My Ocella
2020-07-28 11:57:26 UTC
Hi all,
BIND version: 9.11.21
OS: RHEL 7
Compile options: ./configure --prefix=/usr --localstatedir=/var
--sysconfdir=/etc --with-openssl --enable-largefile --disable-ipv6
--enable-threads --enable-filter-aaaa
I have configured 4 RPZ zones (2 are from upstream feeds, and the other 2
are local overrides blacklist/whitelist).
The response-policy and RPZ zone configurations are as follows:
response-policy {
zone "rpz.local.whitelist" policy passthru;
zone "rpz.local.blacklist" policy cname sinkhole-local.domain.com;
zone "rpz.whitelist" policy passthru;
zone "rpz.blacklist" policy cname sinkhole-feed.domain.com;
};
zone "rpz.local.whitelist"{
type master;
file "zones/master/rpz.local.whitelist.db";
allow-query { localhost; };
};
zone "rpz.local.blacklist" {
type master;
file "zones/master/rpz.local.blacklist.db";
allow-query { localhost; };
};
zone "rpz.whitelist"{
type master;
file "zones/master/rpz.whitelist.db";
allow-query { localhost; };
};
zone "rpz.blacklist" {
type master;
file "zones/master/rpz.blacklist.db";
allow-query { localhost; };
};
Contents of the zones that are relevant to the issue:
# grep "*\.live\.com" rpz.*
rpz.blacklist.db:onedrive.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.blacklist.db:*.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.whitelist.db:*.live.com.rpz.whitelist. 3600 IN CNAME rpz.passthru.
# dig @dnsserver onedrive.live.com
;; QUESTION SECTION:
;onedrive.live.com. IN A
;; ANSWER SECTION:
onedrive.live.com. 5 IN CNAME sinkhole-feed.domain.com.
sinkhole-feed.domain.com. 900 IN A 127.66.66.66
I would expect rpz.whitelist to allow *.live.com (passthru).
However, if I add the FQDN, not the wildcard domain, in the rpz.local.whitelist
zone to override the external feeds, the FQDN resolution works:
# grep "*\.live\.com" rpz.*
rpz.blacklist.db:onedrive.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.blacklist.db:*.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.local.whitelist.int.db:onedrive.live.com.rpz.local.whitelist. IN CNAME rpz-passthru.
rpz.whitelist.db:*.live.com.rpz.whitelist. 3600 IN CNAME rpz.passthru.
# dig @dnsserver onedrive.live.com
;; QUESTION SECTION:
;onedrive.live.com. IN A
;; ANSWER SECTION:
onedrive.live.com. 60 IN CNAME odc-web-geo.onedrive.akadns.net.
odc-web-geo.onedrive.akadns.net. 36 IN CNAME odc-web-brs.onedrive.akadns.net.
odc-web-brs.onedrive.akadns.net. 36 IN CNAME odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net.
odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net. 240 IN CNAME l-0004.l-msedge.net.
l-0004.l-msedge.net. 240 IN A 13.107.42.13
RPZ wildcard domain whitelist (passthru) doesn't seem to work as it should.
I have noticed that the last workable version is BIND 9.11.6-P1. I have
tested the same configurations with versions 9.11.8, 9.11.19 and 9.11.21,
and all produce the same issue.
Has anyone experienced a similar issue here, or have I misconfigured something?
Thanks
myOcella
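An added example, not the poster's or ISC's code: it models BIND's documented QNAME-trigger precedence (zones consulted in response-policy order, the first zone holding a matching trigger wins, an exact owner beats a wildcard within a zone, and a zone-level policy overrides the record's own action) and feeds it the four zones from the post, so the answer the configuration should give for onedrive.live.com can be stated before the difference is reported as a regression. The zone names, overrides and records are taken from the post; the special CNAME targets follow the BIND ARM.

```python
# Model of BIND RPZ QNAME-trigger precedence, fed with the zones from the post.
from dataclasses import dataclass

@dataclass
class Rule:
    owner: str   # trigger name relative to the RPZ zone apex, e.g. "*.live.com"
    rdtype: str
    rdata: str

def record_action(rule):
    """Action encoded by the record itself (special CNAME targets per the ARM)."""
    if rule.rdtype != "CNAME":
        return "local-data"              # A/AAAA/... answered from the RPZ zone
    target = rule.rdata.rstrip(".").lower()
    return {"rpz-passthru": "passthru", "": "nxdomain", "*": "nodata"}.get(target, "cname")

def match_in_zone(rules, qname):
    """Exact owner beats a wildcard; '*.x' matches subdomains of x, not x itself."""
    q = qname.rstrip(".").lower()
    for r in rules:
        if r.owner.lower() == q:
            return r
    labels = q.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        for r in rules:
            if r.owner.lower() == wild:
                return r
    return None

def rpz_lookup(policy_zones, qname):
    """policy_zones: (zone, zone policy override or 'given', rules) in
    response-policy order; the first zone holding a matching trigger wins."""
    for zone, override, rules in policy_zones:
        hit = match_in_zone(rules, qname)
        if hit is None:
            continue
        action = record_action(hit) if override == "given" else override
        return zone, hit.owner, action
    return None, None, "no-rpz-rule"

# The poster's four zones in response-policy order (constructed from the post).
POSTED_ZONES = [
    ("rpz.local.whitelist", "passthru", []),
    ("rpz.local.blacklist", "cname", []),
    ("rpz.whitelist", "passthru", [Rule("*.live.com", "CNAME", "rpz.passthru.")]),
    ("rpz.blacklist", "cname", [Rule("onedrive.live.com", "A", "127.66.66.66"),
                                Rule("*.live.com", "A", "127.66.66.66")]),
]
```

Note that the record in rpz.whitelist.db points at rpz.passthru. rather than the special target rpz-passthru., so at the record level it is an ordinary CNAME rewrite; the model applies the zone's `policy passthru` override on top, which is what carries the whitelist in this configuration.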