lost and found ( for me ? )

BIND 9.8 beta : Response Policy Zone ( RPZ )

What is RPZ? See the ISC technical note linked below:
ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt

RPZ is available from BIND 9.8.x. I tested it on BIND 9.8.0b1, which is available from www.isc.org;
BIND 9.7.3rc1 does not appear to include the RPZ feature.

I compiled BIND 9.8.0b1 on Ubuntu 10.04 with the following options (9.8.0b1 is a beta build: fine for a lab box, not for a production resolver):
# Shell-history excerpt; the leading numbers are history indices, not part of the command.
# 9.8.0b1 is a beta: fine for this lab box, not something to run on a production resolver.
1603  ./configure --sysconfdir=/etc/bind
1604  make
# Installs under /usr/local (named is started from /usr/local/sbin below) and needs root.
1605  make install


[ Quick test ]

# /usr/local/sbin/named -v
BIND 9.8.0b1


edit named.conf.
options {
       #add for RPZ
       # Apply the records of zone "rpz.zone" (defined below) to the responses
       # this resolver hands out. The action is the one each record encodes
       # (CNAME target, CNAME *., CNAME ., or plain data) unless overridden
       # with the "policy" keyword, as shown at the end of this page.
       response-policy { zone "rpz.zone"; };
};

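# define RPZ
# The policy zone itself. It is an ordinary master zone; only the
# response-policy statement in options{} turns it into a policy source.
zone "rpz.zone" {
       type master;
       file "db.rpz.zone";
       # The zone is effectively your blocklist: do not let arbitrary clients
       # read it directly. RPZ lookups are made against the zone database, so
       # this ACL should not affect rewriting; the dig tests on this page all
       # come from 127.0.0.1 and pass either way -- re-run them after changing it.
       allow-query { localhost; };
       # BIND's default allow-transfer is "any"; this is a single-server test,
       # so refuse AXFR of the policy zone outright.
       allow-transfer { none; };
       allow-update { none; };
};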


Create the RPZ zone file. (The dig outputs below report SOA serial 2011012502 rather than the "01" pasted here, so the file was presumably edited and reloaded after this paste; remember to bump the serial on every change.)
# cat /var/cache/bind/db.rpz.zone
;RPZ
; Response Policy Zone used throughout the tests on this page.
; NOTE(review): the dig outputs below report SOA serial 2011012502, not the
; "01" pasted here, so the file was presumably edited and reloaded after this
; paste. Bump the serial on every change or a reload may be ignored.
$TTL 10     ; TTL carried by every rewritten answer (dig shows 10 below)
@       IN SOA rpz.zone. rpz.zone. (
       01;      serial
       3600;    refresh
       300;     retry
       86400;   expire
       60 )   ; minimum / negative-cache TTL
       IN      NS      localhost.

; bad1: rewrite to a CNAME pointing at a walled-garden host. The client then
; resolves the target, so it must exist for a real walled garden; on this page
; walled-garden.localhost does not exist, hence the NXDOMAIN status below.
bad1.domain     IN      CNAME   walled-garden.localhost.
*.bad1.domain   IN      CNAME   walled-garden.localhost.

; bad2: CNAME *. means "NODATA" -- NOERROR with an empty answer section.
bad2.domain     IN      CNAME *.
*.bad2.domain   IN      CNAME *.

; bad3: CNAME . means "NXDOMAIN".
bad3.domain     IN      CNAME .
*.bad3.domain   IN      CNAME .

; bad4: wildcard only, so the bare name bad4.domain is not matched.
; Only MX and A are rewritten; other types under *.bad4.domain get NODATA.
*.bad4.domain   IN      MX      0 mail.hello.com.
*.bad4.domain   IN      A       192.168.0.10

; bad5: matched but left untouched once "policy NO-OP" is set (see below).
www.bad5.domain IN      A       192.168.0.10


Start BIND. (This lab runs named as root with no `-u`/`-t` option; on anything other than a throwaway test box, drop privileges with `-u <user>` and consider a chroot.)
root@ubuntu-7:~# /usr/local/sbin/named

root@ubuntu-7:~# rndc status
version: 9.8.0b1
number of zones: 21
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running


- For qname bad1.domain, every query type matches “bad1.domain     IN      CNAME   walled-garden.localhost.”
 
BIND returns the CNAME walled-garden.localhost in the answer section; the status is NXDOMAIN because the CNAME target does not exist (the authority section carries the SOA of the localhost zone). For a real walled garden, the CNAME target must resolve to the walled-garden host.

query type : A
root@ubuntu-7:~# dig @127.1 bad1.domain a

; <<>> DiG 9.8.0b1 <<>> @127.1 bad1.domain a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45819
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bad1.domain.                   IN      A

;; ANSWER SECTION:
bad1.domain.            10      IN      CNAME   walled-garden.localhost.

;; AUTHORITY SECTION:
localhost.              0       IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800


query type : MX
root@ubuntu-7:~# dig @127.1 bad1.domain mx

; <<>> DiG 9.8.0b1 <<>> @127.1 bad1.domain mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13597
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bad1.domain.                   IN      MX

;; ANSWER SECTION:
bad1.domain.            10      IN      CNAME   walled-garden.localhost.

;; AUTHORITY SECTION:
localhost.              0       IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800


query type : SOA
root@ubuntu-7:~# dig @127.1 bad1.domain soa

; <<>> DiG 9.8.0b1 <<>> @127.1 bad1.domain soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34548
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bad1.domain.                   IN      SOA

;; ANSWER SECTION:
bad1.domain.            10      IN      CNAME   walled-garden.localhost.

;; AUTHORITY SECTION:
localhost.              0       IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800



- Subdomains of bad1.domain match “*.bad1.domain   IN      CNAME   walled-garden.localhost.”

root@ubuntu-7:~# dig @127.1 abc.bad1.domain a

; <<>> DiG 9.8.0b1 <<>> @127.1 abc.bad1.domain a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19603
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;abc.bad1.domain.               IN      A

;; ANSWER SECTION:
abc.bad1.domain.        10      IN      CNAME   walled-garden.localhost.

;; AUTHORITY SECTION:
localhost.              604800  IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800


- CNAME *. returns NOERROR with an empty answer section (a NODATA response): the name exists, but has no records of the requested type.

bad2.domain     IN      CNAME *.
root@ubuntu-7:~# dig @127.1 bad2.domain mx

; <<>> DiG 9.8.0b1 <<>> @127.1 bad2.domain mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40737
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bad2.domain.                   IN      MX

;; AUTHORITY SECTION:
rpz.zone.               10      IN      SOA     rpz.zone. rpz.zone. 2011012502 3600 300 86400 60


*.bad2.domain   IN      CNAME *.
root@ubuntu-7:~# dig @127.1 abc.bad2.domain any

; <<>> DiG 9.8.0b1 <<>> @127.1 abc.bad2.domain any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57563
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;abc.bad2.domain.               IN      ANY

;; AUTHORITY SECTION:
rpz.zone.               10      IN      SOA     rpz.zone. rpz.zone. 2011012502 3600 300 86400 60


- CNAME . returns NXDOMAIN (the name does not exist), with the RPZ's own SOA in the authority section.

bad3.domain     IN      CNAME .
root@ubuntu-7:~# dig @127.1 bad3.domain aaaa

; <<>> DiG 9.8.0b1 <<>> @127.1 bad3.domain aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29273
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bad3.domain.                   IN      AAAA

;; AUTHORITY SECTION:
rpz.zone.               10      IN      SOA     rpz.zone. rpz.zone. 2011012502 3600 300 86400 60


*.bad3.domain   IN      CNAME .
root@ubuntu-7:~# dig @127.1 zzz.bad3.domain mx

; <<>> DiG 9.8.0b1 <<>> @127.1 zzz.bad3.domain mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5448
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;zzz.bad3.domain.               IN      MX

;; AUTHORITY SECTION:
rpz.zone.               10      IN      SOA     rpz.zone. rpz.zone. 2011012502 3600 300 86400 60


- In the following case only subdomains of bad4.domain are affected, because only the wildcard is defined.
 An RPZ can also carry specific query names and record types; the rewrite then applies only to the matching type.

*.bad4.domain   IN      MX      0 mail.hello.com.
*.bad4.domain   IN      A       192.168.0.10

bad4.domain itself is not affected: the NXDOMAIN below is the real resolution result (the authority section holds the root zone's SOA), not an RPZ rewrite.
root@ubuntu-7:~# dig @127.1 bad4.domain a

; <<>> DiG 9.8.0b1 <<>> @127.1 bad4.domain a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21053
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bad4.domain.                   IN      A

;; AUTHORITY SECTION:
.                       10729   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2011012401 1800 900 604800 86400


query type MX matches *.bad4.domain   IN      MX      0 mail.hello.com.
root@ubuntu-7:~# dig @127.1 bbb.bad4.domain mx

; <<>> DiG 9.8.0b1 <<>> @127.1 bbb.bad4.domain mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16689
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;bbb.bad4.domain.               IN      MX

;; ANSWER SECTION:
bbb.bad4.domain.        10      IN      MX      0 mail.hello.com.

;; AUTHORITY SECTION:
rpz.zone.               10      IN      NS      localhost.

;; ADDITIONAL SECTION:
localhost.              604800  IN      A       127.0.0.1
localhost.              604800  IN      AAAA    ::1


query type A matches *.bad4.domain   IN      A       192.168.0.10
root@ubuntu-7:~# dig @127.1 bbb.bad4.domain a

; <<>> DiG 9.8.0b1 <<>> @127.1 bbb.bad4.domain a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8534
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;bbb.bad4.domain.               IN      A

;; ANSWER SECTION:
bbb.bad4.domain.        10      IN      A       192.168.0.10

;; AUTHORITY SECTION:
rpz.zone.               10      IN      NS      localhost.

;; ADDITIONAL SECTION:
localhost.              604800  IN      A       127.0.0.1
localhost.              604800  IN      AAAA    ::1


For query types other than A and MX there are no matching RRs in the RPZ for *.bad4.domain.
In that case BIND returns NOERROR with an empty answer section and the RPZ SOA in the authority section (NODATA); the query is answered from the RPZ rather than passed through to the real resolution.

root@ubuntu-7:~# dig @127.1 bbb.bad4.domain ns

; <<>> DiG 9.8.0b1 <<>> @127.1 bbb.bad4.domain ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25888
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bbb.bad4.domain.               IN      NS

;; AUTHORITY SECTION:
rpz.zone.               10      IN      SOA     rpz.zone. rpz.zone. 2011012502 3600 300 86400 60


- You can override how BIND responds to a match with the `policy` keyword:
# "policy NO-OP" keeps matching the zone but leaves answers as resolved
# (later BIND releases call this action "passthru"). Handy for auditing a
# new policy zone before turning enforcement on.
#       response-policy { zone "rpz.zone"; };
       response-policy { zone "rpz.zone" policy NO-OP; };


With policy NO-OP, BIND leaves the answer unchanged even when a query matches the RPZ.
The query for “www.bad5.domain” matches the “www.bad5.domain IN      A       192.168.0.10” RR,
but the answer is not rewritten because of “policy NO-OP”: the NXDOMAIN below is the real answer (the authority section shows the root SOA). NO-OP is a good way to test a new policy zone before enforcing it; to see which queries would have been rewritten, enable logging for named's rpz category (not shown on this page).

root@ubuntu-7:~# dig @127.1 www.bad5.domain

; <<>> DiG 9.8.0b1 <<>> @127.1 www.bad5.domain
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40398
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.bad5.domain.               IN      A

;; AUTHORITY SECTION:
.                       10782   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2011012501 1800 900 604800 86400


Thanks for dropping by :)