rpz entry for non existed domain goes unanswered

koloth · 03-24-2022, 03:38 AM

Hello,
I have A recursive DNS server running bind on Centos 8.5.
I've implemented a firewall based on RPZ, however i have ran into a weird issue.
The RPZ works fine and redirects the reply if the domain exists, however for non-existing domain the rpz does not reply.
Dig can show the difference:

Code:

$ dig WORKING_DOMAIN

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> rarbg.to
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39661
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;WORKING_DOMAIN.                      IN      A

;; ANSWER SECTION:
WORKING_DOMAIN.               5       IN      A       REDIRECT_IP

;; AUTHORITY SECTION:
MY_rpz.              10800   IN      NS      MY_RPZ.

;; ADDITIONAL SECTION:
MY_RPZ.              10800   IN      A       127.0.0.1
MY_RPZ.              10800   IN      AAAA    ::1

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 24 10:35:52 EET 2022
;; MSG SIZE  rcvd: 120

$ dig NOT_WORKING_DOMAIN 

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> iptv-premier.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51466
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;NOT_WORKING_DOMAIN.              IN      A

;; Query time: 26 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 24 10:36:05 EET 2022
;; MSG SIZE  rcvd: 45

Is it indeed an issue with the not working domain name being non-existent?

thanks in advance

bathory · 03-25-2022, 05:19 AM

Quote:

$ dig NOT_WORKING_DOMAIN

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> iptv-premier.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51466
<-snip->
Is it indeed an issue with the not working domain name being non-existent?

You don't get a NXDOMAIN but a SERVFAIL response.
Apparently you have some error(s) in your config file(s) since you get a SERVFAIL response.
Use the named-checkconf, named-checkzone utilities to check your setup. Also take a look at the relevant dns logs.

Regards