
I am testing out the BIND Response Policy Zone feature on our lab DNS server. We run a RHEL 6 server with BIND 9.8.2. I have followed the instructions here but I can't get it to work. Here is what I know:

1) The DNS server DOES respond to queries for hosts found in other zones

2) My RPZ zone loads successfully, as can be seen here:

Jan 28 12:00:13 labdns named[26564]: zone rpz/IN: loaded serial 2015012816

But here is what I see in /var/log/messages when I query for a domain found in the RPZ zone:

Jan 28 11:52:54 labdns named[26060]: client 192.168.254.202#38524: query (cache) 'x99moyu.net/A/IN' denied

I have seen this behavior before but only when you have recursion off and you query for a host that is not found in a zone file. Here is my RPZ zone db file:

$TTL 86400
; Zone data for the RPZ zone "rpz" (named.conf: zone "rpz" / response-policy).
; Trigger owner names below are written relative to the zone origin, without a
; trailing dot; an absolute name (trailing dot) would be a different trigger and
; would not match the queried domain.
@       IN SOA   localhost. root.localhost. (

                            2015012816      ; serial
                                    3600    ; refresh
                                    1800    ; retry
                                    604800  ; expire
                                    86400   ; minimum
)

@                               IN      NS        lab.testdns.net.

; Response Policy for x99moyu.net
; Local-data policy: A/AAAA answers for the trigger name are replaced with the
; loopback addresses given here. The AAAA lines with a blank owner field inherit
; the owner name of the preceding A record.
x99moyu.net                 IN      A       127.0.0.1
                            IN      AAAA    ::1
; Response Policy for ix99moyu.net
ix99moyu.net                IN      A       127.0.0.1
                            IN      AAAA    ::1
; Response Policy for duobao369.com
duobao369.com               IN      A       127.0.0.1
                            IN      AAAA    ::1

I have tried putting dots both in front and behind the domain names but that did not help and the instructions say not to use dots anyway.

Here is my /etc/named.conf file:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    listen-on port 53 { 192.168.155.128; }; # master DNS server's IP
    listen-on-v6 port 53 { ::1; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named.stats";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    // 192.168.254.0/23 covers the client 192.168.254.202 seen in the
    // "query (cache) ... denied" log line, so that denial is not an
    // allow-query match failure.
    allow-query     { localhost; 192.168.155.0/24; 192.168.254.0/23;    192.168.160.0/24; }; # IP range of hosts
    allow-transfer  { localhost; 192.168.254.202; }; # slave DNS server
    // With recursion off, a query for a name that is not in one of the
    // authoritative zones is REFUSED before the response policy is consulted
    // (the RPZ rewrite only applies to answers named resolves itself). If
    // recursion is enabled to make RPZ take effect, restrict it with
    // allow-recursion to the internal ranges listed in allow-query rather
    // than leaving the server as an open resolver.
    recursion no;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    zone-statistics yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    // NOTE(review): with dnssec-validation enabled, RPZ normally does not
    // rewrite DNSSEC-validated answers; check this BIND version's ARM for the
    // response-policy option that controls this before relying on overrides
    // of signed domains.
    response-policy { zone "rpz"; };
};

logging {
    channel default_debug {
            file "data/named.run";
            severity dynamic;
    };
    // RPZ hits are logged here; the directory must exist and be writable by
    // the named user (on RHEL, with a suitable SELinux context) or the channel
    // cannot open its file.
    channel rpz-queries {
    file "/var/log/bind/rpz.log" versions 10 size 50m;
    severity info;
};
    category rpz {
    rpz-queries;
    };
};

// The policy zone itself: a plain master zone loaded from db.rpz and selected
// by the response-policy statement above.
zone"rpz" IN {
type master;
file "/var/named/db.rpz";
notify yes;
allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

I am not sure how to move forward or how to debug this further. Any help is appreciated.

EDIT - Here is the output from a dig command. This is where I see the "refused" message.

dig @192.168.155.128 x99moyu.net

; <<>> DiG 9.10.3-P2-RedHat-9.10.3-7.P2.fc22 <<>> @192.168.155.128   x99moyu.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 51880
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;x99moyu.net.           IN  A

;; Query time: 1 msec
;; SERVER: 192.168.155.128#53(192.168.155.128)
;; WHEN: Thu Jan 28 12:30:08 CST 2016
;; MSG SIZE  rcvd: 40
user53029


From what I can tell, the issue doesn't actually involve RPZ; it comes down to having a setup that relies on recursion (i.e., it appears that you expect to process queries for names that are not in any of your own zones) while recursion is turned off in your configuration.

recursion no;

Now, technically, the lookup of the specific name in the query would have been overridden by your RPZ configuration, but the query is refused before that point because recursion is off and the queried name is not part of any of your zones.

Håkan Lindqvist