
RPZ wildcard domain passthru not effective in BIND 9.11.21


My Ocella

Jul 28, 2020, 7:57:50 AM7/28/20
to bind-...@lists.isc.org
Hi all,

BIND version: 9.11.21
OS: RHEL 7
Compile options: ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc --with-openssl --enable-largefile --disable-ipv6 --enable-threads --enable-filter-aaaa

I have configured 4 RPZ zones (2 are from upstream feeds, and the other 2 are local override blacklist/whitelist zones).
The response-policy and RPZ zone configurations are as follows:

        response-policy {
                zone "rpz.local.whitelist" policy passthru;
                zone "rpz.local.blacklist" policy cname sinkhole-local.domain.com;
                zone "rpz.whitelist"    policy passthru;
                zone "rpz.blacklist" policy cname sinkhole-feed.domain.com;
        };
        zone "rpz.local.whitelist"{
            type master;
            file "zones/master/rpz.local.whitelist.db";
            allow-query { localhost; };
        };
        zone "rpz.local.blacklist" {
            type master;
            file "zones/master/rpz.local.blacklist.db";
            allow-query { localhost; };
        };
        zone "rpz.whitelist"{
            type master;
            file "zones/master/rpz.whitelist.db";
            allow-query { localhost; };
        };
        zone "rpz.blacklist" {
            type master;
            file "zones/master/rpz.blacklist.db";
            allow-query { localhost; };
        };

Contents of the zones relevant to the issue:
# grep "*\.live\.com" rpz.*
rpz.blacklist.db:onedrive.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.blacklist.db:*.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.whitelist.db:*.live.com.rpz.whitelist. 3600 IN CNAME rpz.passthru.

# dig @dnsserver onedrive.live.com
;; QUESTION SECTION:
;onedrive.live.com. IN A

;; ANSWER SECTION:
onedrive.live.com. 5 IN CNAME sinkhole-feed.domain.com.
sinkhole-feed.domain.com. 900 IN A 127.66.66.66

I would expect rpz.whitelist to allow *.live.com (passthru).

However, if I add the FQDN (rather than the wildcard domain) to the rpz.local.whitelist zone to override the external feeds, resolution of that FQDN works:

# grep "*\.live\.com" rpz.*
rpz.blacklist.db:onedrive.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.blacklist.db:*.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.local.whitelist.int.db:onedrive.live.com.rpz.local.whitelist. IN CNAME rpz-passthru.
rpz.whitelist.db:*.live.com.rpz.whitelist. 3600 IN CNAME rpz.passthru.


RPZ wildcard domain whitelist (passthru) doesn't seem to work as it should.

I have noticed that the last working version is BIND 9.11.6-P1. I have tested the same configuration with versions 9.11.8, 9.11.19 and 9.11.21, and all produce the same issue.

Has anyone experienced a similar issue here, or have I misconfigured something?

Thanks
myOcella
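
The post above relies on two RPZ rules: the first zone in the response-policy list whose QNAME trigger matches is the one that decides, and a zone-level `policy` (here `passthru` on both whitelist zones) replaces whatever action the matching record itself encodes. The following is an added illustration, not BIND's code and not anything the poster ran: a small offline model of that decision procedure, populated with records constructed from the configuration and grep output in the post, which shows the answer the poster expected (passthru from rpz.whitelist via the `*.live.com` wildcard), the workaround (an exact owner in rpz.local.whitelist), and the edge case that a wildcard does not cover its own apex. The ordering and override rules are taken from the BIND ARM description of RPZ; the wildcard matching rules are standard DNS semantics. One caveat worth noting: without a zone-level override, BIND only treats a CNAME to the target `rpz-passthru.` as passthru, so the `rpz.passthru.` target in the whitelist zone would otherwise be an ordinary CNAME rewrite.

```python
"""Offline model of how BIND chooses an RPZ action for a QNAME across an ordered
response-policy list. Added illustration, not BIND code: it follows the rules as
described in the BIND ARM (the first listed zone with a matching trigger wins;
a zone-level `policy` overrides the record's own action) and standard DNS
wildcard semantics. All records below are constructed from the post.
"""


def _labels(name):
    """Split an owner/query name into lowercase labels, ignoring the trailing dot."""
    return name.rstrip(".").lower().split(".")


def match_in_zone(qname, records):
    """Return (owner, action) for the best QNAME trigger in one policy zone, else None.

    Assumed matching rules (standard DNS wildcard behaviour): an exact owner
    beats any wildcard; "*.x" matches names with at least one label below x but
    not x itself; among several matching wildcards the longest one wins.
    """
    q = _labels(qname)
    best = None
    for owner, action in records.items():
        o = _labels(owner)
        if o == q:
            return owner, action  # exact match: nothing beats it
        if o[0] == "*" and len(q) > len(o) - 1 and q[-(len(o) - 1):] == o[1:]:
            if best is None or len(o) > len(_labels(best[0])):
                best = (owner, action)
    return best


def rpz_decision(qname, policy_zones):
    """Walk the response-policy list in order; the first zone with a matching
    QNAME trigger decides. `policy_zones` is a list of
    (zone name, zone-level policy or None, {owner: record action}).
    """
    for zone, zone_policy, records in policy_zones:
        hit = match_in_zone(qname, records)
        if hit is None:
            continue
        owner, action = hit
        # A zone-level `policy passthru` makes the record data irrelevant, which
        # is why the whitelist zone's CNAME target does not matter here. Without
        # the override, BIND only treats the target "rpz-passthru." as passthru;
        # the post's "rpz.passthru." would be a plain CNAME rewrite.
        return {"zone": zone, "trigger": owner, "action": zone_policy or action}
    return {"zone": None, "trigger": None, "action": "no-match"}


# Constructed from the configuration and grep output in the post.
SINKHOLE_FEED = ("cname", "sinkhole-feed.domain.com.")
SINKHOLE_LOCAL = ("cname", "sinkhole-local.domain.com.")

RESPONSE_POLICY = [
    ("rpz.local.whitelist", "passthru", {}),
    ("rpz.local.blacklist", SINKHOLE_LOCAL, {}),
    ("rpz.whitelist", "passthru", {"*.live.com": ("cname", "rpz.passthru.")}),
    ("rpz.blacklist", SINKHOLE_FEED, {
        "onedrive.live.com": ("local", "A 127.66.66.66"),
        "*.live.com": ("local", "A 127.66.66.66"),
    }),
]


def with_fqdn_in_local_whitelist(policy_zones):
    """The poster's workaround: the exact FQDN added to rpz.local.whitelist."""
    zones = [(z, p, dict(r)) for z, p, r in policy_zones]
    zones[0][2]["onedrive.live.com"] = ("cname", "rpz-passthru.")
    return zones


if __name__ == "__main__":
    for name in ("onedrive.live.com", "a.b.live.com", "live.com", "mail.example.net"):
        print(name, rpz_decision(name, RESPONSE_POLICY))
    print("workaround", rpz_decision("onedrive.live.com",
                                     with_fqdn_in_local_whitelist(RESPONSE_POLICY)))
```

Running the model with the zones in the post's order gives `passthru` from `rpz.whitelist` for `onedrive.live.com`, which is the answer the poster expected rather than the sinkhole CNAME that 9.11.21 returned; swapping the two feed zones so the blacklist comes first flips the decision to the sinkhole, which is the behaviour to watch for when auditing an RPZ list. `live.com` itself falls through to `no-match` because `*.live.com` does not cover the apex, so a whitelist built only from wildcards needs a separate exact entry for the bare domain.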

Michał Kępień

Jul 29, 2020, 3:46:19 AM7/29/20
to My Ocella, bind-...@lists.isc.org
> RPZ wildcard domain whitelist (passthru) doesn't seem to work as it should
> be.
>
> I have noticed that the last workable version is BIND 9.11.6-P1. I have
> tested the same configurations with versions 9.11.8, 9.11.19 and 9.11.21,
> and all produce the same issue.
>
> Has anyone experienced a similar issue here? or have I
> mis-configured something?

Looks like a match for GL #1619:

https://gitlab.isc.org/isc-projects/bind9/-/issues/1619

This will be fixed in BIND 9.11.22, which is due in a few weeks.

If you urgently need a patch against BIND 9.11.21, try this one:

https://gitlab.isc.org/isc-projects/bind9/-/commit/33ae88f08dabea846aee3be3af8a515fd9774ee1.diff

Sorry about the trouble!

--
Best regards,
Michał Kępień