
List:       bind-users
Subject:    Re: Resolving and caching illegal names
From:       John Thurston <john.thurston () alaska ! gov>
Date:       2023-01-25 19:00:36
Message-ID: 65370ebb-b7df-d21e-dc93-9a4044ef8a78 () alaska ! gov



I hadn't had enough coffee when I wrote that. I was doing in-addr.arpa 
translation in my head and confusing what was the TLD of the query being 
submitted. If a customer is stupid enough to ask for an A-record for 
10.1.2.3, then the TLD of that name is "3", not "10" . . duh.

So to make the RPZ work, I needed to stuff the zone file with 256 new 
entries. I did this by dusting off my knowledge of the GENERATE 
directive (which involved RTFM):

    $GENERATE 0-255 *.$     CNAME   .

I also needed to populate the "validate-except" option with 256 new 
entries. I could find no elegant way to generate, abstract, or 'include' 
this, so just needed to put the long string of characters inline:

    0; 1; 2; 3; 4; 5; 6; 7; 8; 9; 10; 11; 12; . . .

and it now behaves as desired, returning an unvalidated NXDOMAIN for 
queries for IP addresses.

--
Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston@alaska.gov
Department of Administration
State of Alaska

On 1/25/2023 8:36 AM, John Thurston wrote:
>
> Off-list, it was suggested to me that I _could_ handle this in my RPZ, 
> by enumerating all 255 illegal TLDs (e.g. *.10  CNAME . )
>
> I tried this, and it works as expected when dnssec validation is 
> disabled (either globally, or with "validate-except"). My idea right 
> now is I can enumerate TLD of the numerics I see in my logs, and 
> ignore the rest. I think this will get me what I want, at a level of 
> complexity I can accept.
>
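An added example, not part of the message above: a small Python generator that produces the two pieces of configuration John describes from one loop, the RPZ zone equivalent to `$GENERATE 0-255 *.$ CNAME .` and the 256-entry `validate-except` clause he ended up typing inline, plus a check of which query names the `*.<octet>` wildcards would actually catch. The zone origin `rpz.example`, the file path and the sample query names are assumptions for illustration, not values from the post.

```python
"""Added example (not from the bind-users message): build the RPZ zone and the
validate-except clause for "numeric TLD" queries from a single 0..255 loop.

Assumptions (not from the post): zone origin "rpz.example", the zone file
path, and the sample query names at the bottom.
"""

RPZ_ORIGIN = "rpz.example"  # assumed zone name
NUMERIC_TLDS = frozenset(str(i) for i in range(256))  # exact spellings 0..255


def tld(qname: str) -> str:
    """Rightmost label of a name, ignoring a trailing dot.

    The point made in the post: for an A query for 10.1.2.3 the TLD is "3",
    not "10".
    """
    return qname.rstrip(".").rsplit(".", 1)[-1]


def rpz_matches(qname: str) -> bool:
    """Would one of the `*.<octet>` RPZ wildcards trigger for this QNAME?

    Normal DNS wildcard semantics apply: `*.3` matches `10.1.2.3` and `a.b.3`,
    but not the bare single-label name `3`, and only the canonical spellings
    0..255 are generated, so `a.b.010` or `1.2.3.256` are not caught.
    """
    labels = qname.rstrip(".").split(".")
    return len(labels) >= 2 and labels[-1] in NUMERIC_TLDS


def rpz_zone(origin: str = RPZ_ORIGIN) -> str:
    """Zone file text with the 256 wildcard records written out explicitly.

    Writing them out instead of using $GENERATE keeps the file readable by
    tools that do not understand BIND's $GENERATE directive.  A CNAME to the
    root "." is the RPZ encoding for "answer NXDOMAIN".
    """
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@  IN SOA localhost. hostmaster.{origin}. 1 3600 900 604800 300",
        "@  IN NS  localhost.",
    ]
    lines += [f"*.{i:<4} CNAME ." for i in range(256)]
    return "\n".join(lines) + "\n"


def validate_except_block() -> str:
    """named.conf clause listing every numeric TLD, so DNSSEC validation is
    skipped under them and the RPZ rewrite can take effect."""
    return "validate-except { " + " ".join(f"{i};" for i in range(256)) + " };"


def named_conf_fragment(origin: str = RPZ_ORIGIN) -> str:
    """Options and zone statements tying the two pieces together
    (file path is an assumption)."""
    return "\n".join([
        "options {",
        "    dnssec-validation auto;",
        "    " + validate_except_block(),
        f'    response-policy {{ zone "{origin}"; }};',
        "};",
        "",
        f'zone "{origin}" {{',
        "    type primary;",
        f'    file "/etc/bind/{origin}.db";',
        "};",
    ]) + "\n"


if __name__ == "__main__":
    # Constructed sample query names, for illustration only.
    for name in ("10.1.2.3", "www.example.com", "3", "1.2.3.256", "a.b.010"):
        print(f"{name:16} tld={tld(name):4} rpz_hit={rpz_matches(name)}")
    print(named_conf_fragment())
```

Running the script prints which of the sample names the wildcards would hit and the generated `options` block; `rpz_zone()` can be written to the file named in the `zone` statement and checked with `named-checkzone` before reloading. Note that `validate-except` in the generated block lists the bare labels `0` through `255`, which also covers a single-label query for `3`, whereas the `*.3` wildcard in the zone only rewrites names that have at least one more label to the left.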




