Hi all,
BIND version: 9.11.21
OS: RHEL 7
Compile options: ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc --with-openssl --enable-largefile --disable-ipv6 --enable-threads --enable-filter-aaaa
I have configured 4 RPZ zones (2 are from upstream feeds, and the other 2
are local overrides blacklist/whitelist).
The response-policy and RPZ zones configurations are as follows
    response-policy {
        zone "rpz.local.whitelist" policy passthru;
        zone "rpz.local.blacklist" policy cname sinkhole-local.domain.com;
        zone "rpz.whitelist"       policy passthru;
        zone "rpz.blacklist"       policy cname sinkhole-feed.domain.com;
    };

    zone "rpz.local.whitelist" {
        type master;
        file "zones/master/rpz.local.whitelist.db";
        allow-query { localhost; };
    };
    zone "rpz.local.blacklist" {
        type master;
        file "zones/master/rpz.local.blacklist.db";
        allow-query { localhost; };
    };
    zone "rpz.whitelist" {
        type master;
        file "zones/master/rpz.whitelist.db";
        allow-query { localhost; };
    };
    zone "rpz.blacklist" {
        type master;
        file "zones/master/rpz.blacklist.db";
        allow-query { localhost; };
    };
Contents of zones that are relevant to the issue:

# grep "*\.live\.com" rpz.*
rpz.blacklist.db:onedrive.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.blacklist.db:*.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.whitelist.db:*.live.com.rpz.whitelist. 3600 IN CNAME rpz.passthru.
# dig @dnsserver onedrive.live.com
;; QUESTION SECTION:
;onedrive.live.com. IN A
;; ANSWER SECTION:
onedrive.live.com. 5 IN CNAME sinkhole-feed.domain.com.
sinkhole-feed.domain.com. 900 IN A 127.66.66.66

I would expect rpz.whitelist to allow *.live.com (passthru).

However, if I add the FQDN, not the wildcard domain, in the rpz.local.whitelist zone to override the external feeds, the FQDN resolution works:
# grep "*\.live\.com" rpz.*
rpz.blacklist.db:onedrive.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.blacklist.db:*.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.local.whitelist.int.db:onedrive.live.com.rpz.local.whitelist. IN CNAME rpz-passthru.
rpz.whitelist.db:*.live.com.rpz.whitelist. 3600 IN CNAME rpz.passthru.
# dig @dnsserver onedrive.live.com
;; QUESTION SECTION:
;onedrive.live.com. IN A
;; ANSWER SECTION:
onedrive.live.com. 60 IN CNAME odc-web-geo.onedrive.akadns.net.
odc-web-geo.onedrive.akadns.net. 36 IN CNAME odc-web-brs.onedrive.akadns.net.
odc-web-brs.onedrive.akadns.net. 36 IN CNAME odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net.
odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net. 240 IN CNAME l-0004.l-msedge.net.
l-0004.l-msedge.net. 240 IN A 13.107.42.13

The RPZ wildcard domain whitelist (passthru) doesn't seem to work as it should.
I have noticed that the last workable version is BIND 9.11.6-P1. I have
tested the same configurations with versions 9.11.8, 9.11.19 and 9.11.21,
and all produce the same issue.
Has anyone experienced a similar issue here? Or have I misconfigured something?
Thanks
myOcella
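For anyone reproducing this, the following is an added illustration (not part of the original post and not BIND's own code) of the QNAME-trigger precedence the RPZ draft describes: the zones listed in response-policy are consulted in order, the first zone holding a matching trigger decides, and within one zone an exact owner name beats a wildcard. The zone order and trigger names are the ones from the post; the record data and the hypothetical swapped order are constructed for the check. It states the answer the poster expects (passthru from rpz.whitelist), shows why the exact FQDN in rpz.local.whitelist wins regardless, and shows that only a different zone order would yield the sinkhole CNAME under these rules.

```python
"""Model of RPZ QNAME-trigger precedence (added example, not BIND code).

Rules modelled, as described in the RPZ draft:
  1. policy zones are consulted in response-policy order;
  2. the first zone that contains a matching trigger wins;
  3. within a zone, an exact name beats a wildcard match.
"""

# Zone order and zone-level policy overrides, copied from the post.
RESPONSE_POLICY = [
    ("rpz.local.whitelist", "passthru"),
    ("rpz.local.blacklist", "cname sinkhole-local.domain.com"),
    ("rpz.whitelist", "passthru"),
    ("rpz.blacklist", "cname sinkhole-feed.domain.com"),
]

# QNAME triggers per zone (owner names with the zone suffix stripped),
# as shown by the poster's grep before the local override was added.
FEEDS_ONLY = {
    "rpz.local.whitelist": set(),
    "rpz.local.blacklist": set(),
    "rpz.whitelist": {"*.live.com"},
    "rpz.blacklist": {"onedrive.live.com", "*.live.com"},
}

# Same data after the poster added the exact FQDN to the local whitelist.
WITH_LOCAL_OVERRIDE = {**FEEDS_ONLY, "rpz.local.whitelist": {"onedrive.live.com"}}

# Constructed for the check: blacklist listed before the wildcard whitelist.
SWAPPED_ORDER = [RESPONSE_POLICY[0], RESPONSE_POLICY[1],
                 RESPONSE_POLICY[3], RESPONSE_POLICY[2]]


def trigger_matches(trigger: str, qname: str) -> bool:
    """Exact match, or RPZ wildcard: '*.live.com' covers every name below live.com."""
    if trigger.startswith("*."):
        suffix = trigger[1:]                      # ".live.com"
        return qname.endswith(suffix) and qname != suffix[1:]
    return trigger == qname


def expected_action(qname: str, zones: dict, order=RESPONSE_POLICY):
    """Return (zone, trigger, policy) for the first zone with a matching
    trigger, preferring an exact owner name over a wildcard inside that
    zone; None means no policy zone applies and normal resolution proceeds."""
    for zone, policy in order:
        triggers = zones.get(zone, set())
        exact = [t for t in triggers
                 if not t.startswith("*.") and trigger_matches(t, qname)]
        wild = [t for t in triggers
                if t.startswith("*.") and trigger_matches(t, qname)]
        hit = exact[0] if exact else (max(wild, key=len) if wild else None)
        if hit is not None:
            return zone, hit, policy
    return None


if __name__ == "__main__":
    for label, zones, order in [
        ("feeds only, configured order", FEEDS_ONLY, RESPONSE_POLICY),
        ("with local FQDN override", WITH_LOCAL_OVERRIDE, RESPONSE_POLICY),
        ("feeds only, blacklist before whitelist", FEEDS_ONLY, SWAPPED_ORDER),
    ]:
        print(f"{label}: {expected_action('onedrive.live.com', zones, order)}")
```

Under these rules the configured order should give passthru from rpz.whitelist's wildcard, which is the behaviour the post expects and the opposite of the dig output shown. One caveat worth checking while bisecting versions: the feed's whitelist record points at `rpz.passthru.` (dot) rather than the `rpz-passthru.` target the RPZ draft uses; that difference is masked here only because the zone declares `policy passthru`, which overrides whatever action the record data encodes, so it should not by itself explain the result.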
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)