
Bind RPZ config with domains of various levels

0 votes
1 answer
580 views
I use RPZ to blacklist some domains and my configuration looks like:

> *.com A 127.0.0.1
> mydomain.net A 127.0.0.1

If I query any .com domain it works correctly, giving me 127.0.0.1. Let's `dig fun.com @localhost`; my reply will be:

> ;; ANSWER SECTION:
> fun.com. 5 IN A 127.0.0.1

Now let's edit the previous config and make my zone look like:

> *.com A 127.0.0.1
> mydomain.net A 127.0.0.1
> **this.fun.com 127.0.0.1**

It's unnecessary because the master *.com should cover all the cases; however, I have my domains loaded from multiple sources, so the list is compiled automatically and things like this can happen. While this seems to be a harmless change, and if I do `dig this.fun.com @localhost` it will again reply with stuff like:

> ;; ANSWER SECTION:
> this.fun.com. 5 IN A 127.0.0.1

If I now query the root domain, `dig fun.com @localhost`, I will get:

> ;; ANSWER SECTION:
> fun.com. 86400 IN A 209.61.131.188

**Like.. WHAAT? What happened here? Adding this.fun.com masked out the fun.com main domain from the upper omni-inclusive *.com?**

Is this a wanted behaviour of BIND? Did I find some kind of weird bug? How can I avoid this? Should I write a script that recurses over all the domains, removing the ones contained in the bigger ones? (Annoying but doable; in search of better alternatives.)

**TL;DR: Adding a 3rd-level domain in BIND RPZ in order to BLACKLIST IT makes the 2nd-level domain no longer follow the main FILTER, resulting in it being WHITELISTED.**
Asked by user3450548 (3094 rep)
Apr 4, 2016, 11:17 PM
Last activity: Mar 3, 2018, 08:09 PM
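The consolidation script the question considers, as an added example that is not part of the original post: it drops RPZ entries already shadowed by a broader wildcard with the same action, so that names like `this.fun.com` no longer create `fun.com` as an empty non-terminal in the zone (which, under standard DNS wildcard semantics, RFC 4592, is why `*.com` stops matching `fun.com`). The zone text is constructed from the entries in the question plus two extra lines; the parser assumes plain `owner [TTL] type rdata` lines.

```python
"""Consolidate a BIND RPZ blocklist: drop entries already covered by a
broader wildcard that carries the same type and rdata (same action)."""
from typing import List, Tuple

Entry = Tuple[str, str, str]  # (owner, rrtype, rdata)

# Constructed sample: the question's zone plus a shadowed wildcard and an
# entry with a different action, which must be kept.
SAMPLE_ZONE = """\
*.com          A  127.0.0.1
mydomain.net   A  127.0.0.1
this.fun.com   A  127.0.0.1   ; shadowed by *.com, and it unmasks fun.com
*.fun.com      A  127.0.0.1   ; also shadowed by *.com
other.com      A  10.0.0.1    ; different rdata, so not shadowed
"""


def parse_rpz(text: str) -> List[Entry]:
    """Parse 'owner [TTL] type rdata' lines; comments and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) > 3 and fields[1].isdigit():  # optional TTL column
            del fields[1]
        owner, rrtype, rdata = fields[0], fields[1].upper(), " ".join(fields[2:])
        entries.append((owner.rstrip(".").lower(), rrtype, rdata))
    return entries


def covered_by(owner: str, wildcard: str) -> bool:
    """True if owner lies strictly below the wildcard's suffix.
    '*.com' covers 'fun.com' and '*.fun.com' but not 'com' or itself."""
    if owner == wildcard or not wildcard.startswith("*."):
        return False
    return owner.endswith("." + wildcard[2:])


def consolidate(entries: List[Entry]) -> List[Entry]:
    """Keep only entries not shadowed by a same-action wildcard."""
    wildcards = [e for e in entries if e[0].startswith("*.")]
    return [
        (owner, rrtype, rdata)
        for owner, rrtype, rdata in entries
        if not any(covered_by(owner, w) and (rrtype, rdata) == (t, d)
                   for w, t, d in wildcards)
    ]
```

Entries whose action differs from the wildcard's (like `other.com` above) are kept on purpose, but a child of such an entry would still unmask its parent, so those cases need a manual decision rather than automatic removal.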