Queries related to RPZ

Tue Apr 17 03:22:05 UTC 2018

Hi All,

I am building DNS RPZ and I am complete no-vice. I will be having around
10-20k zones which my DNS will be wallgardening.

Just wondering how this can be done with DNZ RPZ? Since the zones has to be
included in named.conf.

Plus I am practising DNZ RPZ on my test server and its failing. Can someone
please guide? Am I making any mistake here?

options {
        listen-on port 53 { 127.0.0.1; any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.5.0/24;};
        response-policy { zone "google.com"; };

zone "google.com" IN {
        type master;
        file "rpz.file.db";
        };

*****************************************

[root at dnzrpz.isn.in /var/named]# more rpz.file.db
$TTL    1D
@       IN      SOA     ns1.google.com. root.google.com. (
                                        2       ;
                                        1D      ;
                                        1H      ;
                                        1W      ;
                                        3H )    ;
@       IN      NS      ns1.google.com.
@       IN      A       3.3.3.3

google.com      IN      CNAME   @
www.google.com  IN      CNAME   @

********************************

[root at dnzrpz.isn.in /var/named]# systemctl status named.service -l
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor
preset: disabled)
   Active: failed (Result: exit-code) since Tue 2018-04-17 08:50:55 IST;
31s ago
  Process: 937 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" ==
"yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo
"Checking of zone files is disabled"; fi (code=exited, status=1/FAILURE)

*Apr 17 08:50:55 dnzrpz.isn.in <http://dnzrpz.isn.in> bash[937]:
_default/google.com/IN <http://google.com/IN>: bad zone*
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: zone localhost.localdomain/IN:
loaded serial 0
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: zone localhost/IN: loaded serial 0
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: zone
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:
loaded serial 0
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: zone 1.0.0.127.in-addr.arpa/IN:
loaded serial 0
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: zone 0.in-addr.arpa/IN: loaded
serial 0
Apr 17 08:50:55 dnzrpz.isn.in systemd[1]: named.service: control process
exited, code=exited status=1
Apr 17 08:50:55 dnzrpz.isn.in systemd[1]: Failed to start Berkeley Internet
Name Domain (DNS).
Apr 17 08:50:55 dnzrpz.isn.in systemd[1]: Unit named.service entered failed
state.
Apr 17 08:50:55 dnzrpz.isn.in systemd[1]: named.service failed.
[root at dnzrpz.isn.in /var/named]#
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20180417/3144e7a1/attachment.html>