

Again I tried replacing 192.168.1.42 with Linux BIND server and its same behavior so I don't think its related with Windows. 

I want all other queries should strictly forward to my RPZ forwarding server. How do I do that can someone help me in troubleshooting? I can provide the logs and config.

Or if someone has a similar setup can try simulating at their end and confirm, plz?



On Fri, Aug 10, 2018 at 1:17 PM Blason R <[hidden email]> wrote:
Nah I dont think that is the answer since you need a termination after clause.


Thanks and Regards,
Lionel F

On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov <[hidden email]> wrote:
Should be:

response-policy {zone "whitelist.allow" policy passthru;
                        zone "malware.trap";
                        zone "ransomwareips.block";
} qname-wait-recurse no break-dnssec no;

Vadim
On 09 Aug 2018, at 20:50, Blason R <[hidden email]> wrote:

This is the error I am getting

/etc/bind/named.conf.options:24: expected 'zone' near 'qname-wait-recurse'

On Fri, Aug 10, 2018 at 9:10 AM Blason R <[hidden email]> wrote:
Hi there,

Where it should appear? ARM says it should appear inl Global-section of response-policy which I tried but getting error.

    response-policy {zone "whitelist.allow" policy passthru;
                        zone "malware.trap";
                        zone "ransomwareips.block";
                                };
qname-wait-recurse no;
break-dnssec no;


On Fri, Aug 10, 2018 at 8:09 AM Blason R <[hidden email]> wrote:
Well mine is bit different. I have RPZ and almost 400000+ RPZ entries wall gardened. And in my scenario users are talking to windows based AD/DNS server and then that server has forwarder set to RPZ.

  1. First issue; I observed certain entries from BIND/RPZ zone are being resolved by windows server directly to their original IPs and not the wall-gardened IP. Where I believe once the forwarder is set all those queries should have been routed to RPZ server? [If anyone here having Windows DNS expertise, pls help]
  2. And another, certain RPZ queries if queried through AD/DNS server are not at all getting resolved. When I captured packets on BIND/RPZ server I see that those domains are getting NXdomain by RPZ and not sure why.
Thanks and Regards,
Lionel F

On Thu, Aug 9, 2018 at 11:08 PM Bob Harold <[hidden email]> wrote:

On Thu, Aug 9, 2018 at 9:31 AM Blason R <[hidden email]> wrote:
For example this one.

18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A? 0351dag.com. (29)
18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074 NXDomain 0/1/0 (102)

With RPZ, the name is looked up normally first, and only if there is an answer, is RPZ invoked.  If it gets NXDOMAIN or some error, it returns that and does not use RPZ.
If that is not what you want, then you probably want to set the option:
    qname-wait-recurse no;

-- 
Bob Harold


 

On Thu, Aug 9, 2018 at 6:59 PM Blason R <[hidden email]> wrote:
Hi Bind-Users,

I would really appreciate if someone can help me understanding my issue with BIND RPZ server?

I have one windows server say 192.168.1.42 and then RPZ server with 192.168.1.179. I noticed that there are certain domains which are not getting resolved from end users. 

Ideally since those end user has 192.168.1.42 DNS Server set and has forwarder set to 192.168.1.179 should forward all queries to 1.179, right?

But certain domains from my response-policy are even though wall-gardened those are being catered as NXdomain.

Anything I am missing pertaining to RPZ?

Or if I am querying all those domains directly to RPZ server then I am getting proper answer. This issue is noticed when I have forwarder server is between

options {
        version "test";
        allow-query     { localhost;subnets; };
        directory "/var/cache/bind";
        recursion yes;
        querylog yes;
        forwarders {
                1.1.1.1;9.9.9.9;208.67.222.222;8.8.8.8;
         };
//      dnssec-validation auto;
        request-ixfr yes;
        auth-nxdomain no;    # conform to RFC1035
//      listen-on-v6 { any; };
        listen-on port 53 { any; };
        listen-on port 15455 {any;};
        response-policy { zone "whitelist.allow" policy passthru;
                        zone "wg.block";
                        zone "bad.trap";
                        zone "block.tld";
                        zone "ransomwareips.block";  };
};

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Need help on RPZ sever, bit urgent

Sam Wilson
In reply to this post by blason16
I'm sorry, I don't understand the question.  Your message shows a query and an NXDOMAIN response.  That seems to be correct.  I don't know whether your RPZ configuration is supposed to change that.

