RPZ wildcard domain passthru not effective in BIND 9.11.21

RPZ wildcard domain passthru not effective in BIND 9.11.21

My Ocella
Hi all,

BIND version: 9.11.21
OS: RHEL 7
Compile options: ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc --with-openssl --enable-largefile --disable-ipv6 --enable-threads --enable-filter-aaaa

I have configured 4 RPZ zones (2 are from upstream feeds, and the other 2 are a local override blacklist/whitelist).
The response-policy and RPZ zone configurations are as follows:

        response-policy {
                zone "rpz.local.whitelist" policy passthru;
                zone "rpz.local.blacklist" policy cname sinkhole-local.domain.com;
                zone "rpz.whitelist"       policy passthru;
                zone "rpz.blacklist"       policy cname sinkhole-feed.domain.com;
        };
        zone "rpz.local.whitelist" {
                type master;
                file "zones/master/rpz.local.whitelist.db";
                allow-query { localhost; };
        };
        zone "rpz.local.blacklist" {
                type master;
                file "zones/master/rpz.local.blacklist.db";
                allow-query { localhost; };
        };
        zone "rpz.whitelist" {
                type master;
                file "zones/master/rpz.whitelist.db";
                allow-query { localhost; };
        };
        zone "rpz.blacklist" {
                type master;
                file "zones/master/rpz.blacklist.db";
                allow-query { localhost; };
        };

Contents of the zones that are relevant to the issue:
# grep "*\.live\.com" rpz.*
rpz.blacklist.db:onedrive.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.blacklist.db:*.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.whitelist.db:*.live.com.rpz.whitelist. 3600 IN CNAME rpz.passthru.

# dig @dnsserver onedrive.live.com
;; QUESTION SECTION:
;onedrive.live.com. IN A

;; ANSWER SECTION:
onedrive.live.com. 5 IN CNAME sinkhole-feed.domain.com.
sinkhole-feed.domain.com. 900 IN A 127.66.66.66

I would expect rpz.whitelist to allow *.live.com (passthru).

However, if I add the FQDN, not the wildcard domain, to the rpz.local.whitelist zone to override the external feeds, the FQDN resolution works:

# grep "*\.live\.com" rpz.*
rpz.blacklist.db:onedrive.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.blacklist.db:*.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.local.whitelist.int.db:onedrive.live.com.rpz.local.whitelist. IN CNAME rpz-passthru.
rpz.whitelist.db:*.live.com.rpz.whitelist. 3600 IN CNAME rpz.passthru.


RPZ wildcard domain whitelist (passthru) doesn't seem to work as it should.

I have noticed that the last working version is BIND 9.11.6-P1. I have tested the same configuration with versions 9.11.8, 9.11.19 and 9.11.21, and all produce the same issue.

Has anyone experienced a similar issue, or have I misconfigured something?

Thanks
myOcella


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
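To make the expectation in the post above checkable, here is an added example (not part of the thread, and not BIND's code) that models the subset of BIND's RPZ QNAME-trigger evaluation the poster relies on: zones are consulted in the order they appear in `response-policy`, the first zone with a matching rule wins, an exact owner name beats a wildcard within a zone, a zone-level `policy` replaces whatever action the matching record encodes, and the special CNAME targets (`.`, `*.`, `rpz-passthru.`, `rpz-drop.`, `rpz-tcp-only.`) are mapped to their actions. The zone data is constructed from the `grep` output in the post; the `with_policy`/`add_rule` helpers and the simplified wildcard matching (no closest-encloser handling) are my own assumptions, not BIND behaviour.

```python
import copy

# Special CNAME targets defined for RPZ rule records (BIND ARM).
SPECIAL_CNAME = {
    ".": "nxdomain",
    "*.": "nodata",
    "rpz-passthru.": "passthru",
    "rpz-drop.": "drop",
    "rpz-tcp-only.": "tcp-only",
}


def rr_action(rtype, rdata):
    """Map the data of one RPZ rule record to the action it encodes.
    Note that 'rpz.passthru.' (dot, not hyphen) is NOT special: it is an
    ordinary CNAME rewrite to that name."""
    if rtype == "CNAME":
        return SPECIAL_CNAME.get(rdata.lower(), "cname " + rdata)
    return "local-data " + rdata  # A/AAAA/...: answer with this record


def qname_matches(rule_owner, qname):
    """Simplified DNS wildcard semantics: '*.live.com' matches any name at
    least one label below live.com, never live.com itself (assumption:
    closest-encloser rules are ignored)."""
    rule_owner = rule_owner.lower().rstrip(".")
    qname = qname.lower().rstrip(".")
    if rule_owner.startswith("*."):
        suffix = rule_owner[2:]
        return qname != suffix and qname.endswith("." + suffix)
    return rule_owner == qname


def zone_lookup(zone, qname):
    """Within one zone an exact owner match beats a wildcard; among
    wildcards the longest (closest) owner wins. Returns the record action."""
    exact = [r for r in zone["rules"] if not r[0].startswith("*.") and qname_matches(r[0], qname)]
    wild = [r for r in zone["rules"] if r[0].startswith("*.") and qname_matches(r[0], qname)]
    hits = exact or wild
    if not hits:
        return None
    owner, rtype, rdata = max(hits, key=lambda r: len(r[0]))
    return rr_action(rtype, rdata)


def rpz_decide(response_policy, qname):
    """Walk zones in response-policy order; the first zone with a matching
    QNAME rule decides. A zone-level policy other than 'given' overrides
    the action encoded in the record."""
    for zone in response_policy:
        action = zone_lookup(zone, qname)
        if action is None:
            continue
        if zone["policy"] != "given":
            action = zone["policy"]
        return zone["name"], action
    return None, "no-rpz-match"


def with_policy(response_policy, zone_name, policy):
    """Copy of the response-policy list with one zone's policy changed (helper, assumption)."""
    rp = copy.deepcopy(response_policy)
    for zone in rp:
        if zone["name"] == zone_name:
            zone["policy"] = policy
    return rp


def add_rule(response_policy, zone_name, rule):
    """Copy of the response-policy list with one rule record appended (helper, assumption)."""
    rp = copy.deepcopy(response_policy)
    for zone in rp:
        if zone["name"] == zone_name:
            zone["rules"].append(rule)
    return rp


# Constructed from the poster's response-policy statement and grep output.
RESPONSE_POLICY = [
    {"name": "rpz.local.whitelist", "policy": "passthru", "rules": []},
    {"name": "rpz.local.blacklist", "policy": "cname sinkhole-local.domain.com.", "rules": []},
    {"name": "rpz.whitelist", "policy": "passthru",
     "rules": [("*.live.com", "CNAME", "rpz.passthru.")]},
    {"name": "rpz.blacklist", "policy": "cname sinkhole-feed.domain.com.",
     "rules": [("onedrive.live.com", "A", "127.66.66.66"),
               ("*.live.com", "A", "127.66.66.66")]},
]

# The FQDN override the poster added as a workaround.
OVERRIDDEN = add_rule(RESPONSE_POLICY, "rpz.local.whitelist",
                      ("onedrive.live.com", "CNAME", "rpz-passthru."))

if __name__ == "__main__":
    print(rpz_decide(RESPONSE_POLICY, "onedrive.live.com"))   # expected: rpz.whitelist passthru
    print(rpz_decide(OVERRIDDEN, "onedrive.live.com"))        # rpz.local.whitelist passthru
    print(rpz_decide(with_policy(RESPONSE_POLICY, "rpz.whitelist", "given"), "onedrive.live.com"))
```

Two things this makes visible. First, with the zones ordered as in the post, the wildcard in `rpz.whitelist` is reached before `rpz.blacklist`, so the expected decision for onedrive.live.com is passthru; the CNAME to sinkhole-feed.domain.com in the `dig` output is therefore the discrepancy being reported. Second, the whitelist record's target `rpz.passthru.` only yields passthru because the zone carries `policy passthru`; under `policy given` the same record would be an ordinary CNAME rewrite, since the special target is spelled `rpz-passthru.` (as the poster's own local override uses).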
Re: RPZ wildcard domain passthru not effective in BIND 9.11.21

Michał Kępień
> RPZ wildcard domain whitelist (passthru) doesn't seem to work as it should.
>
> I have noticed that the last workable version is BIND 9.11.6-P1. I have
> tested the same configurations with versions 9.11.8, 9.11.19 and 9.11.21,
> and all produce the same issue.
>
> Has anyone experienced a similar issue here? or have I
> mis-configured something?

Looks like a match for GL #1619:

    https://gitlab.isc.org/isc-projects/bind9/-/issues/1619

This will be fixed in BIND 9.11.22, which is due in a few weeks.

If you urgently need a patch against BIND 9.11.21, try this one:

    https://gitlab.isc.org/isc-projects/bind9/-/commit/33ae88f08dabea846aee3be3af8a515fd9774ee1.diff

Sorry about the trouble!

--
Best regards,
Michał Kępień