local RPZ zone working locally only

Member
Posts: 1

Hi,

I am trying to test local RPZ functionality in my lab. I followed this guide https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-implementing-infoblox-dns-fire...

It is working locally only (using dig from the Grid Master CLI):

Infoblox > dig x.x.com

; <<>> DiG 9.11.3-S3 <<>> +noedns x.x.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51460
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;x.x.com.                       IN      A

;; ANSWER SECTION:
x.x.com.                28800   IN      A       2.2.2.2

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 22 16:49:00 CET 2022
;; MSG SIZE  rcvd: 41

But it is not working from my machine in the same subnet:

# dig @<SERVER-IP> x.x.com

; <<>> DiG 9.9.5-3ubuntu0.19-Ubuntu <<>> @<SERVER-IP> x.x.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 45716
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;x.x.com.                       IN      A

;; Query time: 2 msec
;; SERVER: <SERVER-IP>#53(<SERVER-IP>)
;; WHEN: Tue Mar 22 16:50:32 CET 2022
;; MSG SIZE  rcvd: 36

Here is the message I got from syslog:

client @0x7f5cbc4c19b0 <Client-IP>#50213 (x.x.com): query 'x.x.com/A/IN' denied

By checking the member config, I can see that there is indeed an auto-created list with localhost only.

Although I didn't have this option while creating the zone!!

zone "x.com" in { # x.com
	# default TTL = 28800;
	type master;
	database infoblox_zdb;
	masterfile-format raw;
	file "azd/db.x.com._default";
	allow-update { any;  };
	allow-query { 127.0.0.1; };
	notify yes;
};

I tried changing "Match clients" from "None" to "Named ACL" with "allow all" at the Grid, member and DNS view levels with no luck.

How can I remove this entry and allow it from any client?
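Added example (not from the original post or from Infoblox): a small Python check that parses the zone stanza's allow-query ACL and BIND's "query ... denied" syslog lines, then confirms per client that the ACL is what produced REFUSED. The zone config, client addresses and log lines below are constructed samples.

```python
import ipaddress
import re

# Constructed sample in the shape of the member config shown in the post.
ZONE_CONF = '''\
zone "x.com" in { # x.com
    type master;
    allow-update { any;  };
    allow-query { 127.0.0.1; };
    notify yes;
};
'''

# Constructed syslog lines in BIND's "query ... denied" format (documentation IPs).
SYSLOG = """\
client @0x7f5cbc4c19b0 192.0.2.10#50213 (x.x.com): query 'x.x.com/A/IN' denied
client @0x7f5cbc4c19b0 198.51.100.7#33120 (x.x.com): query 'x.x.com/A/IN' denied
"""

DENIED_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(\S+)#\d+ \([^)]*\): query '([^']+)' denied")
ALLOW_QUERY_RE = re.compile(r"allow-query\s*\{([^}]*)\}")

def parse_allow_query(conf):
    """Return the allow-query ACL as (permit, element) pairs; an element is an
    ip_network or the keyword any/localhost. A leading '!' negates the entry."""
    m = ALLOW_QUERY_RE.search(conf)
    acl = []
    for item in (m.group(1).split(";") if m else []):
        item = item.strip()
        if not item:
            continue
        permit = not item.startswith("!")
        item = item.lstrip("! ")
        if item in ("any", "localhost"):
            acl.append((permit, item))
        else:
            acl.append((permit, ipaddress.ip_network(item, strict=False)))
    return acl

def _matches(elem, addr):
    if elem == "any":
        return True
    if elem == "localhost":
        return addr.is_loopback
    return isinstance(elem, (ipaddress.IPv4Network, ipaddress.IPv6Network)) and addr in elem

def client_allowed(acl, ip):
    """First matching ACL element wins, as in BIND; no match means the query is refused."""
    addr = ipaddress.ip_address(ip)
    for permit, elem in acl:
        if _matches(elem, addr):
            return permit
    return False

def explain_denials(conf, syslog):
    """Pair each denied query (client, qname) with the verdict the zone ACL gives that client."""
    acl = parse_allow_query(conf)
    return [(m.group(1), m.group(2), client_allowed(acl, m.group(1)))
            for m in (DENIED_RE.search(l) for l in syslog.splitlines()) if m]
```

A `False` verdict next to a denied line confirms the allow-query ACL alone explains the REFUSED seen from the other host; 127.0.0.1 still passes, matching the working query from the Grid Master itself.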