Sam


> On 9 Aug 2018, at 18:25, Blason R <[hidden email]> wrote:
>
> Is it a big?? I mean certain domains from my rpz feeds are properly getting resolved while few are giving nxdomain though they appear in zone.
>
> On Thu, Aug 9, 2018, 8:57 PM Sam Wilson <[hidden email]> wrote:
> On 2018-08-09 14:00:55 +0000, Blason R said:
>
> > For example this one.
> >
> > 18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A?
> > 0351dag.com. (29)
> > 18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074
> > NXDomain 0/1/0 (102)
>
> $ dig 0351dag.com
>
> ; <<>> DiG 9.8.3-P1 <<>> 0351dag.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44466
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;0351dag.com.                   IN      A
>
> ;; AUTHORITY SECTION:
> com.                    900     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com.
> 1533828275 1800 900 604800 86400
>
> Sam
>
> --
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/bind-users

--
Sam Wilson
Communications Infrastructure Section, IT Infrastructure
Information Services, The University of Edinburgh
Edinburgh, Scotland, UK


The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Need help on RPZ sever, bit urgent

blason16
Hello,

Well even though the entry is there in RPZ zone it is still being returned as nxdomain.

On Fri, Aug 10, 2018, 3:01 PM WILSON Sam <[hidden email]> wrote:
I'm sorry, I don't understand the question.  Your message shows a query and an NXDOMAIN response.  That seems to be correct.  I don't know whether your RPZ configuration is supposed to change that.

Sam


> On 9 Aug 2018, at 18:25, Blason R <[hidden email]> wrote:
>
> Is it a big?? I mean certain domains from my rpz feeds are properly getting resolved while few are giving nxdomain though they appear in zone.
>
> On Thu, Aug 9, 2018, 8:57 PM Sam Wilson <[hidden email]> wrote:
> On 2018-08-09 14:00:55 +0000, Blason R said:
>
> > For example this one.
> >
> > 18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A?
> > 0351dag.com. (29)
> > 18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074
> > NXDomain 0/1/0 (102)
>
> $ dig 0351dag.com
>
> ; <<>> DiG 9.8.3-P1 <<>> 0351dag.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44466
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;0351dag.com.                   IN      A
>
> ;; AUTHORITY SECTION:
> com.                    900     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com.
> 1533828275 1800 900 604800 86400
>
> Sam
>
> --
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/bind-users

--
Sam Wilson
Communications Infrastructure Section, IT Infrastructure
Information Services, The University of Edinburgh
Edinburgh, Scotland, UK


The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Need help on RPZ sever, bit urgent

Carl Byington
In reply to this post by blason16
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Fri, 2018-08-10 at 13:17 +0530, Blason R wrote:
> Nah I dont think that is the answer since you need a termination after
> clause.

Did you actually try the answer below?


> On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov <[hidden email]> wrote:

> Should be:


>         response-policy {zone "whitelist.allow" policy passthru;
>                                 zone "malware.trap";
>                                 zone "ransomwareips.block";
>         } qname-wait-recurse no break-dnssec no;



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEAREKAAYFAltt65oACgkQL6j7milTFsF1fgCfYX/B4MaSrPqmoskfYvFAUQVV
YfcAn2NO474pn6agGUmjjR49eq4+sw4Y
=VwoG
-----END PGP SIGNATURE-----


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Need help on RPZ sever, bit urgent

blason16
This is not accepting and giving my syntax error.

named-checkconf /etc/bind/named.conf
/etc/bind/named.conf.options:29: syntax error near '}'


And here is I added

        response-policy { zone "whitelist.allow" policy passthru;
                        zone "malware.trap";
                        zone "ransomwareips.block"; } qname-wait-recurse no break-dnssec no; };



On Sat, Aug 11, 2018 at 1:17 AM Carl Byington <[hidden email]> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Fri, 2018-08-10 at 13:17 +0530, Blason R wrote:
> Nah I dont think that is the answer since you need a termination after
> clause.

Did you actually try the answer below?


> On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov <[hidden email]> wrote:

> Should be:


>         response-policy {zone "whitelist.allow" policy passthru;
>                                 zone "malware.trap";
>                                 zone "ransomwareips.block";
>         } qname-wait-recurse no break-dnssec no;



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEAREKAAYFAltt65oACgkQL6j7milTFsF1fgCfYX/B4MaSrPqmoskfYvFAUQVV
YfcAn2NO474pn6agGUmjjR49eq4+sw4Y
=VwoG
-----END PGP SIGNATURE-----


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Need help on RPZ sever, bit urgent

blason16
Ok - Now I added like this and it disappeared.

        response-policy { zone "whitelist.allow" policy passthru;
                        zone "malware.trap";
                        zone "ransomwareips.block"; } qname-wait-recurse no break-dnssec no;


