refused rcode is not working RPZ?

Sukmoon Lee
Hi all.

I am using an RPZ zone.
The lines below are from the RPZ zone file, but jifr.net is not working.


        jifr.net        CNAME .
        *.jifr.net      CNAME .

Unusually, this domain is responding with a REFUSED rcode (from the authoritative name server).

        $ dig @173.245.58.51 jifr.net
       
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 39590
        ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
        ;; WARNING: recursion requested but not available
       
        ;; QUESTION SECTION:
        ;jifr.net.                      IN      A
       
        ;; Query time: 105 msec


I want to respond with NXDOMAIN.
Is there a solution for this case?

Thanks.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: refused rcode is not working RPZ?

Ray Bellis
On 17/11/2016 10:20, LEE SUKMOON wrote:

> I want to respond with NXDOMAIN.
> Is there a solution for this case?

You'd usually get SERVFAIL from the recursor because the domain is
misconfigured with a lame delegation, and either way the client won't
get an answer.

Is there a particular reason that the exact RCODE matters ?

Ray


RE: refused rcode is not working RPZ?

Sukmoon Lee
> On 17/11/2016 10:20, LEE SUKMOON wrote:
>
> > I want to respond with NXDOMAIN.
> > Is there a solution for this case?
>
> You'd usually get SERVFAIL from the recursor because the domain is
> misconfigured with a lame delegation, and either way the client won't
> get an answer.
>
> Is there a particular reason that the exact RCODE matters ?
>
> Ray
>

This domain causes many recursive queries.
And the client received a late SERVFAIL response.

I want to respond quickly for "*.jifr.net".
I want to solve this problem using RPZ.

Thanks.
Sukmoon Lee.

Re: refused rcode is not working RPZ?

Phil Mayers
On 17/11/16 02:29, LEE SUKMOON wrote:

> This domain causes many recursive queries.
> And the client received a late SERVFAIL response.
>
> I want to respond quickly for "*.jifr.net".
> I want to solve this problem using RPZ.


See "qname-wait-recurse" in the BIND ARM. This will apply policy to the
query for QNAME triggers without waiting for the response.
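
Added example, not part of the original thread and not written by any of its posters: a named.conf fragment showing where the "qname-wait-recurse" option named in the last reply is set, next to the RPZ records from the first post. The policy zone name "rpz.example", the file name "db.rpz.example" and the allow-query setting are assumptions.

```conf
// named.conf fragment (constructed example). The policy zone name
// "rpz.example" and the file name "db.rpz.example" are assumptions.
options {
    recursion yes;

    // Default is "qname-wait-recurse yes": any recursion needed for the
    // request is completed before policy triggers are considered, so a
    // listed name behind slow or lame authoritative servers still costs
    // the full resolution time before the rewrite is applied.
    //
    // "no" lets QNAME triggers rewrite the answer without waiting for
    // that recursion.
    response-policy {
        zone "rpz.example";
    } qname-wait-recurse no;
};

zone "rpz.example" {
    type master;
    file "db.rpz.example";
    allow-query { none; };   // assumption: policy data not served to clients
};

// Records from the first post, as they sit in db.rpz.example
// ("CNAME ." is the RPZ NXDOMAIN action):
//   jifr.net     CNAME .
//   *.jifr.net   CNAME .
```

Per the BIND ARM, recursion is done first by default because skipping it can reveal to the operators of a listed name's servers that the name is in a policy zone. The ARM also notes that the option does not affect policy zones listed after zones containing IP, NSIP or NSDNAME triggers.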