RPZ configuration examples
Paul Vixie
vixie at isc.org
Mon Nov 21 14:53:12 UTC 2011
noting, first: there is documentation online for DNS RPZ, see the following:
https://deepthought.isc.org/article/AA-00525/0/Building-DNS-Firewalls-with-Response-Policy-Zones-RPZ.html
second, as to the particulars:
babu dheen <babudheen at yahoo.co.in> writes:
> We are new to BIND and would like to implement RPZ in BIND. I have the
> following queries with respect to RPZ in BIND.
>
> 1. Do you have basic example/steps to configure RPZ in Bind? (I need a
> couple of examples like /etc/named.conf file and zone files for rpz
in my recursive server's named.conf file, in the options{} block, i have:
response-policy {
zone "dns-policy.vix.com";
zone "rpz.surbl.org";
zone "rpz.spamhaus.org";
zone "block.c2.rpz.umbradata.com";
zone "hh.c2.rpz.umbradata.com";
zone "active.nx.rpz.iidrpz.net";
zone "dga.nx.rpz.iidrpz.net";
};
all but the first of these are "slave" zones that i subscribe to. the first
one is my local policy, and that zone looks like:
$TTL 30
@ SOA nsa.vix.com. hostmaster.vix.com. 29 3600 1800 604800 30
NS localhost.
; eric ziegast suggestions
32.46.21.156.11.rpz-ip CNAME *.
32.207.58.177.96.rpz-ip CNAME *.
; pedro bueno suggestions
32.94.199.53.14.rpz-ip CNAME *.
; android market scammer
softthrifty.com CNAME .
*.softthrifty.com CNAME .
; spam houses
*.verticalresponse.com CNAME .
; imports
$INCLUDE "drop/drop.inc"
$INCLUDE "drop/bogons.inc"
the two $INCLUDE files are generated by a perl script using data imported
from Team Cymru and Spamhaus. that method is described in a blog post at:
http://www.circleid.com/posts/using_domain_filtering_to_effect_ip_address_filtering/
drop.inc begins as follows:
24.0.140.196.109.rpz-ip CNAME .
*.140.196.109.in-addr.arpa CNAME .
22.0.212.94.109.rpz-ip CNAME .
*.212.94.109.in-addr.arpa CNAME .
*.213.94.109.in-addr.arpa CNAME .
*.214.94.109.in-addr.arpa CNAME .
*.215.94.109.in-addr.arpa CNAME .
bogons.inc begins as follows:
8.0.0.0.0.rpz-ip CNAME .
*.0.in-addr.arpa CNAME .
10.0.0.64.5.rpz-ip CNAME .
*.64.5.in-addr.arpa CNAME .
*.65.5.in-addr.arpa CNAME .
*.66.5.in-addr.arpa CNAME .
*.67.5.in-addr.arpa CNAME .
*.68.5.in-addr.arpa CNAME .
*.69.5.in-addr.arpa CNAME .
a copy of the perl script that generates these is online at:
http://nsa.vix.com/~vixie/lasso2rpz.pl
> 2. If I use RPZ, recursive DNS will contact remote RBL database for
> every DNS query?
no. all RPZ control plane information is held locally in the recursive
server. per the specification at:
https://deepthought.isc.org/article/AA-00512/0
we see this text:
A DNS Response Policy Zone (RPZ) is a DNS zone, and as such its
contents can be transferred between servers (DNS AXFR/IXFR),
protected by transaction signatures (DNS TSIG), and expedited by
real time change notifications (DNS NOTIFY), all subject to
familiar DNS access controls. An RPZ usually does not support query
access since it is never required for correct operation. Rather it
is the zone transfer of RPZ content from producers to subscribers
which effectively publishes the policy data, and it is the
transferee's server configuration which promotes RPZ payload data
into DNS control plane data.
> 3. Is it possible to download DNS RBLs locally on the DNS server
> automatically daily and then allow RPZ query locally to give malware
> domain lookup response?
yes. that is one of the intended uses of DNS RPZ.
> If you can help on this, it will be very much helpful to understand
> and implement RPZ in our enterprise.
while this discussion is on-topic for bind-users at isc.org ("here"), there
is also a mailing list specific to DNS RPZ. to subscribe, visit:
https://lists.isc.org/mailman/listinfo/dnsrpz-interest
noting, again: there is documentation online for DNS RPZ, see the following:
https://deepthought.isc.org/article/AA-00525/0/Building-DNS-Firewalls-with-Response-Policy-Zones-RPZ.html
thank you for your interest in DNS RPZ.
--
Paul Vixie
KI6YSY
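an added example, not Vixie's lasso2rpz.pl and not part of the original post: a small Python generator that turns a list of CIDR prefixes into the rpz-ip trigger records and the matching in-addr.arpa wildcard records in the same format as the drop.inc and bogons.inc fragments above. the sample prefix list is constructed for illustration, not Team Cymru or Spamhaus data.

```python
import ipaddress
import math

# Constructed sample prefixes (not real DROP/bogon feed data); the real
# script reads the Team Cymru and Spamhaus lists instead.
SAMPLE_PREFIXES = ["109.196.140.0/24", "109.94.212.0/22", "0.0.0.0/8"]


def _v4(prefix):
    """Parse a CIDR string, rejecting host bits and IPv6 (octet logic is v4-only)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 prefixes only: %s" % prefix)
    return net


def rpz_ip_name(prefix):
    """RPZ IP-trigger owner name: <prefixlen>.<octets reversed>.rpz-ip
    e.g. 109.196.140.0/24 -> 24.0.140.196.109.rpz-ip"""
    net = _v4(prefix)
    octets = str(net.network_address).split(".")
    return "%d.%s.rpz-ip" % (net.prefixlen, ".".join(reversed(octets)))


def in_addr_wildcards(prefix):
    """Wildcard reverse-DNS names covering the block at octet granularity.
    A /22 spans four /24s, so it yields four *.x.y.z.in-addr.arpa names;
    a /10 yields 64 *.y.z.in-addr.arpa names. Longer than /24 has no
    wildcard form and raises ValueError."""
    net = _v4(prefix)
    if net.prefixlen > 24:
        raise ValueError("no wildcard form for prefixes longer than /24")
    n_octets = math.ceil(net.prefixlen / 8)   # /8 -> 1, /10 -> 2, /22 -> 3
    step = 1 << (32 - 8 * n_octets)           # addresses per wildcard name
    names = []
    first, last = int(net.network_address), int(net.broadcast_address)
    for addr in range(first, last + 1, step):
        octets = str(ipaddress.IPv4Address(addr)).split(".")[:n_octets]
        names.append("*.%s.in-addr.arpa" % ".".join(reversed(octets)))
    return names


def rpz_records(prefixes):
    """Zone-file lines: one rpz-ip trigger plus the reverse wildcards per
    prefix, each with the NXDOMAIN action (CNAME .)."""
    lines = []
    for p in prefixes:
        lines.append("%s CNAME ." % rpz_ip_name(p))
        lines.extend("%s CNAME ." % n for n in in_addr_wildcards(p))
    return lines


if __name__ == "__main__":
    print("\n".join(rpz_records(SAMPLE_PREFIXES)))
```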