On Sat, Aug 11, 2018 at 7:51 AM Blason R <[hidden email]> wrote:
This is not accepting and giving my syntax error.

named-checkconf /etc/bind/named.conf
/etc/bind/named.conf.options:29: syntax error near '}'


And here is I added

        response-policy { zone "whitelist.allow" policy passthru;
                        zone "malware.trap";
                        zone "ransomwareips.block"; } qname-wait-recurse no break-dnssec no; };



On Sat, Aug 11, 2018 at 1:17 AM Carl Byington <[hidden email]> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Fri, 2018-08-10 at 13:17 +0530, Blason R wrote:
> Nah I dont think that is the answer since you need a termination after
> clause.

Did you actually try the answer below?


> On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov <[hidden email]> wrote:

> Should be:


>         response-policy {zone "whitelist.allow" policy passthru;
>                                 zone "malware.trap";
>                                 zone "ransomwareips.block";
>         } qname-wait-recurse no break-dnssec no;



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEAREKAAYFAltt65oACgkQL6j7milTFsF1fgCfYX/B4MaSrPqmoskfYvFAUQVV
YfcAn2NO474pn6agGUmjjR49eq4+sw4Y
=VwoG
-----END PGP SIGNATURE-----


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Need help on RPZ sever, bit urgent

blason16
Infact what I observed that the intermediate DNS servers are not forwarding he queries for .com and .net servers to my RPZ servers and it tries resolves directly on his own from TLD servers

192.168.3.72 End User
192.168.3.15 [AUTH Server for test.com] and has forwarder to
192.168.3.44 [RPZ]

So, 3.15 should only resolve for test.com else all queries should be forwarded to 192.168.3.44 

Which is not happening.


; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> 003bbhq9.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6844
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;003bbhq9.com.                  IN      A

;; AUTHORITY SECTION:
com.                    530     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1533954938 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 192.168.3.15#53(192.168.3.15)
;; WHEN: Sat Aug 11 08:12:17 IST 2018
;; MSG SIZE  rcvd: 114


On Sat, Aug 11, 2018 at 7:57 AM Blason R <[hidden email]> wrote:
Ok - Now I added like this and it disappeared.

        response-policy { zone "whitelist.allow" policy passthru;
                        zone "malware.trap";
                        zone "ransomwareips.block"; } qname-wait-recurse no break-dnssec no;


On Sat, Aug 11, 2018 at 7:51 AM Blason R <[hidden email]> wrote:
This is not accepting and giving my syntax error.

named-checkconf /etc/bind/named.conf
/etc/bind/named.conf.options:29: syntax error near '}'


And here is I added

        response-policy { zone "whitelist.allow" policy passthru;
                        zone "malware.trap";
                        zone "ransomwareips.block"; } qname-wait-recurse no break-dnssec no; };



On Sat, Aug 11, 2018 at 1:17 AM Carl Byington <[hidden email]> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Fri, 2018-08-10 at 13:17 +0530, Blason R wrote:
> Nah I dont think that is the answer since you need a termination after
> clause.

Did you actually try the answer below?


> On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov <[hidden email]> wrote:

> Should be:


>         response-policy {zone "whitelist.allow" policy passthru;
>                                 zone "malware.trap";
>                                 zone "ransomwareips.block";
>         } qname-wait-recurse no break-dnssec no;



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEAREKAAYFAltt65oACgkQL6j7milTFsF1fgCfYX/B4MaSrPqmoskfYvFAUQVV
YfcAn2NO474pn6agGUmjjR49eq4+sw4Y
=VwoG
-----END PGP SIGNATURE-----


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Need help on RPZ sever, bit urgent

Bob Harold

On Fri, Aug 10, 2018 at 10:53 PM Blason R <[hidden email]> wrote:
Infact what I observed that the intermediate DNS servers are not forwarding he queries for .com and .net servers to my RPZ servers and it tries resolves directly on his own from TLD servers

You need to work on the intermediate server to get it to forward.  If it is running  Microsoft DNS, then I don't know enough to help you with that.

I would suggest that  you have the RPZ server be a 'slave' for the 'test.com' zone (and all the zones that the AUTH server has).  Then point users directly at the RPZ server.

-- 
Bob Harold

 
192.168.3.72 End User
192.168.3.15 [AUTH Server for test.com] and has forwarder to
192.168.3.44 [RPZ]

So, 3.15 should only resolve for test.com else all queries should be forwarded to 192.168.3.44 

Which is not happening.


; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> 003bbhq9.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6844
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;003bbhq9.com.                  IN      A

;; AUTHORITY SECTION:
com.                    530     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1533954938 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 192.168.3.15#53(192.168.3.15)
;; WHEN: Sat Aug 11 08:12:17 IST 2018
;; MSG SIZE  rcvd: 114


On Sat, Aug 11, 2018 at 7:57 AM Blason R <[hidden email]> wrote:
Ok - Now I added like this and it disappeared.

        response-policy { zone "whitelist.allow" policy passthru;
                        zone "malware.trap";
                        zone "ransomwareips.block"; } qname-wait-recurse no break-dnssec no;


On Sat, Aug 11, 2018 at 7:51 AM Blason R <[hidden email]> wrote:
This is not accepting and giving my syntax error.

named-checkconf /etc/bind/named.conf
/etc/bind/named.conf.options:29: syntax error near '}'


And here is I added

        response-policy { zone "whitelist.allow" policy passthru;
                        zone "malware.trap";
                        zone "ransomwareips.block"; } qname-wait-recurse no break-dnssec no; };



On Sat, Aug 11, 2018 at 1:17 AM Carl Byington <[hidden email]> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Fri, 2018-08-10 at 13:17 +0530, Blason R wrote:
> Nah I dont think that is the answer since you need a termination after
> clause.

Did you actually try the answer below?


> On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov <[hidden email]> wrote:

> Should be:


>         response-policy {zone "whitelist.allow" policy passthru;
>                                 zone "malware.trap";
>                                 zone "ransomwareips.block";
>         } qname-wait-recurse no break-dnssec no;


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Need help on RPZ sever, bit urgent

blason16
Hi Bob,

I guess my scenario is not exactly understood I believe. Before that if I have set forwarder in Global option then ideally BIND should forward all queries to the forwarder, right?

Lets say 192.168.3.15 is client
192.168.3.42 is BIND Server
192.168.3.78 is RPZ server

I have one zone on 192.168.3.42 by name test.com and have all the entries on 192.168.3.42, so on users desktop 192.168.3.15 I have DNS configured as 192.168.3.42.

So, 

When query goes for ftp.test.com it will be resolved by 192.168.3.42
When query goes for bad.malware.com. it will be forwarded 192.168.3.78 where it will be wall-gardened.

Now what I noticed is certain RPZ entries on 3.78 are not getting resolved from 192.168.3.15. And then I observed that certain .com entries 3.42 is trying resolve on his own even though he is not authoritative server and supposedly those ALL queries should have been forwarded to 192.168.3.78.

PS:  I guess there are certain folks are on list from commercial RPZ services, are they facing same issue? 

On Sun, Aug 12, 2018 at 10:12 AM Bob Harold <[hidden email]> wrote:

On Fri, Aug 10, 2018 at 10:53 PM Blason R <[hidden email]> wrote:
Infact what I observed that the intermediate DNS servers are not forwarding he queries for .com and .net servers to my RPZ servers and it tries resolves directly on his own from TLD servers

You need to work on the intermediate server to get it to forward.  If it is running  Microsoft DNS, then I don't know enough to help you with that.

I would suggest that  you have the RPZ server be a 'slave' for the 'test.com' zone (and all the zones that the AUTH server has).  Then point users directly at the RPZ server.

-- 
Bob Harold

 
192.168.3.72 End User
192.168.3.15 [AUTH Server for test.com] and has forwarder to
192.168.3.44 [RPZ]

So, 3.15 should only resolve for test.com else all queries should be forwarded to 192.168.3.44 

Which is not happening.


; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> 003bbhq9.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6844
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;003bbhq9.com.                  IN      A

;; AUTHORITY SECTION:
com.                    530     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1533954938 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 192.168.3.15#53(192.168.3.15)
;; WHEN: Sat Aug 11 08:12:17 IST 2018
;; MSG SIZE  rcvd: 114


On Sat, Aug 11, 2018 at 7:57 AM Blason R <[hidden email]> wrote:
Ok - Now I added like this and it disappeared.

        response-policy { zone "whitelist.allow" policy passthru;
                        zone "malware.trap";
                        zone "ransomwareips.block"; } qname-wait-recurse no break-dnssec no;


On Sat, Aug 11, 2018 at 7:51 AM Blason R <[hidden email]> wrote:
This is not accepting and giving my syntax error.

named-checkconf /etc/bind/named.conf
/etc/bind/named.conf.options:29: syntax error near '}'


And here is I added

        response-policy { zone "whitelist.allow" policy passthru;
                        zone "malware.trap";
                        zone "ransomwareips.block"; } qname-wait-recurse no break-dnssec no; };



On Sat, Aug 11, 2018 at 1:17 AM Carl Byington <[hidden email]> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Fri, 2018-08-10 at 13:17 +0530, Blason R wrote:
> Nah I dont think that is the answer since you need a termination after
> clause.

