Homas / ioc2rpz

ioc2rpz is a place where threat intelligence meets DNS.
Apache License 2.0

redirect_domain add zone name #10

Closed mk-git closed 5 years ago

mk-git commented 5 years ago

Hi Vadim

If I use redirect_domain or local_cname (example: redirect_url=www.google.com) for a testdomain.com the result in dig looks like this:

;; ANSWER SECTION:
testdomain.com.              5       IN      CNAME   www.google.com.testrpz.ioc2rpz.

I tried redirect_url=www.google.com. but then the zone file is not transferred anymore. No error output in syslog.

Compiled the latest version from your git repo and created a docker container manually.

Homas commented 5 years ago
  1. Did you configure it via the GUI or in the config file directly?
  2. Could you please provide the configuration of the zone from the config file?

The valid redirect configuration should look like:

%Redirect to a domain
{rpz,{"localdata-dom.ioc2rpz",7202,3600,2592000,7200,"false","true",[{"redirect_domain","example.com"}],["dnsproxykey_1", "dnsproxykey_2"],"mixed",30,30,["small_ioc"],[],["whitelist_1","whitelist_2"]}}.

And the zone will be generated like:

google.com. 900 IN CNAME example.com.
*.google.com. 900 IN CNAME example.com.
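As an added illustration (this is not ioc2rpz's own code), the following Python builds the two records a redirect_domain action produces per indicator, exact name plus wildcard, both CNAME to an absolute target, and audits a zone for the symptom in the first post: a redirect target that came out as domain.com.testrpz.ioc2rpz. instead of domain.com. The zone name, TTL, and the sample zone lines are assumptions modelled on the thread.

```python
# Added example, not ioc2rpz code: build the records a "redirect_domain" RPZ
# action produces (exact name plus wildcard, both CNAME to the target) and audit
# a zone for the symptom in the first post, a redirect target that ended up
# under the RPZ origin. Zone name, TTL and sample data are assumptions.
ORIGIN = "testrpz.ioc2rpz."   # assumed RPZ zone name, as in the thread
TTL = 900                     # the TTL the maintainer's sample records use

def absolute(name):
    """Return a DNS name in absolute form: lower-cased, exactly one trailing dot."""
    name = name.strip().lower().rstrip(".")
    if not name:
        raise ValueError("empty name")
    return name + "."

def redirect_records(indicators, redirect_domain, origin=ORIGIN, wildcards=True, ttl=TTL):
    """Return (owner, ttl, type, rdata) tuples for a redirect_domain action.
    The owner is the indicator under the RPZ origin; the rdata is the absolute
    redirect target, so a resolver never treats it as relative to the zone."""
    target = absolute(redirect_domain)
    origin = absolute(origin)
    out = []
    for ioc in indicators:
        ioc = ioc.strip().lower().rstrip(".")
        if not ioc or ioc.startswith("#"):      # blank or comment line in a source
            continue
        owner = f"{ioc}.{origin}"
        out.append((owner, ttl, "CNAME", target))
        if wildcards:
            out.append((f"*.{owner}", ttl, "CNAME", target))
    return out

def zone_text(records):
    """Render records as zone-file lines (the layout dig's AXFR output uses)."""
    return "\n".join(f"{o} {t} IN {ty} {r}" for o, t, ty, r in records)

def parse_zone_line(line):
    parts = line.split()
    if len(parts) < 5 or parts[2] != "IN":
        return None
    return parts[0], int(parts[1]), parts[3], " ".join(parts[4:])

def audit_redirects(zone_lines, origin=ORIGIN):
    """Return owners of CNAME records whose target is relative (no trailing dot)
    or sits under the RPZ origin, i.e. 'domain.com.testrpz.ioc2rpz.' where
    'domain.com.' was meant. RPZ special targets ('.', '*.', 'rpz-drop.', ...)
    are absolute and outside the origin, so they are not flagged."""
    origin = absolute(origin)
    bad = []
    for line in zone_lines:
        rec = parse_zone_line(line)
        if rec is None or rec[2] != "CNAME":
            continue
        owner, _, _, target = rec
        if not target.endswith(".") or target.lower().endswith("." + origin):
            bad.append(owner)
    return bad

# Constructed sample modelled on the AXFR output in the thread, plus two bad records.
SAMPLE_ZONE = [
    "testrpz.ioc2rpz. 604800 IN SOA ns.example.invalid. hostmaster.example.invalid. 1 60 3600 2591940 7200",
    "example1.com.testrpz.ioc2rpz. 900 IN CNAME test.ch.",
    "*.example1.com.testrpz.ioc2rpz. 900 IN CNAME test.ch.",
    "testdomain.com.testrpz.ioc2rpz. 5 IN CNAME www.google.com.testrpz.ioc2rpz.",  # origin appended
    "bad.example.testrpz.ioc2rpz. 900 IN CNAME domain.com",                         # relative target
    "drop.example.testrpz.ioc2rpz. 900 IN CNAME rpz-drop.",
]

if __name__ == "__main__":
    print(zone_text(redirect_records(["google.com", "# comment", "Evil.ch."], "example.com")))
    print("suspicious:", audit_redirects(SAMPLE_ZONE))
```

Feeding the output of dig @server -y key_name:key zone axfr (one record per line) to audit_redirects gives a quick check that a deployed RPZ is redirecting where the configuration says, rather than into the policy zone itself.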

mk-git commented 5 years ago

I configured it via the GUI. Any change (redirect_domain=domain.com or redirect_domain=domain.com.) was written to the config file as in your example: [{"redirect_domain","domain.com"}] or [{"redirect_domain","domain.com."}]

Config-Snippet:

% rpz record: name, SOA refresh, SOA update retry, SOA expiration, SOA NXDomain TTL, Cache, Wildcards, Action, [tkeys], ioc_type, AXFR_time, IXFR_time, [sources], [notify], [whitelists]
{rpz,{"testrpz.ioc2rpz",86400,3600,2592000,7200,"true","true",[{"redirect_url","domain.com"}],["tkey_1"],"fqdn",604800,86400,["COMLOT","local_blacklist_test"],[],["whitelist_1"]}}.

DIG Result on Slave BIND DNS Server:

dig example.com

; <<>> DiG 9.10.3-P4-Debian <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45870
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            5       IN      CNAME   domain.com.testrpz.ioc2rpz.

;; AUTHORITY SECTION:
testrpz.ioc2rpz.        7200    IN      SOA     certmanager.#####.net. noc.#####.##. 1559913720 86400 3600 2592000 7200

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 07 15:22:27 CEST 2019
;; MSG SIZE  rcvd: 151

Homas commented 5 years ago

Please check the configuration. The action is defined as {"redirect_url","domain.com"} but should be redirect_domain. I cannot recheck the configuration generated by the GUI right now.

mk-git commented 5 years ago

I checked the configuration. The GUI creates it correctly.

Sorry, was a spelling mistake on my part. I had already corrected it but not re-copied here in the post. The current config looks like this:

% rpz record: name, SOA refresh, SOA update retry, SOA expiration, SOA NXDomain TTL, Cache, Wildcards, Action, [tkeys], ioc_type, AXFR_time, IXFR_time, [sources], [notify], [whitelists]
{rpz,{"testrpz.ioc2rpz",86400,3600,2592000,7200,"true","true",[{"redirect_domain","domain.com"}],["tkey_1"],"fqdn",604800,86400,["COMLOT","local_blacklist_test"],[],["whitelist_1"]}}.

DIG output:

dig example.com

; <<>> DiG 9.10.3-P4-Debian <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45870
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            5       IN      CNAME   domain.com.testrpz.ioc2rpz.

;; AUTHORITY SECTION:
testrpz.ioc2rpz.        7200    IN      SOA     certmanager.####.net. noc.####.##. 1559913720 86400 3600 2592000 7200

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 07 15:22:27 CEST 2019
;; MSG SIZE  rcvd: 151

==> Short side question: I have a txt file that is linked by URL as a source, and a local txt file that I have included with file:/

If the URL or the local file changes, do I have to trigger something? Or at what interval are the files checked?

{source,{"COMLOT","https://blacklist.comlot.ch/comlot_blacklist.txt","[:AXFR:]","^(?!#)(.*)$"}}.
{source,{"local_blacklist_test","file:/opt/ioc2rpz/cfg/blacklist_test.txt","[:AXFR:]","^(?!#)(.*)$"}}.

mk-git commented 5 years ago

I found something: when I use a destination URL with a two-character country code ("example.ch") it does not work. If I use "example.net" it works.

Homas commented 5 years ago

Confirmed. I was able to reproduce it. I'll take a look at it over the weekend.

Vadim

Homas commented 5 years ago
  1. Please provide a few of the problem records using a zone transfer from ioc2rpz: dig @server -y key_name:key testrpz.ioc2rpz axfr
  2. The issue is related to message compression. I've "turned it off" for the redirect action. ioc2rpz.erl was updated, so you can download only that file and try again. I'll properly fix the bug later.
  3. Regarding your question about when the sources are updated: it is defined at the RPZ level by the refresh times (AXFR for full, IXFR for incremental). If the sources were not updated (checksum), the zone is not updated either.
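
The maintainer attributes the bug to message compression. As an added illustration, not code from ioc2rpz, the following Python implements DNS name compression as RFC 1035 section 4.1.4 defines it: labels are written once, and a suffix already present in the message is replaced by a two-byte pointer to its earlier offset. The decoder insists that pointers point strictly backwards, which rules out loops and forward references. The sample names and TTL are assumptions modelled on the thread.

```python
# Added example, not ioc2rpz code: DNS name compression (RFC 1035 section 4.1.4),
# the mechanism the maintainer points to. A name is written as length-prefixed
# labels; a suffix already present in the message is replaced by a two-byte
# pointer (top bits 11) to its earlier offset. Sample names are assumptions.

def _labels(name):
    name = name.lower().rstrip(".")
    return name.split(".") if name else []

def encode_name(name, buf, offsets):
    """Append name to bytearray buf, reusing earlier suffixes through pointers.
    offsets maps a suffix ('com.example') to the offset of its first label."""
    labels = _labels(name)
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in offsets:                       # rest of the name already present
            ptr = offsets[suffix]
            buf += bytes([0xC0 | (ptr >> 8), ptr & 0xFF])
            return
        if len(buf) <= 0x3FFF:                      # pointers carry 14-bit offsets
            offsets[suffix] = len(buf)
        label = labels[i].encode("ascii")
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        buf += bytes([len(label)]) + label
    buf += b"\x00"                                  # root label terminates the name

def decode_name(buf, pos):
    """Return (absolute name, offset after the name). Pointers must point
    strictly backwards, which rules out loops and forward references."""
    labels, end, jumps = [], None, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated name")
        l = buf[pos]
        if l & 0xC0 == 0xC0:
            if pos + 1 >= len(buf):
                raise ValueError("truncated pointer")
            target = ((l & 0x3F) << 8) | buf[pos + 1]
            if target >= pos:
                raise ValueError("pointer does not point backwards")
            if end is None:
                end = pos + 2                       # the name ends at the first pointer
            jumps += 1
            if jumps > 64:
                raise ValueError("pointer chain too long")
            pos = target
            continue
        if l & 0xC0:
            raise ValueError("reserved label type")
        pos += 1
        if l == 0:
            break
        labels.append(buf[pos:pos + l].decode("ascii"))
        pos += l
    return ".".join(labels) + ".", (pos if end is None else end)

def decodes_cleanly(wire, pos=0):
    try:
        decode_name(wire, pos)
        return True
    except ValueError:
        return False

def encode_cname_rr(owner, target, ttl, buf, offsets):
    """Append a CNAME RR. RDLENGTH is back-patched: compression may shrink RDATA."""
    encode_name(owner, buf, offsets)
    buf += (5).to_bytes(2, "big") + (1).to_bytes(2, "big") + ttl.to_bytes(4, "big")
    rdlen_pos = len(buf)
    buf += b"\x00\x00"
    start = len(buf)
    encode_name(target, buf, offsets)
    buf[rdlen_pos:rdlen_pos + 2] = (len(buf) - start).to_bytes(2, "big")

def decode_cname_rr(buf, pos):
    owner, pos = decode_name(buf, pos)
    rtype = int.from_bytes(buf[pos:pos + 2], "big")
    ttl = int.from_bytes(buf[pos + 4:pos + 8], "big")
    rdlen = int.from_bytes(buf[pos + 8:pos + 10], "big")
    pos += 10
    target, end = decode_name(buf, pos)
    if rtype != 5 or end != pos + rdlen:
        raise ValueError("not a well-formed CNAME RR")
    return owner, target, ttl, end

def roundtrip(rrs):
    """Encode (owner, target, ttl) CNAMEs with compression and decode them back.
    Returns (decoded records, wire bytes) so the saving can be inspected."""
    buf, offsets = bytearray(), {}
    for owner, target, ttl in rrs:
        encode_cname_rr(owner, target, ttl, buf, offsets)
    out, pos = [], 0
    while pos < len(buf):
        owner, target, ttl, pos = decode_cname_rr(buf, pos)
        out.append((owner, target, ttl))
    return out, bytes(buf)

if __name__ == "__main__":
    rrs = [("example1.com.testrpz.ioc2rpz.", "test.ch.", 900),
           ("*.example1.com.testrpz.ioc2rpz.", "test.ch.", 900)]
    decoded, wire = roundtrip(rrs)
    print(decoded == rrs, len(wire), "bytes on the wire")
```

For the two records above the wildcard owner collapses to one label plus a pointer, and the second test.ch. becomes a pointer into the first RDATA; 100 uncompressed bytes become 65. The point for the thread is that a pointer selects a suffix by offset, so an offset computed wrongly yields a syntactically valid but different name, which is why turning compression off for the redirect action is a plausible stop-gap.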

mk-git commented 5 years ago

dig @xxx.xxx.xxx.xxx -y tkey_1 testrpz.ioc2rpz axfr

; (1 server found)
;; global options: +cmd
testrpz.ioc2rpz.                        604800  IN      SOA     xxxxxxxxr.xxxxxxxx.net. xxx.xxxxx.xx. 1560233580 60 3600 2591940 7200
testrpz.ioc2rpz.                        604800  IN      NS      xxxxxxxxxxx.xxxxxxxx.xx.
example5.com.testrpz.ioc2rpz.           900     IN      CNAME   test.ch.
*.example5.com.testrpz.ioc2rpz.         900     IN      CNAME   test.ch.
example4.com.testrpz.ioc2rpz.           900     IN      CNAME   test.ch.
*.example4.com.testrpz.ioc2rpz.         900     IN      CNAME   test.ch.
example3.com.testrpz.ioc2rpz.           900     IN      CNAME   test.ch.
*.example3.com.testrpz.ioc2rpz.         900     IN      CNAME   test.ch.
example2.com.testrpz.ioc2rpz.           900     IN      CNAME   test.ch.
*.example2.com.testrpz.ioc2rpz.         900     IN      CNAME   test.ch.
example1.com.testrpz.ioc2rpz.           900     IN      CNAME   test.ch.
*.example1.com.testrpz.ioc2rpz.         900     IN      CNAME   test.ch.
no-block-domain-c.tld.testrpz.ioc2rpz.  900     IN      CNAME   test.ch.
*.no-block-domain-c.tld.testrpz.ioc2rpz. 900    IN      CNAME   test.ch.
no-block-domain-b.tld.testrpz.ioc2rpz.  900     IN      CNAME   test.ch.
*.no-block-domain-b.tld.testrpz.ioc2rpz. 900    IN      CNAME   test.ch.
no-block-domain-a.tld.testrpz.ioc2rpz.  900     IN      CNAME   test.ch.
*.no-block-domain-a.tld.testrpz.ioc2rpz. 900    IN      CNAME   test.ch.
testrpz.ioc2rpz.                        604800  IN      SOA     xxxxxxxxr.xxxxxxxx.net. xxx.xxxxx.xx. 1560233580 60 3600 2591940 7200
tkey_1.                                 0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1560235060 300 16 uvbEGaWU83hLNPnnp7JvHA== 24964 NOERROR 0
;; Query time: 1 msec
;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
;; WHEN: Tue Jun 11 08:37:40 CEST 2019
;; XFR size: 19 records (messages 1, bytes 747)

  1. Domains with two-letter country codes work with your last update. Thanks a lot for this.

  2. I have a local blacklist.txt. The RPZ zone has the following SOA values:

SOA Refresh: 60
SOA Update: 3600
SOA zone exp: 2591940
SOA NXDOMAIN TTL: 7200

Zone full update time: 20
Zone incremental update time: 20

I see in the log that the source is checked every 20 seconds. However, it is reported that the source is being loaded from the cache:

Got source "local_blacklist_test" from cache
Got source "whitelist_1" from cache
Zone "testrpz.ioc2rpz" is the same. Checked in 19 seconds, check timestamp 1560235440

After approx. 8 minutes:

Source "local_blacklist_test" was expired in cache
Source: "local_blacklist_test", size: 78/bytes (78), MD5: "699ff08ad373a4b581e2cb43a5eab689"
Source: "local_blacklist_test", got 6 indicators, clean time 0

Then the file is read in, the zone is updated in ioc2rpz, and the zone transfer to the secondary succeeds.

Can I set the "File-Cache-Time" somewhere?

Homas commented 5 years ago
  1. Looks good.
  2. Thanks for the confirmation. This is an intermediate fix and full fix will be delivered later.
  3. "HotCacheTime" is set to 900 seconds. You can change it in ioc2rpz.hrl
mk-git commented 5 years ago

If I change something in ioc2rpz.hrl, do I have to rebuild the Docker container? I have now mounted the include directory from the host with a Docker mount, copied ioc2rpz.hrl there, adjusted it and restarted the container. But I do not see that the setting has changed.

Homas commented 5 years ago

Yes. You need to rebuild the container.

Homas commented 5 years ago

Fixed in 0.9.4.0