Can't get RPZ to work in local LAN with bind9.10.3
Lee
ler762 at gmail.com
Sun Apr 1 15:54:00 UTC 2018
On 4/1/18, Mario Aeby wrote:
> Hello list,
>
> inspired by Brian Krebs’ article
>
> Omitting the “o” in .com Could Be Costly
> https://krebsonsecurity.com/2018/03/omitting-the-o-in-com-could-be-costly/
>
> this weekend I set out to reconfigure BIND running in my local network to
> prevent resolving any domain with a «cm» TLD (and, based on further
> research, a few others known for phishing and spreading malware).
>
> Unfortunately, I can’t make RPZ work at all.
I know the feeling :(
This is what I have in named.conf for RPZ:
options {
    ...
    response-policy { zone "rpz.zone" log yes; } break-dnssec yes
        recursive-only no;
    ...
};
zone "rpz.zone" { type master; notify no; file "ZONES/rpz.zone"; };
# Response Policy Zone (RPZ) - aka DNS Firewall
# official docs are useless so use this
# http://zytrax.com/books/dns/ch7/rpz.html
and I just added this bit to ZONES/rpz.zone:
; kill the whole domain
*.cm        CNAME .
; except for
*.cnn.cm    CNAME rpz-passthru.
C:\Users\Lee>nslookup
> www.aol.cm.
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find www.aol.cm: NXDOMAIN
> www.cnn.cm.
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: www.cnn.cm
Address: 165.160.15.20
Name: www.cnn.cm
Address: 165.160.13.20
> hulu.cm.
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find hulu.cm: NXDOMAIN
> www.hulu.cm.
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find www.hulu.cm: NXDOMAIN
>
although... if you want to block the whole domain, why not just block it?
resolv.conf gets this line
zone "cm" { type master; notify no; file "ZONES/null.zone"; };
and ZONES/null.zone looks like
; null.zone
; return NXDOMAIN for any name lookup in this zone
$TTL 1d
@   IN SOA localhost. admin.home. (
        2017010100 ; Serial
        6h         ; Refresh
        15         ; Retry
        1d         ; Expire
        1h )       ; Minimum
    IN NS localhost.
Regards,
Lee
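The lookup order that lets the two records in Lee's zone coexist (the more specific `*.cnn.cm` passthru wins over the `*.cm` block), as an added Python model that is not part of the post or of BIND; it mimics the RPZ QNAME-trigger search (exact owner first, then wildcards from the most specific suffix outward) and the fixed CNAME targets that encode actions, and it also shows that `*.cm` alone does not catch a query for the bare `cm` label, which is one reason Lee's separate `zone "cm"` approach catches more.

```python
"""Constructed model of RPZ QNAME-trigger matching (illustration only, not
BIND's code). Records use the 3-field 'owner CNAME target' form from the post."""

# RPZ encodes the action in the CNAME target; these names are fixed by the spec.
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
           "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}

def parse_triggers(zone_text):
    """Return {owner: target} for the CNAME records in an RPZ zone body."""
    triggers = {}
    for line in zone_text.splitlines():
        line = line.split(";")[0].strip()          # drop ';' comments
        if not line:
            continue
        owner, rtype, target = line.split()
        if rtype.upper() == "CNAME":
            triggers[owner.lower()] = target.lower()
    return triggers

def lookup(qname, triggers):
    """Return (matched_owner, action), or (None, 'no-match') for a query name."""
    labels = qname.lower().rstrip(".").split(".")
    candidates = [".".join(labels)]                       # exact owner first
    # wildcard owners for each enclosing domain, most specific first:
    # for www.cnn.cm that is *.cnn.cm before *.cm, so the passthru wins
    candidates += ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for owner in candidates:
        if owner in triggers:
            target = triggers[owner]
            # any other target is local data: answer with that CNAME
            return owner, ACTIONS.get(target, "LOCAL-DATA " + target)
    return None, "no-match"

# constructed sample body: the same two records Lee added to ZONES/rpz.zone
RPZ_BODY = """
; kill the whole domain
*.cm CNAME .
; except for
*.cnn.cm CNAME rpz-passthru.
"""
TRIGGERS = parse_triggers(RPZ_BODY)

if __name__ == "__main__":
    for q in ("www.aol.cm.", "www.cnn.cm.", "hulu.cm.", "cm.", "www.example.com."):
        print(q, lookup(q, TRIGGERS))
```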