Queries related to RPZ
Blason R
blason16 at gmail.com
Tue Apr 17 12:22:01 UTC 2018
Correct, and that's what my confusion is.
So, file "zone/test.rpz.dotat.at" will hold all my wall-gardened zones?
And I just need to keep adding my domain list in that?
On Tue, Apr 17, 2018 at 5:16 PM, Tony Finch <dot at dotat.at> wrote:
> Blason R <blason16 at gmail.com> wrote:
> >
> > I am building DNS RPZ and I am a complete novice. I will be having around
> > 10-20k zones which my DNS will be wallgardening.
> >
> > Just wondering how this can be done with DNS RPZ? Since the zones have to be
> > included in named.conf.
>
> It sounds to me like you are getting muddled up between the old pre-RPZ
> way of blocking domains, and the way to do it with RPZ.
>
> The old way was to configure a local authoritative zone which would catch
> queries for a domain that you wanted to block - if you wanted tens of
> thousands of blocks you needed tens of thousands of local zones. Not much
> fun.
>
> The RPZ way only requires one zone, and each blocked domain is an entry in
> that zone. A zone with tens of thousands of records is easy.
>
> So, for example, my named.conf includes:
>
> # ...
> response-policy {
>     zone "test.rpz.dotat.at";
> }
>     break-dnssec yes
>     max-policy-ttl 5m
>     qname-wait-recurse no
> ;
> # ...
> zone test.rpz.dotat.at {
>     type master;
>     file "zone/test.rpz.dotat.at";
>     masterfile-format raw;
>     update-policy local;
> };
> # ...
>
> And in the zone file:
>
> $ORIGIN test.rpz.dotat.at.
> $TTL 3600
> @               IN SOA  grey.dotat.at. dot.dotat.at. (
>                         69 3600 3600 604800 3600 )
>                 NS      grey.dotat.at.
> badguy.com      CNAME   .
> *.badguy.com    CNAME   .
> pills.biz       CNAME   .
> *.pills.biz     CNAME   .
> ; more blocked domains...
>
> Tony.
> --
> f.anthony.n.finch <dot at dotat.at> http://dotat.at/
> partnership and community in all areas of life
>
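
Added example, not part of the original thread: one way to maintain the single policy zone described above from a plain domain list, written in Python. The zone and SOA names are copied from the quoted zone file; the sample list, the serial 70 and the function names are constructed for illustration.

```python
"""Added example: build RPZ records for one policy zone from a domain list.
Zone and SOA names follow the quoted zone file; sample data is constructed."""
import re

ORIGIN = "test.rpz.dotat.at"
LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")

def normalize(line):
    """Return a clean lower-case domain, or None for blanks, comments and junk."""
    name = line.split("#", 1)[0].strip().lower().rstrip(".")
    # Refuse empty and single-label names so a typo cannot block a whole TLD.
    if "." not in name:
        return None
    if not all(LABEL.match(label) for label in name.split(".")):
        return None
    # Owner "*.<domain>.<origin>." must fit in 255 octets in wire format.
    if len(f"*.{name}.{ORIGIN}") + 2 > 255:
        return None
    return name

def covered(name, blocked):
    """True if a parent domain is already listed, so its wildcard record applies."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in blocked for i in range(1, len(parts)))

def build_zone(lines, serial):
    """Return (kept domains, zone text) with one exact and one wildcard record each."""
    names = {n for n in map(normalize, lines) if n}
    keep = sorted(n for n in names if not covered(n, names))
    out = [f"$ORIGIN {ORIGIN}.", "$TTL 3600",
           f"@ IN SOA grey.dotat.at. dot.dotat.at. ( {serial} 3600 3600 604800 3600 )",
           "  NS grey.dotat.at."]
    for n in keep:
        # Relative owner names (no trailing dot) stay inside the policy zone.
        out.append(f"{n} CNAME .")
        out.append(f"*.{n} CNAME .")
    return keep, "\n".join(out) + "\n"

# Constructed sample input: duplicates, mixed case, comments and a malformed entry.
SAMPLE = ["badguy.com", "WWW.BadGuy.com.", "pills.biz  # spam", "",
          "# comment", "bad domain.example", "pills.biz"]

if __name__ == "__main__":
    print(build_zone(SAMPLE, 70)[1])
```

The quoted named.conf uses `masterfile-format raw`, so text output like this would have to be converted first (for example with `named-compilezone -F raw`) or the zone loaded in text format.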