Rewrite/Override QTYPE with RPZ

Rewrite/Override QTYPE with RPZ

Tom Tom
Hi all
Is there a way to override/rewrite QTYPE (ex. MX) with RPZ? If no, is
this planned in future releases of BIND?

Regards,
Tom
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: Rewrite/Override QTYPE with RPZ

Barry Margolin
In article <[hidden email]>,
 Tom <[hidden email]> wrote:

> Hi all
> Is there a way to override/rewrite QTYPE (ex. MX) with RPZ? If no, is
> this planned in future releases of BIND?

What would be the point? If a query is for MX, and you return A instead,
the client won't be able to do anything with it.

--
Barry Margolin
Arlington, MA
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: Rewrite/Override QTYPE with RPZ

Kevin Darcy
The only scenario in which I could see this being accepted by the client, is if the replacement is a CNAME, since that's a "universal" type. But it's still unclear what the ultimate intent would be.

- Kevin

On Thu, Nov 8, 2018 at 10:45 AM Barry Margolin <[hidden email]> wrote:
In article <[hidden email]>,
 Tom <[hidden email]> wrote:

> Hi all
> Is there a way to override/rewrite QTYPE (ex. MX) with RPZ? If no, is
> this planned in future releases of BIND?

What would be the point? If a query is for MX, and you return A instead,
the client won't be able to do anything with it.

Re: Rewrite/Override QTYPE with RPZ

Tom Tom
For example "example.com" and "*.example.com" are blacklisted. I would
like to return a real ip address for special query types like MX or TXT,
but not for A or AAAA.

Tom


On 08.11.18 16:44, Barry Margolin wrote:

> In article <[hidden email]>,
>   Tom <[hidden email]> wrote:
>
>> Hi all
>> Is there a way to override/rewrite QTYPE (ex. MX) with RPZ? If no, is
>> this planned in future releases of BIND?
>
> What would be the point? If a query is for MX, and you return A instead,
> the client won't be able to do anything with it.
>
RE: Rewrite/Override QTYPE with RPZ

Lightner, Jeff
That wouldn't help you much.   Many mail systems these days check not only your MX record but also your PTR record to make sure the IP you came from has a valid (i.e. not generic) reverse lookup.   They'll also check things like dkim or spf TXT records.   If they don't like what they find they'll simply reject email even if you haven't been blacklisted.

In general blacklisting services blacklist specific IPs rather than domains anyway.   A work around would be to change the outbound IP your mail server uses rather than changing other records.  Of course you'd have to make additional changes for the PTR, A/AAAA and TXT records for the new IP you select.

Many blacklisting services have a way to delist yourself.

However, if you don't fix the underlying problem that caused you to be blacklisted in the first place any new IP will quickly be blacklisted as well and/or delisting yourself a second time is much more difficult.

If you are sending multiple automated emails (e.g. invoices or marketing materials) to customers you need to be monitoring for returns and removing rejected email addresses from your databases.   These often occur because the customer no longer has the email address they originally gave you (or they had a typo in what they gave you).

-----Original Message-----
From: bind-users [mailto:[hidden email]] On Behalf Of Tom
Sent: Thursday, November 08, 2018 11:49 PM
To: [hidden email]
Subject: Re: Rewrite/Override QTYPE with RPZ

For example "example.com" and "*.example.com" are blacklisted. I would like to return a real ip address for special query types like MX or TXT, but not for A or AAAA.

Tom


On 08.11.18 16:44, Barry Margolin wrote:

> In article <[hidden email]>,
>   Tom <[hidden email]> wrote:
>
>> Hi all
>> Is there a way to override/rewrite QTYPE (ex. MX) with RPZ? If no, is
>> this planned in future releases of BIND?
>
> What would be the point? If a query is for MX, and you return A
> instead, the client won't be able to do anything with it.
>
Re: Rewrite/Override QTYPE with RPZ

Tom Tom
I mean the other way:

My feed-supplied RPZ blocks othercompany.com and *.othercompany.com. Therefore
any qtype (MX, A, AAAA...) are blocked for this domain. Is there a way
with BIND just to whitelist the MX for othercompany.com and the
consequent A-Record (ex. mail.othercompany.com) that we are able to send
mail to othercompany.com?




On 09.11.18 14:39, Lightner, Jeffrey wrote:

> That wouldn't help you much.   Many mail systems these days check not only your MX record but also your PTR record to make sure the IP you came from has a valid (i.e. not generic) reverse lookup.   They'll also check things like dkim or spf TXT records.   If they don't like what they find they'll simply reject email even if you haven't been blacklisted.
>
> In general blacklisting services blacklist specific IPs rather than domains anyway.   A work around would be to change the outbound IP your mail server uses rather than changing other records.  Of course you'd have to make additional changes for the PTR, A/AAAA and TXT records for the new IP you select.
>
> Many blacklisting services have a way to delist yourself.
>
> However, if you don't fix the underlying problem that caused you to be blacklisted in the first place any new IP will quickly be blacklisted as well and/or delisting yourself a second time is much more difficult.
>
> If you are sending multiple automated emails (e.g. invoices or marketing materials) to customers you need to be monitoring for returns and removing rejected email addresses from your databases.   These often occur because the customer no longer has the email address they originally gave you (or they had a typo in what they gave you).
Re: Rewrite/Override QTYPE with RPZ

Daniel Stirnimann
Hello Tom,

> My feed-supplied RPZ blocks othercompany.com and *.othercompany.com. Therefore
> any qtype (MX, A, AAAA...) are blocked for this domain. Is there a way
> with BIND just to whitelist the MX for othercompany.com and the
> consequent A-Record (ex. mail.othercompany.com) that we are able to send
> mail to othercompany.com?

If the action of your RPZ policy is a CNAME redirecting the user to a
walled garden and that walled garden runs an MTA you could configure it
as a relay server.

We have a similar setup where the MTA on the walled garden rejects the
email so that the sending MTA immediately gets a feedback.

Daniel
Re: Rewrite/Override QTYPE with RPZ

Tom Tom
Hi Daniel

Thank you for your feedback. This could be a solution.

It seems that unbound can do this (not verified) and BIND-RPZ can't do
this actually:
https://serverfault.com/questions/18748/overriding-some-dns-entries-in-bind-for-internal-networks

Any plans for BIND?
Tom



On 12.11.18 08:14, Daniel Stirnimann wrote:

> Hello Tom,
>
>> My feed-supplied RPZ blocks othercompany.com and *.othercompany.com. Therefore
>> any qtype (MX, A, AAAA...) are blocked for this domain. Is there a way
>> with BIND just to whitelist the MX for othercompany.com and the
>> consequent A-Record (ex. mail.othercompany.com) that we are able to send
>> mail to othercompany.com?
>
> If the action of your RPZ policy is a CNAME redirecting the user to a
> walled garden and that walled garden runs an MTA you could configure it
> as a relay server.
>
> We have a similar setup where the MTA on the walled garden rejects the
> email so that the sending MTA immediately gets a feedback.
>
> Daniel
>
Re: Rewrite/Override QTYPE with RPZ

Lee
On 11/12/18, Tom <[hidden email]> wrote:
> I mean the other way:
>
> My feed-supplied RPZ blocks othercompany.com and *.othercompany.com. Therefore
> any qtype (MX, A, AAAA...) are blocked for this domain. Is there a way
> with BIND just to whitelist the MX for othercompany.com and the
> consequent A-Record (ex. mail.othercompany.com) that we are able to send
> mail to othercompany.com?

mail.othercompany.com   CNAME  rpz-passthru.
*.othercompany.com       CNAME  .

in your rpz zone file doesn't do what you want?

Lee

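Editor's note with an added worked example (this is not code from the thread, from BIND or from ISC). The script below models how BIND evaluates the RPZ rules discussed above: QNAME triggers (an exact owner or a *.wildcard), the actions CNAME . (NXDOMAIN), CNAME *. (NODATA), CNAME rpz-passthru. and a plain CNAME to some other name, and first-match-wins across policy zones in the order they are listed in the response-policy statement. The point it makes is the one the thread circles around: an RPZ trigger is matched on the query name only, never on the query type, so as long as the feed still carries "othercompany.com CNAME ." the MX query for othercompany.com is rewritten to NXDOMAIN before the sending MTA ever asks for mail.othercompany.com, and the passthru for the mail host is never reached. Adding a passthru for the apex fixes the MX lookup but also lets A/AAAA at the apex through. The zone names whitelist.rpz and feed.rpz, the host garden.example.net and all zone contents are constructed for the example; real DNS wildcard matching is simplified.

```python
"""Model of BIND RPZ QNAME-trigger evaluation for the rules discussed in this thread.

Added example, not code from the thread, from BIND or from ISC. It covers only
what the thread needs: QNAME triggers (exact owner and *.wildcard), the actions
"CNAME ." (NXDOMAIN), "CNAME *." (NODATA), "CNAME rpz-passthru." and a plain
CNAME to some other name (local data), and first-match-wins across policy zones
in the order of the response-policy statement. Zone names and contents are
constructed for the example.
"""

# Constructed policy zones in RPZ zone-file syntax: owner  CNAME  target
WHITELIST_RPZ = """
; local exceptions, listed first in response-policy so they win over the feed
mail.othercompany.com   CNAME   rpz-passthru.
"""

FEED_RPZ = """
; what the (hypothetical) external feed delivers for the blocked domain
othercompany.com        CNAME   .
*.othercompany.com      CNAME   .
"""

WALLED_GARDEN_RPZ = """
; alternative feed action: redirect everything to a walled-garden host
othercompany.com        CNAME   garden.example.net.
*.othercompany.com      CNAME   garden.example.net.
"""

SPECIAL_TARGETS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}


def parse_rpz_zone(text):
    """Parse 'owner CNAME target' lines into {owner: action}; ';' starts a comment."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, rrtype, target = line.split()
        if rrtype.upper() != "CNAME":
            raise ValueError("only CNAME policy records are modelled: " + line)
        action = SPECIAL_TARGETS.get(target, "CNAME " + target)
        rules[owner.lower().rstrip(".")] = action
    return rules


def match_zone(rules, qname):
    """One zone: exact owner first, then the closest *.wildcard above the name.
    (Simplified: full DNS wildcard semantics are not modelled.)"""
    name = qname.lower().rstrip(".")
    if name in rules:
        return rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):          # *.othercompany.com never matches the apex
        action = rules.get("*." + ".".join(labels[i:]))
        if action is not None:
            return action
    return None


def rpz_decide(policy_zones, qname, qtype):
    """First policy zone with a QNAME match wins. qtype is accepted only to make
    the point: RPZ has no QTYPE trigger, so an MX query at a blocked owner is
    rewritten exactly like an A query at that owner."""
    for zone_name, rules in policy_zones:
        action = match_zone(rules, qname)
        if action is not None:
            return action, zone_name
    return "NORMAL", None                    # not rewritten, resolved as usual


def delivery_lookups(policy_zones):
    """The lookups a sending MTA makes for user@othercompany.com, plus one web lookup."""
    queries = [("othercompany.com", "MX"), ("mail.othercompany.com", "A"),
               ("othercompany.com", "A"), ("www.othercompany.com", "A")]
    return {q: rpz_decide(policy_zones, *q)[0] for q in queries}


# Lee's passthru line with the feed still blocking the apex: the MX lookup itself
# is rewritten, so the passthru for mail.othercompany.com is never reached.
LEE_ONLY = [("whitelist.rpz", parse_rpz_zone(WHITELIST_RPZ)),
            ("feed.rpz", parse_rpz_zone(FEED_RPZ))]

# A passthru for the apex lets the MX query through, but because the trigger is
# the name and not the type it also lets A/AAAA at the apex through.
APEX_PASSTHRU = [("whitelist.rpz", parse_rpz_zone(
                    WHITELIST_RPZ + "othercompany.com CNAME rpz-passthru.\n")),
                 ("feed.rpz", parse_rpz_zone(FEED_RPZ))]

# Daniel's approach: the policy answers with a CNAME to a walled-garden host whose
# MTA relays or rejects; the sending MTA follows the CNAME like any other client.
WALLED_GARDEN = [("feed.rpz", parse_rpz_zone(WALLED_GARDEN_RPZ))]

if __name__ == "__main__":
    for label, zones in [("lee-only", LEE_ONLY), ("apex-passthru", APEX_PASSTHRU),
                         ("walled-garden", WALLED_GARDEN)]:
        print(label)
        for (qname, qtype), action in delivery_lookups(zones).items():
            print(f"  {qtype:<3} {qname:<24} -> {action}")
```

Run it as a script to see the three outcomes side by side; the "lee-only" case shows the MX query at the apex still answered NXDOMAIN, which is why the whitelist alone does not get mail flowing.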