• RPZ wildcard domain passthru not effective in BIND 9.11.21

    From My Ocella@myocella@gmail.com to bind-users on Tue Jul 28 21:57:26 2020
    From Newsgroup: comp.protocols.dns.bind


    Hi all,

    BIND version: 9.11.21
    OS: RHEL 7
    Compile options: ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc --with-openssl --enable-largefile --disable-ipv6 --enable-threads --enable-filter-aaaa

    I have configured 4 RPZ zones (2 are from upstream feeds, and the other 2
    are local overrides, blacklist/whitelist).
    The response-policy and RPZ zone configurations are as follows:

    response-policy {
        zone "rpz.local.whitelist" policy passthru;
        zone "rpz.local.blacklist" policy cname sinkhole-local.domain.com;
        zone "rpz.whitelist" policy passthru;
        zone "rpz.blacklist" policy cname sinkhole-feed.domain.com;
    };
    zone "rpz.local.whitelist" {
        type master;
        file "zones/master/rpz.local.whitelist.db";
        allow-query { localhost; };
    };
    zone "rpz.local.blacklist" {
        type master;
        file "zones/master/rpz.local.blacklist.db";
        allow-query { localhost; };
    };
    zone "rpz.whitelist" {
        type master;
        file "zones/master/rpz.whitelist.db";
        allow-query { localhost; };
    };
    zone "rpz.blacklist" {
        type master;
        file "zones/master/rpz.blacklist.db";
        allow-query { localhost; };
    };

    Contents of zones that are relevant to the issue
    # grep "*\.live\.com" rpz.*
    rpz.blacklist.db:onedrive.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
    rpz.blacklist.db:*.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
    rpz.whitelist.db:*.live.com.rpz.whitelist. 3600 IN CNAME rpz.passthru.

    # dig @dnsserver onedrive.live.com
    ;; QUESTION SECTION:
    ;onedrive.live.com. IN A

    ;; ANSWER SECTION:
    onedrive.live.com. 5 IN CNAME sinkhole-feed.domain.com.
    sinkhole-feed.domain.com. 900 IN A 127.66.66.66

    I would expect the rpz.whitelist would allow *.live.com (passthru).

    However, if I add the FQDN, not the wildcard domain, in the rpz.local.whitelist zone to override the external feeds, the FQDN resolution works:

    # grep "*\.live\.com" rpz.*
    rpz.blacklist.db:onedrive.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
    rpz.blacklist.db:*.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
    rpz.local.whitelist.int.db:onedrive.live.com.rpz.local.whitelist. IN CNAME rpz-passthru.
    rpz.whitelist.db:*.live.com.rpz.whitelist. 3600 IN CNAME rpz.passthru.

    # dig @dnsserver onedrive.live.com
    ;; QUESTION SECTION:
    ;onedrive.live.com. IN A

    ;; ANSWER SECTION:
    onedrive.live.com. 60 IN CNAME odc-web-geo.onedrive.akadns.net.
    odc-web-geo.onedrive.akadns.net. 36 IN CNAME odc-web-brs.onedrive.akadns.net.
    odc-web-brs.onedrive.akadns.net. 36 IN CNAME odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net.
    odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net. 240 IN CNAME l-0004.l-msedge.net.
    l-0004.l-msedge.net. 240 IN A 13.107.42.13

    The RPZ wildcard domain whitelist (passthru) doesn't seem to work as it
    should.

    I have noticed that the last workable version is BIND 9.11.6-P1. I have
    tested the same configurations with versions 9.11.8, 9.11.19 and 9.11.21,
    and all produce the same issue.

    Has anyone experienced a similar issue here? Or have I
    misconfigured something?

    Thanks
    myOcella


    --- Synchronet 3.18a-Linux NewsLink 1.113
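The precedence the poster is relying on (zones consulted in response-policy order, first zone with a matching QNAME trigger wins, exact owner before wildcard, zone-level `policy` overriding whatever the record says) can be modelled to predict what the server should have answered and compare it with the dig output. The script below is an added example for this thread; it is not code from the poster, from ISC or from BIND. Zone names, records and the dig answers are copied from the post; the function names (`rpz_lookup`, `observed_action`, `config_from_post`) and the sinkhole name set are this example's own. It models QNAME triggers only (no IP, NSDNAME, NSIP or client-IP triggers) and applies plain wildcard matching without the empty-non-terminal subtlety of real DNS wildcards.

```python
"""Model of BIND RPZ QNAME-trigger precedence for the configuration above.

Added illustration only. It reproduces the lookup order a resolver is
supposed to apply so the expected action can be compared with what the
server actually returned in the thread.
"""

# Special CNAME targets defined by the RPZ specification.
SPECIAL_TARGETS = {
    ".": "nxdomain",
    "*.": "nodata",
    "rpz-passthru.": "passthru",
    "rpz-drop.": "drop",
    "rpz-tcp-only.": "tcp-only",
}

# Sinkhole names from the poster's response-policy statement (assumption:
# any CNAME to one of these in an answer means the "cname" policy fired).
SINKHOLES = {"sinkhole-local.domain.com.", "sinkhole-feed.domain.com."}


def record_action(rdtype, rdata):
    """Map one RPZ record's rdata to the action the spec assigns to it."""
    if rdtype == "CNAME" and rdata in SPECIAL_TARGETS:
        return SPECIAL_TARGETS[rdata]
    # Any other CNAME/A/AAAA/... record is "Local Data": answer with it.
    return "local-data"


def candidate_owners(qname):
    """Owners to try inside one RPZ zone, most specific first:
    the exact name, then *.<ancestor> for every ancestor."""
    labels = qname.rstrip(".").split(".")
    yield ".".join(labels)
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:])


def rpz_lookup(qname, policy_zones):
    """Return (zone, trigger, action) for the first zone, in response-policy
    order, holding a QNAME trigger that matches qname; None if nothing matches.

    policy_zones: list of dicts with keys
      name    - zone name from the response-policy statement
      policy  - optional zone-wide override ("passthru", "cname", ...)
      records - {owner relative to the zone apex: (rdtype, rdata)}
    """
    for zone in policy_zones:
        for owner in candidate_owners(qname):
            if owner in zone["records"]:
                rdtype, rdata = zone["records"][owner]
                # A zone-level policy clause overrides the record's own action.
                action = zone.get("policy") or record_action(rdtype, rdata)
                return zone["name"], owner, action
    return None


def config_from_post(local_whitelist_fqdn=False):
    """The four zones exactly as ordered in the post. With
    local_whitelist_fqdn=True the poster's FQDN workaround record is present."""
    local_wl = {}
    if local_whitelist_fqdn:
        local_wl["onedrive.live.com"] = ("CNAME", "rpz-passthru.")
    return [
        {"name": "rpz.local.whitelist", "policy": "passthru", "records": local_wl},
        {"name": "rpz.local.blacklist", "policy": "cname", "records": {}},
        # "rpz.passthru." (as written in the post) is not a special target,
        # but the zone-level "policy passthru" makes the target irrelevant.
        {"name": "rpz.whitelist", "policy": "passthru",
         "records": {"*.live.com": ("CNAME", "rpz.passthru.")}},
        {"name": "rpz.blacklist", "policy": "cname",
         "records": {"onedrive.live.com": ("A", "127.66.66.66"),
                     "*.live.com": ("A", "127.66.66.66")}},
    ]


def observed_action(answer_lines, sinkholes=SINKHOLES):
    """Infer the action the server actually applied from dig's ANSWER section:
    a CNAME pointing at a configured sinkhole means the cname policy fired."""
    for line in answer_lines:
        fields = line.split()
        if len(fields) >= 5 and fields[3] == "CNAME" and fields[4] in sinkholes:
            return "cname"
    return "passthru"


if __name__ == "__main__":
    # Constructed from the first dig output in the post (no FQDN override).
    answer = ["onedrive.live.com. 5 IN CNAME sinkhole-feed.domain.com.",
              "sinkhole-feed.domain.com. 900 IN A 127.66.66.66"]
    expected = rpz_lookup("onedrive.live.com", config_from_post())
    observed = observed_action(answer)
    print("expected:", expected)
    print("observed:", observed)
    if expected and expected[2] != observed:
        print("MISMATCH: wildcard passthru in rpz.whitelist was not honoured")
```

Run it as-is to see the mismatch the poster reported; flip `config_from_post(True)` to see why the FQDN record in rpz.local.whitelist works regardless of the bug (it matches in the first zone, before the wildcard is ever consulted).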
  • From Michał Kępień@michal@isc.org to My Ocella on Wed Jul 29 09:46:10 2020
    From Newsgroup: comp.protocols.dns.bind

    > RPZ wildcard domain whitelist (passthru) doesn't seem to work as it should be.
    >
    > I have noticed that the last workable version is BIND 9.11.6-P1. I have tested the same configurations with versions 9.11.8, 9.11.19 and 9.11.21,
    > and all produce the same issue.
    >
    > Has anyone experienced a similar issue here? or have I
    > mis-configured something?

    Looks like a match for GL #1619:
    https://gitlab.isc.org/isc-projects/bind9/-/issues/1619
    This will be fixed in BIND 9.11.22, which is due in a few weeks.
    If you urgently need a patch against BIND 9.11.21, try this one:
    https://gitlab.isc.org/isc-projects/bind9/-/commit/33ae88f08dabea846aee3be3af8a515fd9774ee1.diff
    Sorry about the trouble!
    --
    Best regards,
    Michał Kępień