Did you actually try the answer below?


> On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov <[hidden email]> wrote:

> Should be:


>         response-policy {zone "whitelist.allow" policy passthru;
>                                 zone "malware.trap";
>                                 zone "ransomwareips.block";
>         } qname-wait-recurse no break-dnssec no;


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Need help on RPZ sever, bit urgent

Bob Harold


--
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
[hidden email]
734-647-6524 desk


On Sun, Aug 12, 2018 at 2:38 AM Blason R <[hidden email]> wrote:
Hi Bob,

I guess my scenario is not exactly understood I believe. Before that if I have set forwarder in Global option then ideally BIND should forward all queries to the forwarder, right?

Lets say 192.168.3.15 is client
192.168.3.42 is BIND Server
192.168.3.78 is RPZ server

I have one zone on 192.168.3.42 by name test.com and have all the entries on 192.168.3.42, so on users desktop 192.168.3.15 I have DNS configured as 192.168.3.42.

Make sure 3.42 has in the global options:
forward only;
forwarders { 192.168.3.78; };

If you are missing the "forward only;" then bind will try to forward, but if it does not get a quick answer it will try to resolve itself.

-- 
Bob Harold
 
So, 

When query goes for ftp.test.com it will be resolved by 192.168.3.42
When query goes for bad.malware.com. it will be forwarded 192.168.3.78 where it will be wall-gardened.

Now what I noticed is certain RPZ entries on 3.78 are not getting resolved from 192.168.3.15. And then I observed that certain .com entries 3.42 is trying resolve on his own even though he is not authoritative server and supposedly those ALL queries should have been forwarded to 192.168.3.78.

PS:  I guess there are certain folks are on list from commercial RPZ services, are they facing same issue? 

On Sun, Aug 12, 2018 at 10:12 AM Bob Harold <[hidden email]> wrote:

On Fri, Aug 10, 2018 at 10:53 PM Blason R <[hidden email]> wrote:
Infact what I observed that the intermediate DNS servers are not forwarding he queries for .com and .net servers to my RPZ servers and it tries resolves directly on his own from TLD servers

You need to work on the intermediate server to get it to forward.  If it is running  Microsoft DNS, then I don't know enough to help you with that.

I would suggest that  you have the RPZ server be a 'slave' for the 'test.com' zone (and all the zones that the AUTH server has).  Then point users directly at the RPZ server.

-- 
Bob Harold

 
192.168.3.72 End User
192.168.3.15 [AUTH Server for test.com] and has forwarder to
192.168.3.44 [RPZ]

So, 3.15 should only resolve for test.com else all queries should be forwarded to 192.168.3.44 

Which is not happening.


; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> 003bbhq9.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6844
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;003bbhq9.com.                  IN      A

;; AUTHORITY SECTION:
com.                    530     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1533954938 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 192.168.3.15#53(192.168.3.15)
;; WHEN: Sat Aug 11 08:12:17 IST 2018
;; MSG SIZE  rcvd: 114


On Sat, Aug 11, 2018 at 7:57 AM Blason R <[hidden email]> wrote:
Ok - Now I added like this and it disappeared.

        response-policy { zone "whitelist.allow" policy passthru;
                        zone "malware.trap";
                        zone "ransomwareips.block"; } qname-wait-recurse no break-dnssec no;


On Sat, Aug 11, 2018 at 7:51 AM Blason R <[hidden email]> wrote:
This is not accepting and giving my syntax error.

named-checkconf /etc/bind/named.conf
/etc/bind/named.conf.options:29: syntax error near '}'


And here is I added

        response-policy { zone "whitelist.allow" policy passthru;
                        zone "malware.trap";
                        zone "ransomwareips.block"; } qname-wait-recurse no break-dnssec no; };



On Sat, Aug 11, 2018 at 1:17 AM Carl Byington <[hidden email]> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Fri, 2018-08-10 at 13:17 +0530, Blason R wrote:
> Nah I dont think that is the answer since you need a termination after
> clause.

Did you actually try the answer below?


> On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov <[hidden email]> wrote:

> Should be:


>         response-policy {zone "whitelist.allow" policy passthru;
>                                 zone "malware.trap";
>                                 zone "ransomwareips.block";
>         } qname-wait-recurse no break-dnssec no;


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
12