Join Log in
Score:0
Ror avatar Server

Bind9 Response Policy ignoring out-of-zone data

om flag
Ror

I'm trying to set up response policy on my existing Bind9 server because I'd like to override some of my company public domain to redirect them to our private network ips.

I've followed this tutorial : https://www.linuxbabe.com/ubuntu/set-up-response-policy-zone-rpz-in-bind-resolver-on-debian-ubuntu

However, I'm getting this error for the two domains I'm trying to override :

named[17104]: /etc/bind/zones/db.rpz:17: ignoring out-of-zone data (xxx.mydomain1.com)
named[17104]: /etc/bind/zones/db.rpz:19: ignoring out-of-zone data (yyy.mydomain2.com)
named[17104]: (re)loading policy zone 'rpz' changed from 0 to 2 qname, 0 to 0 nsdname, 0 to 0 IP, 0 to 0 NSIP, 0 to 0 CLIENTIP entries
named[17104]: zone rpz/IN: loaded serial 14

here's my configuration : named.conf.local :

zone "rpz" {
    type master;
    file "/etc/bind/zones/db.rpz";
    allow-transfer { IP_DNS2; };
};

named.conf.options :

options {
        ...OPTIONS...
        response-policy {
                zone "rpz";
        };
}

/etc/bind/zones/db.rpz :

;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost.rpz. root.rpz. (
                              14         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;

@       IN      NS      localhost.rpz.

localhost.rpz.  A       127.0.0.1

xxx.mydomain.com.    A       PRIVATE_IP

yyy.mydomain2.com.      A       PRIVATE_IP
136
0 + 0
rpz
Score:0
Ror avatar Server
om flag
Ror

I decided to start over and copy db.empty to db.rpz and add the two domains and now it seems to work.

0 + 0
Score:0
avatar Server
fr flag
Tomek

AFAIR LHS should NOT end in . in RPZ zone file.

0 + 0
bjoster avatar
cn flag
bjoster
This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post. - [From Review](/review/low-quality-posts/502495)
0
Reply
fr flag
Tomek
Yes, it does. The zone is `rpz` and the names DO NOT belong to it.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.