NIOS DNS DHCP IPAM

Can a CNAME being blocked cause NXDOMAIN?

Authority
Posts: 22

Here we can see the CNAME for microsoft.com is getting blocked by the rpz rule.


The IP address is 23.8.232.48. 


Can one CNAME being blocked by RPZ cause this NXDOMAIN? MS has multiple IPs when I try nslookup or dig; shouldn't I get an IP from there?

 

Also, this CNAME's IP is not even mentioned in the dig output, so why exactly is this happening?


2019-02-28T12:37:33+04:00 daemon zcpdns.acmeinc.com named[29021]: info 28-Feb-2019 12:37:33.666 client 10.65.128.231#50119: UDP: query: www.microsoft.com IN AAAA response: NOERROR + www.microsoft.com. 1210 IN CNAME www.microsoft.com-c-3.edgekey.net.; www.microsoft.com-c-3.edgekey.net. 1280 IN CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net.; www.microsoft.com-c-3.edgekey.net.globalr... IN CNAME e13678.dspb.akamaiedge.net.; e13678.dspb.akamaiedge.net. 16 IN AAAA 2a02:26f0:c00:4a2::356e; e13678.dspb.akamaiedge.net. 16 IN AAAA 2a02:26f0:c00:4ab::356e; e13678.dspb.akamaiedge.net. 16 IN AAAA 2a02:26f0:c00:495::356e;


2019-02-28T12:37:33+04:00 daemon zcpdns.acmeinc.com named[29021]: info client 10.65.128.231#60231 (www.microsoft.com): query: www.microsoft.com IN A + (10.1.31.105)
2019-02-28T12:37:33+04:00 daemon zcpdns.acmeinc.com named[29021]: info CEF:0|Infoblox|NIOS|8.3.0-EA-364873|RPZ-IP|NXDOMAIN|8|app=DNS dst=10.1.31.105 src=10.65.128.231 spt=60231 view=_default qtype=A msg="rpz IP NXDOMAIN rewrite e13678.dspb.akamaiedge.net [A] via 32.48.232.8.23.rpz-ip.testrule"


2019-02-28T12:37:33+04:00 daemon zcpdns.acmeinc.com named[29021]: info 28-Feb-2019 12:37:33.786 client 10.65.128.231#60231: UDP: query: www.microsoft.com IN A response: NXDOMAIN +

 

Thanks!

Re: Can a CNAME being blocked cause NXDOMAIN?

Adviser
Posts: 109

Looking at the syslog data, we can extrapolate that you have the RPZ policy with the name "testrule" set to block the IP in question (23.8.232.48.32 as it is reversed in the logs IIRC) and return an NXDOMAIN response in return.

 

Whenever something in an answer is blocked, the entire query response is affected and not just the individual answer. And for RPZ rules, you have options to block with an NXDOMAIN or NODATA response.

 

Using your syslog message, I have moved the helpful parts of the log message that explain this down to their own lines with leading hyphens.

 

2019-02-28T12:37:33+04:00 daemon zcpdns.acmeinc.com named[29021]: info client 10.65.128.231#60231 (www.microsoft.com): query: www.microsoft.com IN A + (10.1.31.105)
2019-02-28T12:37:33+04:00 daemon zcpdns.acmeinc.com named[29021]: info CEF:0|Infoblox|NIOS|8.3.0-EA-364873|RPZ-IP|NXDOMAIN|8|app=DNS dst=10.1.31.105 src=10.65.128.231 spt=60231 view=_default qtype=A msg="

- rpz IP NXDOMAIN

- rewrite e13678.dspb.akamaiedge.net [A]

- via 32.48.232.8.23.rpz-ip.testrule"

 

 

Hope this helps.

 

Regards,

Tony

Re: Can a CNAME being blocked cause NXDOMAIN?

Authority
Posts: 22

Whenever something in an answer is blocked, the entire query response is affected and not just the individual answer. And for RPZ rules, you have options to block with an NXDOMAIN or NODATA response.

 

---------

 

That's what I was looking for, thanks!
