Can't get RPZ to work in local LAN with bind9.10.3

Mario Aeby private at eMeidi.com
Sun Apr 1 13:08:35 UTC 2018


Hello list,

inspired by Brian Krebs’ article

Omitting the “o” in .com Could Be Costly
https://krebsonsecurity.com/2018/03/omitting-the-o-in-com-could-be-costly/

this weekend I set out to reconfigure BIND running in my local network to prevent resolving any domain with a «cm» TLD (and, based on further research, a few others known for phishing and spreading malware).

Unfortunately, I can’t make RPZ work at all.

System:
Linux HOSTNAME 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux
/etc/debian_version: 9.4

BIND
dpkg --list | grep -i bind9
ii  bind9                               1:9.10.3.dfsg.P4-12.3+deb9u4   amd64        Internet Domain Name Server

To further debug the problem and not accidentally kill DNS resolving in the household, I set up BIND on a second server (similar OS configuration as stated above, but with a bare minimum BIND configuration to exclude conflicts with advanced configuration options) in the same LAN.

Symptoms (on both servers)
* All queries are logged in /var/log/named/queries.log
* The RPZ log at /var/log/named/rpz.log stays empty no matter what queries I place which should be caught by RPZ
* When using «allow-query { any; };» in the RPZ zone definition I can successfully query BIND for predefined domains (e.g. youtube.com.rpz) and it returns the intended result (i.e. the sinkhole address in the local network)
* When querying youtube.com, BIND resolves it to the public and correct address (since I have not configured any forwarders in BIND itself, I assume it uses the production DNS at 10.12.34.12 defined in /etc/resolv.conf (?))

Some log excerpts, if of any use:

default.log
01-Apr-2018 14:39:39.154 general: info: managed-keys-zone: loaded serial 0
01-Apr-2018 14:39:39.163 general: info: zone rpz/IN: loaded serial 2018040103
01-Apr-2018 14:39:39.163 general: notice: all zones loaded
01-Apr-2018 14:39:39.163 general: notice: running
01-Apr-2018 14:39:49.130 general: info: received control channel command 'flush'
01-Apr-2018 14:39:49.130 general: info: flushing caches in all views succeeded
01-Apr-2018 15:01:46.451 general: info: received control channel command 'dumpdb -all'
01-Apr-2018 15:01:46.451 general: info: dumpdb started: -all
01-Apr-2018 15:01:46.673 general: info: dumpdb complete

queries.log
01-Apr-2018 14:31:17.436 queries: info: client 10.12.34.102#59664 (youtube.com): query: youtube.com IN A +E (10.12.34.11)
01-Apr-2018 14:37:38.574 queries: info: client 10.12.34.102#54125 (youtube.com): query: youtube.com IN A +E (10.12.34.11)
01-Apr-2018 14:37:47.381 queries: info: client 10.12.34.102#57566 (youtube.com.rpz): query: youtube.com.rpz IN A +E (10.12.34.11)
01-Apr-2018 14:39:53.181 queries: info: client 10.12.34.102#58174 (youtube.com.rpz): query: youtube.com.rpz IN A +E (10.12.34.11)
01-Apr-2018 14:39:58.196 queries: info: client 10.12.34.102#61735 (youtube.com): query: youtube.com IN A +E (10.12.34.11)
01-Apr-2018 14:50:02.495 queries: info: client 10.12.34.102#57401 (youtube.com): query: youtube.com IN A +E (10.12.34.11)
01-Apr-2018 14:50:32.661 queries: info: client 10.12.34.102#62122 (youtube.com.rpz): query: youtube.com.rpz IN A +E (10.12.34.11)

rndc -c /etc/rndc.conf dumpdb -all
cat /named_dump.db
...
; Zone dump of 'rpz/IN'
;
rpz.					      60 IN SOA		localhost. root.localhost. 2018040103 60 60 60 60
rpz.					      60 IN NS		localhost.
rpz.					      60 IN A		10.12.34.11
google.com.rpz.				      60 IN A		10.12.34.12
youtube.com.rpz.			      60 IN CNAME	.
...

This is the (minimal) configuration on my test server:

named.conf
logging {
  channel default {
    file "/var/log/named/default.log";
    //severity debug 3;
    severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
  };
  category default { default; };

  channel queries {
    file "/var/log/named/queries.log";
    //severity debug 3;
    severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
  };
  category queries { queries; };

  channel rpz-queries {
    file "/var/log/named/rpz.log";
    severity debug 3;
    //severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
  };
  category rpz { rpz-queries; };
};

key "rndc-key" {
    algorithm hmac-md5;
    secret «S1KR1T";
};

controls {
    inet * port 953
    allow { 127.0.0.1; 10.12.34.11; } keys { "rndc-key"; };
};

zone "rpz" {
    type master;
    file "/etc/bind/zones/rpz.dns";
    //allow-query { none; };
    allow-query { any; };
};

named.conf.local
EMPTY

named.conf.options
options {
        response-policy    { zone "rpz"; };
};

zones/rpz.dns
$TTL 60
@	IN SOA	localhost. root.localhost. (
				 2018040103    ; Serial number
				 60            ; Refresh
				 60            ; Retry
				 60            ; Expire
				 60          ) ; Minimum TTL
@	IN NS	localhost.
@   	IN A    10.12.34.11
youtube.com CNAME .
google.com A 10.12.34.12

Resolving examples
$ dig youtube.com @10.12.34.11

; <<>> DiG 9.10.6 <<>> youtube.com @10.12.34.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29841
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;youtube.com.			IN	A

;; ANSWER SECTION:
youtube.com.		300	IN	A	172.217.19.174

;; AUTHORITY SECTION:
youtube.com.		172196	IN	NS	ns1.google.com.
youtube.com.		172196	IN	NS	ns2.google.com.
youtube.com.		172196	IN	NS	ns3.google.com.
youtube.com.		172196	IN	NS	ns4.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.		172196	IN	A	216.239.32.10
ns1.google.com.		172196	IN	AAAA	2001:4860:4802:32::a
ns2.google.com.		172196	IN	A	216.239.34.10
ns2.google.com.		172196	IN	AAAA	2001:4860:4802:34::a
ns3.google.com.		172196	IN	A	216.239.36.10
ns3.google.com.		172196	IN	AAAA	2001:4860:4802:36::a
ns4.google.com.		172196	IN	A	216.239.38.10
ns4.google.com.		172196	IN	AAAA	2001:4860:4802:38::a

;; Query time: 18 msec
;; SERVER: 10.12.34.11#53(10.12.34.11)
;; WHEN: Sun Apr 01 14:50:02 CEST 2018
;; MSG SIZE  rcvd: 311

$ dig youtube.com.rpz @10.12.34.11

; <<>> DiG 9.10.6 <<>> youtube.com.rpz @10.12.34.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38286
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;youtube.com.rpz.		IN	A

;; ANSWER SECTION:
youtube.com.rpz.	60	IN	CNAME	.

;; AUTHORITY SECTION:
.			10161	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2018033101 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 10.12.34.11#53(10.12.34.11)
;; WHEN: Sun Apr 01 14:50:32 CEST 2018
;; MSG SIZE  rcvd: 132

Thank you for your support
Best regards,
Mario
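The post relies on two pieces of RPZ semantics: a QNAME trigger whose target is "CNAME ." yields NXDOMAIN, and any other record at a trigger name is "local data" that replaces the real answer. The script below is an added example, not part of the thread and not BIND code; it parses an RPZ zone written in the same layout as the poster's zones/rpz.dns and reports which policy action the QNAME rules would select for a query. The zone text is constructed: the youtube.com and google.com records and the 10.12.34.12 address are from the post, while the "cm" / "*.cm" lines (the TLD block the opening paragraph asks for) and the rpz-passthru. line are hypothetical additions. It also shows the one detail a TLD block easily misses: "*.cm" covers names under cm but not the bare name "cm", so both entries are needed.

```python
"""Offline model of RPZ QNAME-trigger matching for a BIND response-policy zone.

Added example for the bind-users thread above; not code from BIND or the
poster. It checks that an RPZ zone expresses the intended policy; it does
not explain why a running server might fail to apply it.
"""

import re

# Constructed RPZ zone in the poster's layout. youtube.com, google.com and
# 10.12.34.12 come from the post; the cm, *.cm and paypal.com lines are
# hypothetical additions for illustration.
RPZ_ZONE = """\
$TTL 60
@       IN SOA  localhost. root.localhost. (
                2018040103 ; Serial
                60 60 60 60 )
@       IN NS   localhost.
youtube.com     CNAME .
google.com      A     10.12.34.12
cm              CNAME .
*.cm            CNAME .
paypal.com      CNAME rpz-passthru.
"""

# Special CNAME targets defined by the RPZ format and the action each encodes.
SPECIAL_TARGETS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}

# owner [TTL] [IN] type rdata   (class and TTL optional, in either order)
RECORD_RE = re.compile(
    r"^(\S+)\s+(?:(?:IN|\d+)\s+){0,2}(CNAME|AAAA|A)\s+(\S+)\s*$", re.I)


def parse_rpz(zone_text):
    """Return {owner: [(rtype, rdata), ...]} for QNAME-trigger records.

    Apex records ("@": SOA, NS, the sinkhole A record) are zone housekeeping,
    not triggers, so they are skipped, as is the multi-line SOA body.
    Owners are lower-cased and relative to the policy zone apex.
    """
    triggers = {}
    depth = 0  # parenthesis depth, to skip the continued SOA record
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if depth:
            depth += line.count("(") - line.count(")")
            continue
        if not line or line.startswith("$") or line.startswith("@"):
            depth += line.count("(") - line.count(")")
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        owner = m.group(1).lower().rstrip(".")
        triggers.setdefault(owner, []).append((m.group(2).upper(), m.group(3)))
    return triggers


def action_for(records):
    """Translate the records at a trigger name into the RPZ policy action."""
    for rtype, rdata in records:
        if rtype == "CNAME" and rdata.lower() in SPECIAL_TARGETS:
            return SPECIAL_TARGETS[rdata.lower()]
    # Anything else is local data: the records themselves become the answer.
    return "LOCAL-DATA " + ", ".join(f"{t} {d}" for t, d in records)


def rpz_lookup(triggers, qname):
    """Apply QNAME matching: exact owner first, then the most specific wildcard.

    Returns (matched_owner, action), or (None, None) when the name is not
    covered and normal resolution proceeds.
    """
    name = qname.lower().rstrip(".")
    if name in triggers:
        return name, action_for(triggers[name])
    labels = name.split(".")
    # "*.cm" matches "foo.cm" and "a.foo.cm" but never the bare name "cm".
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in triggers:
            return candidate, action_for(triggers[candidate])
    return None, None


if __name__ == "__main__":
    policy = parse_rpz(RPZ_ZONE)
    for q in ("youtube.com", "google.com", "cm", "www.example.cm",
              "paypal.com", "example.com"):
        owner, action = rpz_lookup(policy, q)
        note = f"  (trigger {owner})" if owner else ""
        print(f"{q:18s} -> {action or 'not covered, resolve normally'}{note}")
```

Run it against a copy of your own zone text to see, before reloading named, which names the zone would rewrite and how; a query whose result is "not covered" here but is still resolved normally by the server points at the zone content, while a name this model marks NXDOMAIN that the server nonetheless answers (as youtube.com is in the post) points at the server's response-policy wiring rather than the zone.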
