I am testing out the BIND Response Policy Zone feature on our lab DNS server. We run a RHEL 6 server with BIND 9.8.2. I have followed the instructions here but I can't get it to work. Here is what I know:
1) The DNS server DOES respond to queries for hosts found in other zones
2) My RPZ zone loads successfully, as can be seen here:
Jan 28 12:00:13 labdns named[26564]: zone rpz/IN: loaded serial 2015012816
But here is what I see in /var/log/messages when I query for a domain found in the RPZ zone:
Jan 28 11:52:54 labdns named[26060]: client 192.168.254.202#38524: query (cache) 'x99moyu.net/A/IN' denied
I have seen this behavior before but only when you have recursion off and you query for a host that is not found in a zone file. Here is my RPZ zone db file:
$TTL 86400
@               IN SOA localhost. root.localhost. (
                    2015012816 ; serial
                    3600       ; refresh
                    1800       ; retry
                    604800     ; expire
                    86400      ; minimum
                )
@               IN NS   lab.testdns.net.
; Response Policy for x99moyu.net
x99moyu.net     IN A    127.0.0.1
                IN AAAA ::1
; Response Policy for ix99moyu.net
ix99moyu.net    IN A    127.0.0.1
                IN AAAA ::1
; Response Policy for duobao369.com
duobao369.com   IN A    127.0.0.1
                IN AAAA ::1
I have tried putting dots both before and after the domain names, but that did not help, and the instructions say not to use dots anyway.
Here is my /etc/named.conf file:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
    listen-on port 53 { 192.168.155.128; }; # Master DNS server's IP
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named.stats";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; 192.168.155.0/24; 192.168.254.0/23; 192.168.160.0/24; }; # IP ranges of hosts
    allow-transfer { localhost; 192.168.254.202; }; # Slave DNS server
    recursion no;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    zone-statistics yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    response-policy { zone "rpz"; };
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
    channel rpz-queries {
        file "/var/log/bind/rpz.log" versions 10 size 50m;
        severity info;
    };
    category rpz {
        rpz-queries;
    };
};
zone "rpz" IN {
    type master;
    file "/var/named/db.rpz";
    notify yes;
    allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
I am not sure how to move forward or how to debug this further. Any help is appreciated.
EDIT – Here is the output from a dig command. This is where I see the "refused" message
dig @192.168.155.128 x99moyu.net
; <<>> DiG 9.10.3-P2-RedHat-9.10.3-7.P2.fc22 <<>> @192.168.155.128 x99moyu.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 51880
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;x99moyu.net. IN A
;; Query time: 1 msec
;; SERVER: 192.168.155.128#53(192.168.155.128)
;; WHEN: Thu Jan 28 12:30:08 CST 2016
;; MSG SIZE rcvd: 40
Best Answer
From what I can tell the issue doesn't seem to actually involve RPZ, but rather just comes down to the fact that you have a setup that relies on recursion (i.e., it appears that you expect to process queries for names that are not in any of your own zones?) but you have recursion turned off in your configuration.
Now, technically, the lookup of the specific name in the query would have been overridden by means of your RPZ configuration, but the query gets refused before that as recursion is off and the queried name is not part of one of your zones.
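An added check for the situation the answer describes (this is not code from the question or the answer): it lints an options block for a response-policy that can never be reached because recursion is off, shows the same excerpt with recursion enabled for the lab ranges only (an assumed fix), and decodes the "query (cache) ... denied" syslog line, which is logged by the ACL check that runs before any RPZ lookup. The config and log line are constructed excerpts modelled on the ones in the question.

```python
import re

# Constructed excerpt modelled on the named.conf in the question (not the poster's file verbatim).
CONF_AS_POSTED = """
options {
    recursion no;   // cache queries are refused here, so response-policy is never reached
    allow-query { localhost; 192.168.155.0/24; };
    response-policy { zone "rpz"; };
};
zone "rpz" IN { type master; file "/var/named/db.rpz"; };
"""

# Same excerpt with recursion enabled for the lab ranges only (assumed fix, not quoted from the answer).
CONF_FIXED = CONF_AS_POSTED.replace(
    "recursion no;", "recursion yes;\n    allow-recursion { localhost; 192.168.155.0/24; 192.168.254.0/23; };")

# Constructed syslog line in the shape named writes when it refuses a cache (recursive) query.
LOG_LINE = ("Jan 28 11:52:54 labdns named[26060]: client 192.168.254.202#38524: "
            "query (cache) 'x99moyu.net/A/IN' denied")

def strip_comments(text):
    """Remove /* */, // and # comments so the regexes only see directives."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def rpz_findings(conf):
    """List the reasons RPZ would not rewrite answers for this options block (empty = looks fine)."""
    m = re.search(r"\boptions\s*\{(.*?)\n\};", strip_comments(conf), re.S)
    opts = m.group(1) if m else ""
    findings = []
    if not re.search(r"\bresponse-policy\s*\{", opts):
        findings.append("no response-policy statement in options")
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", opts)
    recursion_on = rec.group(1) == "yes" if rec else True   # BIND's default is recursion yes
    if not recursion_on:
        findings.append("recursion is off: queries for names outside your own zones are "
                        "REFUSED before response-policy is consulted")
    elif not re.search(r"\ballow-recursion\s*\{", opts):
        findings.append("recursion on without allow-recursion: every allow-query client can recurse")
    return findings

LOG_RE = re.compile(r"client (?P<client>[\d.:a-f]+)#\d+: query \((?P<stage>\w+)\) "
                    r"'(?P<name>[^/]+)/(?P<qtype>\w+)/IN' denied")

def classify_denied_query(line):
    """Explain a 'query (...) denied' log line; returns None for unrelated lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    info = m.groupdict()
    info["rpz_consulted"] = False   # the ACL check that logs this runs before any lookup
    info["reason"] = ("client may not use the cache: recursion off, or allow-recursion/allow-query-cache"
                      if info["stage"] == "cache" else "client not permitted by allow-query")
    return info
```

Run it against the real /etc/named.conf by reading the file into rpz_findings(); the dig REFUSED status in the question corresponds to the "(cache)" denial line, not to an RPZ action.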