RPZ and DNS traffic on the server
Alex K
rightkicktech at gmail.com
Tue Feb 12 13:50:29 UTC 2019
Hi all,
I have an RPZ setup to whitelist several domains.
The issue I am facing is that, even though domains are blocked, the caching
DNS server still proceeds to resolve the domain. The behaviour that I was
hoping to see is the server not bothering to resolve the domain if the RPZ
policy replies with NXDOMAIN (domain does not exist).
The BIND I am running is 9.10.3.
I have the following configuration:
options {
    directory "/var/cache/bind";
    allow-recursion { localhost; auth; };
    allow-query { localhost; };
    allow-transfer { "none"; };
    querylog yes;
    forwarders {
        208.67.222.222;
        208.67.220.220;
    };
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
};

view "lan" {
    match-clients { lan; };
    allow-query-cache { localhost; lan; };
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
};
"lan" and "auth" are defined ACLs.
The RPZ policies and zones are loaded from /etc/bind/named.conf.local, as
below:
// policy zones are searched in the listed order; the first match wins
response-policy { zone "rpz-whitelist-lan"; zone "rpz-blackhole"; };

zone "rpz-whitelist-lan" {
    type master;
    file "/var/cache/bind/rpz-whitelist-lan.db";
    allow-query { none; };
    allow-transfer { none; };
};

zone "rpz-blackhole" {
    type master;
    file "/var/cache/bind/rpz-blackhole.db";
    allow-query { none; };
    allow-transfer { none; };
};
The content of the rpz-whitelist-lan zone is:
$TTL 1
@       IN  SOA localhost. root.localhost. (
            2019021107  ; Serial
            3H          ; Refresh
            1H          ; Retry
            1W          ; Expire
            60 )        ; Negative Cache TTL
        IN  NS  localhost.
; whitelist: rpz-passthru means "answer normally, apply no further policy"
google.com  IN  CNAME   rpz-passthru.
eset.com    IN  CNAME   rpz-passthru.
while the content of the rpz-blackhole is:
$TTL 60
@       IN  SOA localhost. root.localhost. (
            2019021107  ; serial
            3H          ; refresh
            1H          ; retry
            1W          ; expiry
            1H )        ; minimum
        IN  NS  localhost.
; CNAME . is the RPZ NXDOMAIN action, applied to every name not matched earlier
*       CNAME   .
The configuration is OK, and the whitelisting is functioning as expected,
but I see that the DNS server still generates DNS traffic when querying
domains that are not listed in the whitelist, while the client correctly
receives "domain does not exist".
Is this expected behaviour? Is there any way to make the server avoid
proceeding with the resolution when the initial client request is
blocked?
Thanx,
Alex
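Added example, not part of the original post: the same two policy zones, with the response-policy statement extended by the qname-wait-recurse option. By default BIND completes recursion before applying RPZ rules, which is the upstream traffic described above. With qname-wait-recurse set to no, rules triggered by the query name (such as the blackhole wildcard) are applied before recursion starts, so a name that ends up NXDOMAIN never reaches the forwarders. The option exists in BIND 9.10 and later; everything else here is taken from the post.

```conf
// Replacement for the response-policy line in /etc/bind/named.conf.local.
// Zone names and files are those from the post; the only change is the
// trailing option. Requires BIND 9.10 or later.
response-policy {
    zone "rpz-whitelist-lan";   // checked first: rpz-passthru names resolve normally
    zone "rpz-blackhole";       // checked second: everything else gets NXDOMAIN
} qname-wait-recurse no;
```

Only QNAME-triggered rules benefit from this; IP, NSIP and NSDNAME triggers need the resolution data and still require recursion. To confirm the effect, query a non-whitelisted name with querylog enabled (as in the options block above) and watch port 53 traffic toward 208.67.222.222 and 208.67.220.220: the client query should be logged and answered NXDOMAIN with no matching outbound query to the forwarders.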