Response Policy Zone: disabling "leaking" of lookups


Response Policy Zone: disabling "leaking" of lookups

Fred Morris

It comes to my attention that when an unresolvable query occurs, it gets forwarded to the authoritative zone regardless of anything I can set in named.conf. The closest I can come is qname-wait-recurse, which sort of has the opposite effect, namely waiting for recursion to complete. If I have something in an RPZ, I want it to accept that; period, full stop, no outwardly visible effects.

Ironically the text surrounding this option in the ARM is to the effect that "... not resolving the requested name can leak the fact that response policy rewriting is in use..." and leaking the fact that it is in use by not leaking the query in the first place is what I'm trying to achieve: how do I disable the (useless) resolution directed at upstream servers?

Here is a use case:

  1. A search list is in place for example.com. This means that if "foo.bar" fails to resolve then "foo.bar.example.com" will be tried, followed by "foo.bar.com".
  2. In addition to the foregoing, a rule is placed in the RPZ that "com.example.com" and "*.com.example.com" are NXDOMAIN.
  3. An additional rule is present in the RPZ that "my-outhouse-example.com" is NXDOMAIN.

In this case:

  • "my-outhouse-example.com.example.com" will return NXDOMAIN (it does!)
  • There should be no upstream (pointless) query for my-outhouse-example.com.example.com. (oops!)

Let's stop the leaks.

--

Fred Morris



_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: Response Policy Zone: disabling "leaking" of lookups

Bind-Users forum mailing list

On Wed, 2020-09-02 at 17:47 -0700, Fred Morris wrote:
> how do I disable the (useless) resolution directed at upstream
> servers?

Isn't that just "qname-wait-recurse no;"





Re: [DNSfirewalls] Response Policy Zone: disabling "leaking" of lookups

Bind-Users forum mailing list
In reply to this post by Fred Morris
It is a well-known behaviour. This is the way your DNS client works (not the DNS server).
Get rid of the search list, or block requests to the domains in the search lists by RPZ (e.g. if it is pushed by the ISP).

BR,
Vadim
Thursday, 3 September 2020, 19:04 +03:00, from Fred Morris <[hidden email]>:
> [original post, quoted in full above]


Re: Response Policy Zone: disabling "leaking" of lookups

Fred Morris
In reply to this post by Bind-Users forum mailing list
Carl Byington wrote:
> On Wed, 2020-09-02 at 17:47 -0700, Fred Morris wrote:
> > how do I disable the (useless) resolution directed at upstream
> > servers?
>
> Isn't that just "qname-wait-recurse no;"
>
You are correct! I got confused and the doc didn't help. The logic is
tri-state:

*Default* (not present): The lookup is performed, but isn't waited for.

*Yes*: Resolution waits for the lookup to complete.

*No*: Resolution is not performed.


Verified by testing. :-) Thanks for the sanity check.

--

Fred Morris
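As an added example, not taken from the thread or from ISC's documentation, here is a minimal named.conf response-policy stanza together with an RPZ zone file that encodes the three rules from the use case above and applies the setting the thread settles on, "qname-wait-recurse no;", so that a query whose QNAME matches a policy trigger is answered from the RPZ without a recursive lookup going upstream. The zone name rpz.local, the file path and the SOA values are assumptions; the tri-state behaviour of the option is as described in the reply above.

```conf
# --- named.conf fragment (added example, not from the thread) -----------------
options {
    recursion yes;

    # With "qname-wait-recurse no;" a query whose QNAME matches an RPZ trigger
    # is rewritten immediately and no recursive query is sent upstream, which
    # is what stops the "leak" discussed in the thread.  Leaving the option out
    # is the setting the thread found to let the upstream lookup happen.
    response-policy {
        zone "rpz.local";          # assumed zone name
    } qname-wait-recurse no;
};

# The policy zone itself.  It is consulted by the resolver but never served
# to clients, hence allow-query { none; }.
zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";   # assumed path
    allow-query { none; };
};

# --- /etc/bind/db.rpz.local (added example) -----------------------------------
; Owner names are relative to the zone origin rpz.local.  In RPZ, a trigger
; whose target is "CNAME ." makes the resolver answer NXDOMAIN for that name.
$TTL 300
@                         IN SOA   localhost. hostmaster.localhost. (
                                   1          ; serial (placeholder)
                                   3600 900 604800 300 )
@                         IN NS    localhost.

com.example.com           IN CNAME .   ; rule 2: the bare name
*.com.example.com         IN CNAME .   ; rule 2: anything beneath it
my-outhouse-example.com   IN CNAME .   ; rule 3
```

To check the configuration the way the thread describes, reload named (for example with `rndc reload`) and query the resolver for `my-outhouse-example.com.example.com`; the answer should be NXDOMAIN, and a packet capture of port 53 on the resolver's upstream interface taken during that query (for example `tcpdump -ni <upstream-iface> port 53`) should show no outbound lookup for the name. The rewrite itself is recorded in named's `rpz` log category if that category is routed to a channel.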

