Queries related to RPZ
Blason R
blason16 at gmail.com
Tue Apr 17 03:22:05 UTC 2018
Hi All,
I am building DNS RPZ and I am a complete novice. I will be having around 10-20k zones which my DNS will be walled-gardening.
Just wondering how this can be done with DNS RPZ, since the zones have to be included in named.conf.
Plus I am practising DNS RPZ on my test server and it's failing. Can someone please guide? Am I making any mistake here?
options {
listen-on port 53 { 127.0.0.1; any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 192.168.5.0/24;};
response-policy { zone "google.com"; };
};
zone "google.com" IN {
type master;
file "rpz.file.db";
};
*****************************************
[root@dnzrpz.isn.in /var/named]# more rpz.file.db
$TTL 1D
@ IN SOA ns1.google.com. root.google.com. (
2 ;
1D ;
1H ;
1W ;
3H ) ;
@ IN NS ns1.google.com.
@ IN A 3.3.3.3
google.com IN CNAME @
www.google.com IN CNAME @
********************************
[root@dnzrpz.isn.in /var/named]# systemctl status named.service -l
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2018-04-17 08:50:55 IST; 31s ago
Process: 937 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=1/FAILURE)
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: _default/google.com/IN: bad zone
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: zone localhost.localdomain/IN: loaded serial 0
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: zone localhost/IN: loaded serial 0
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: zone 0.in-addr.arpa/IN: loaded serial 0
Apr 17 08:50:55 dnzrpz.isn.in systemd[1]: named.service: control process exited, code=exited status=1
Apr 17 08:50:55 dnzrpz.isn.in systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
Apr 17 08:50:55 dnzrpz.isn.in systemd[1]: Unit named.service entered failed state.
Apr 17 08:50:55 dnzrpz.isn.in systemd[1]: named.service failed.
[root@dnzrpz.isn.in /var/named]#
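An added example, not part of the original post: a small Python generator that turns a list of domains into one BIND RPZ policy zone, which is how thousands of walled-garden domains are normally covered with a single zone statement in named.conf rather than a zone per domain. The policy zone name rpz.local, the nameserver name localhost., the landing host walledgarden.example. and the sample domains are assumptions; the generated file is loaded by an ordinary zone statement for rpz.local that is also listed in response-policy.

```python
import re

# Assumed names (not from the original post): the policy zone's origin, an out-of-zone
# nameserver name (so no glue A record is needed) and the landing host for blocked names.
RPZ_ORIGIN = "rpz.local"
RPZ_NS = "localhost."
WALLED_GARDEN = "walledgarden.example."

# One hostname label: 1-63 chars of [a-z0-9-], not starting or ending with '-'
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalise(name):
    return name.strip().lower().rstrip(".")

def valid_domain(name):
    """Accept only syntactically valid multi-label hostnames; RPZ owner names are
    ordinary DNS names, so one malformed line would stop the whole zone loading."""
    name = normalise(name)
    labels = name.split(".")
    return 0 < len(name) <= 253 and len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels)

def rpz_records(domain, target=WALLED_GARDEN):
    """QNAME trigger for the domain itself plus a wildcard for everything under it.
    Owner names are relative to the RPZ origin: 'example.com' becomes
    example.com.rpz.local, which is how RPZ QNAME triggers are keyed."""
    d = normalise(domain)
    return [f"{d}\tIN\tCNAME\t{target}", f"*.{d}\tIN\tCNAME\t{target}"]

def build_rpz_zone(domains, serial, origin=RPZ_ORIGIN, ns=RPZ_NS, target=WALLED_GARDEN):
    """Return (zone_text, rejected_lines) for a whole domain list: comments and
    duplicates are dropped, malformed names are reported instead of written."""
    seen, rejected, body = set(), [], []
    for raw in domains:
        d = normalise(raw)
        if not d or d.startswith("#"):
            continue
        if not valid_domain(d):
            rejected.append(raw)
            continue
        if d not in seen:
            seen.add(d)
            body.extend(rpz_records(d, target))
    header = [
        f"$ORIGIN {origin}.",
        "$TTL 300",  # short TTL so policy changes propagate quickly
        f"@\tIN\tSOA\t{ns} hostmaster.{origin}. ( {serial} 3600 600 86400 300 )",
        f"@\tIN\tNS\t{ns}",
    ]
    return "\n".join(header + body) + "\n", rejected
```

Write the returned text to the file named in the rpz.local zone statement and run named-checkzone rpz.local on it before reloading, so a single malformed entry cannot take the resolver down the way the "bad zone" above did.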