rpz fail

rpz fail

Lee
tl;dr: https://github.com/StevenBlack/hosts/issues/451

Can someone please explain why using this as my rpz zone does NOT
block everything for *.2o7.net?

$ cat db.test-rpz
$ORIGIN rpz.test.
$TTL    1s
@ IN SOA localhost. admin ( 2019082405 6h 15 1d 1s )
  IN NS  localhost.

2o7.net CNAME .
*.2o7.net CNAME .
bcbsks.com.102.112.2o7.net CNAME .
;  ======== end


but using this does block all of 2o7.net?  (or at least all I've tried)
$ cat db.test-rpz
$ORIGIN rpz.test.
$TTL    1s
@ IN SOA localhost. admin ( 2019082407 6h 15 1d 1s )
  IN NS  localhost.

2o7.net CNAME .
*.2o7.net CNAME .
; bcbsks.com.102.112.2o7.net CNAME .
; === end ===



With "; bcbsks.com.102.112.2o7.net CNAME ." commented out both
dig @127.0.0.1 appleglobal.112.2o7.net
dig @127.0.0.1 appleglobal.2o7.net

work as expected & have
;; ADDITIONAL SECTION:
rpz.test.               1       IN      SOA     localhost.
admin.rpz.test. 2019082407 21600 15 86400 1


With "bcbsks.com.102.112.2o7.net CNAME ." not commented out
dig @127.0.0.1 appleglobal.112.2o7.net
  -- returns an ip address with the ANSWER, AUTHORITY & ADDITIONAL SECTION

dig @127.0.0.1 appleglobal.2o7.net
  -- doesn't return an ip address & additional info is
;; ADDITIONAL SECTION:
rpz.test.               1       IN      SOA     localhost.
admin.rpz.test. 2019082406 21600 15 86400 1


Am I just missing something or is this a bug?

I get the same behavior on debian with 9.11.5-P4-5~bpo9+1-Debian
and windows 10 with 9.11.9 (from
ftp://ftp.isc.org/isc/bind9/9.11.9/BIND9.11.9.x64.zip)

TIA
Lee
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: rpz fail

Tony Finch
Lee <[hidden email]> wrote:
>
> Can someone please explain why using this as my rpz zone does NOT
> block everything for *.2o7.net?
>
> 2o7.net CNAME .
> *.2o7.net CNAME .
> bcbsks.com.102.112.2o7.net CNAME .

I suspect this is RPZ obeying the weird semantics of DNS wildcard
matching. The * only matches if the answer would otherwise be NXDOMAIN
(the name does not exist). The weirdness happens when there are subdomains
that exist, because any parent names are NODATA (the name exists but has
no records of the query type) which suppresses wildcard matching.

So the third CNAME causes com.102.112.2o7.net and 102.112.2o7.net and
112.2o7.net to exist, so any names under those domains do not match the
wildcard. In your example appleglobal.112.2o7.net is under 112.2o7.net so
it doesn't match.

For the long explanation see
https://tools.ietf.org/html/rfc4592 - The Role of Wildcards in the Domain Name System
https://tools.ietf.org/html/rfc8020 - NXDOMAIN: There Really Is Nothing Underneath

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Irish Sea: South veering west 3 to 5, increasing 6 for a time. Slight,
occasionally moderate. Rain. Good, occasionally poor.
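The behaviour Tony describes, and the two zone variants from Lee's question, as an added example that is not code from the thread or from BIND: a small Python model of RFC 4592 wildcard matching run over the RPZ policy records. The record triples are constructed from the thread's zone files (the SOA/NS apex records are left out because they play no part in matching), and the mapping of a policy CNAME "." to an NXDOMAIN action is the model's own simplification of how a resolver consults the policy zone.

```python
"""RFC 4592 wildcard matching over a toy RPZ zone (added example).

Shows why one long name under 2o7.net creates empty non-terminals (ENTs)
for its ancestors, and why a name that exists, even as an ENT, is never
covered by a wildcard.
"""

# Constructed records, relative to the RPZ origin (e.g. "rpz.test.").
ZONE_WITH_LONG_NAME = [
    ("2o7.net", "CNAME", "."),
    ("*.2o7.net", "CNAME", "."),
    ("bcbsks.com.102.112.2o7.net", "CNAME", "."),
]
ZONE_WITHOUT_LONG_NAME = ZONE_WITH_LONG_NAME[:2]


def _norm(name):
    """Relative owner or query name: lower-case, no trailing dot ('' = apex)."""
    return name.rstrip(".").lower()


class Zone:
    def __init__(self, records):
        self.rrsets = {}
        for owner, rtype, rdata in records:
            self.rrsets.setdefault(_norm(owner), []).append((rtype, rdata))
        # Every name that "exists": each owner of a record plus all of its
        # ancestors down to the apex.  Ancestors that carry no records of
        # their own are the empty non-terminals (RFC 8020, section 2).
        self.names = {""}
        for owner in self.rrsets:
            labels = owner.split(".")
            for i in range(len(labels)):
                self.names.add(".".join(labels[i:]))

    def is_ent(self, name):
        """True if the name exists only because something lies beneath it."""
        n = _norm(name)
        return n in self.names and n not in self.rrsets

    def lookup(self, qname, qtype):
        """RFC 1034 4.3.2 / RFC 4592 lookup.  Returns (rcode, rdata list)."""
        q = _norm(qname)
        if q in self.names:
            # Existing name: exact match only, no wildcard processing at all.
            # An ENT therefore answers NODATA rather than being synthesised.
            rrs = [rd for rt, rd in self.rrsets.get(q, []) if rt == qtype]
            return ("NOERROR", rrs) if rrs else ("NODATA", [])
        # Name does not exist: the closest encloser is the longest existing
        # ancestor, and the source of synthesis is "*" directly under it.
        labels = q.split(".")
        closest = ""
        for i in range(1, len(labels) + 1):
            candidate = ".".join(labels[i:])
            if candidate in self.names:
                closest = candidate
                break
        source = "*." + closest if closest else "*"
        if source in self.rrsets:
            rrs = [rd for rt, rd in self.rrsets[source] if rt == qtype]
            return ("NOERROR", rrs) if rrs else ("NODATA", [])
        return ("NXDOMAIN", [])


def rpz_action(zone, qname):
    """QNAME trigger (simplified): a CNAME '.' at the matching policy name
    means the NXDOMAIN action; NODATA from an ENT or NXDOMAIN in the policy
    zone means no policy applies and the query resolves normally."""
    rcode, rrs = zone.lookup(qname, "CNAME")
    if rcode == "NOERROR" and "." in rrs:
        return "NXDOMAIN"
    return "no-match"


if __name__ == "__main__":
    for label, recs in (("with long name", ZONE_WITH_LONG_NAME),
                        ("without long name", ZONE_WITHOUT_LONG_NAME)):
        z = Zone(recs)
        for q in ("appleglobal.112.2o7.net", "appleglobal.2o7.net"):
            print(f"{label:18} {q:28} {z.lookup(q, 'CNAME')} -> {rpz_action(z, q)}")
        print(f"{label:18} 112.2o7.net is ENT: {z.is_ent('112.2o7.net')}")
```

With the long name present, `112.2o7.net` exists as an ENT, so `appleglobal.112.2o7.net` has `112.2o7.net` as its closest encloser, `*.112.2o7.net` is the (absent) source of synthesis, and the lookup falls through to NXDOMAIN in the policy zone, which is the "no policy, return the real IP" result Lee saw. Without it, the closest encloser is `2o7.net` and `*.2o7.net` covers the name. Running `is_ent` over a policy zone's ancestor names is one way to spot where a single specific entry has silently carved holes out of a wildcard.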
Re: rpz fail

Lee
On 8/27/19, Tony Finch <[hidden email]> wrote:

> Lee <[hidden email]> wrote:
>>
>> Can someone please explain why using this as my rpz zone does NOT
>> block everything for *.2o7.net?
>>
>> 2o7.net CNAME .
>> *.2o7.net CNAME .
>> bcbsks.com.102.112.2o7.net CNAME .
>
> I suspect this is RPZ obeying the weird semantics of DNS wildcard
> matching. The * only matches if the answer would otherwise be NXDOMAIN
> (the name does not exist). The weirdness happens when there are subdomains
> that exist, because any parent names are NODATA (the name exists but has
> no records of the query type) which suppresses wildcard matching.
>
> So the third CNAME causes com.102.112.2o7.net and 102.112.2o7.net and
> 112.2o7.net to exist, so any names under those domains do not match the
> wildcard. In your example appleglobal.112.2o7.net is under 112.2o7.net so
> it doesn't match.
>
> For the long explanation see
> https://tools.ietf.org/html/rfc4592 - The Role of Wildcards in the Domain
> Name System
> https://tools.ietf.org/html/rfc8020 - NXDOMAIN: There Really Is Nothing
> Underneath

Thank you!

I posted a similar question on the dns firewall list
  http://lists.redbarn.org/pipermail/dnsfirewalls/2019-August/000367.html
Hopefully the RFCs you listed will help me understand the 'empty
non-terminals' thing.

Regards,
Lee