Can't get RPZ to work in local LAN with bind9.10.3
Mario Aeby
private at eMeidi.com
Sun Apr 1 13:08:35 UTC 2018
Hello list,
inspired by Brian Krebs’ article
Omitting the “o” in .com Could Be Costly
https://krebsonsecurity.com/2018/03/omitting-the-o-in-com-could-be-costly/
this weekend I set out to reconfigure BIND running in my local network to prevent resolving any domain with a «cm» TLD (and, based on further research, a few others known for phishing and spreading malware).
Unfortunately, I can't make RPZ work at all.
System:
Linux HOSTNAME 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux
/etc/debian_version: 9.4
BIND
dpkg --list | grep -i bind9
ii bind9 1:9.10.3.dfsg.P4-12.3+deb9u4 amd64 Internet Domain Name Server
To further debug the problem and not accidentally kill DNS resolving in the household, I set up BIND on a second server (similar OS configuration as stated above, but with a bare minimum BIND configuration to exclude conflicts with advanced configuration options) in the same LAN.
Symptoms (on both servers)
* All queries are logged in /var/log/named/queries.log
* The RPZ log at /var/log/named/rpz.log stays empty no matter what queries I place which should be caught by RPZ
* When using «allow-query { any; };» in the RPZ zone definition I can successfully query BIND for predefined domains (e.g. youtube.com.rpz) and it returns the intended result (ie. the sinkhole address in the local network)
* When querying youtube.com, BIND resolves it to the public and correct address (since I have not configured any forwarders in BIND itself, I assume it uses the production DNS at 10.12.34.12 defined in /etc/resolv.conf (?))
Some log excerpts, if of any use:
default.log
01-Apr-2018 14:39:39.154 general: info: managed-keys-zone: loaded serial 0
01-Apr-2018 14:39:39.163 general: info: zone rpz/IN: loaded serial 2018040103
01-Apr-2018 14:39:39.163 general: notice: all zones loaded
01-Apr-2018 14:39:39.163 general: notice: running
01-Apr-2018 14:39:49.130 general: info: received control channel command 'flush'
01-Apr-2018 14:39:49.130 general: info: flushing caches in all views succeeded
01-Apr-2018 15:01:46.451 general: info: received control channel command 'dumpdb -all'
01-Apr-2018 15:01:46.451 general: info: dumpdb started: -all
01-Apr-2018 15:01:46.673 general: info: dumpdb complete
queries.log
01-Apr-2018 14:31:17.436 queries: info: client 10.12.34.102#59664 (youtube.com): query: youtube.com IN A +E (10.12.34.11)
01-Apr-2018 14:37:38.574 queries: info: client 10.12.34.102#54125 (youtube.com): query: youtube.com IN A +E (10.12.34.11)
01-Apr-2018 14:37:47.381 queries: info: client 10.12.34.102#57566 (youtube.com.rpz): query: youtube.com.rpz IN A +E (10.12.34.11)
01-Apr-2018 14:39:53.181 queries: info: client 10.12.34.102#58174 (youtube.com.rpz): query: youtube.com.rpz IN A +E (10.12.34.11)
01-Apr-2018 14:39:58.196 queries: info: client 10.12.34.102#61735 (youtube.com): query: youtube.com IN A +E (10.12.34.11)
01-Apr-2018 14:50:02.495 queries: info: client 10.12.34.102#57401 (youtube.com): query: youtube.com IN A +E (10.12.34.11)
01-Apr-2018 14:50:32.661 queries: info: client 10.12.34.102#62122 (youtube.com.rpz): query: youtube.com.rpz IN A +E (10.12.34.11)
rndc -c /etc/rndc.conf dumpdb -all
cat /named_dump.db
...
; Zone dump of 'rpz/IN'
;
rpz. 60 IN SOA localhost. root.localhost. 2018040103 60 60 60 60
rpz. 60 IN NS localhost.
rpz. 60 IN A 10.12.34.11
google.com.rpz. 60 IN A 10.12.34.12
youtube.com.rpz. 60 IN CNAME .
...
This is the (minimal) configuration on my test server:
named.conf
logging {
channel default {
file "/var/log/named/default.log";
//severity debug 3;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
category default { default; };
channel queries {
file "/var/log/named/queries.log";
//severity debug 3;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
category queries { queries; };
channel rpz-queries {
file "/var/log/named/rpz.log";
severity debug 3;
//severity info;
print-time yes;
print-severity yes;
print-category yes;
};
category rpz { rpz-queries; };
};
key "rndc-key" {
algorithm hmac-md5;
secret "S1KR1T";
};
controls {
inet * port 953
allow { 127.0.0.1; 10.12.34.11; } keys { "rndc-key"; };
};
zone "rpz" {
type master;
file "/etc/bind/zones/rpz.dns";
//allow-query { none; };
allow-query { any; };
};
named.conf.local
EMPTY
named.conf.options
options {
response-policy { zone "rpz"; };
};
zones/rpz.dns
$TTL 60
@ IN SOA localhost. root.localhost. (
2018040103 ; Serial number
60 ; Refresh
60 ; Retry
60 ; Expire
60 ) ; Minimum TTL
@ IN NS localhost.
@ IN A 10.12.34.11
youtube.com CNAME . ; RPZ action: NXDOMAIN
google.com A 10.12.34.12 ; RPZ action: local data (sinkhole address)
Resolving examples
$ dig youtube.com @10.12.34.11
; <<>> DiG 9.10.6 <<>> youtube.com @10.12.34.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29841
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;youtube.com. IN A
;; ANSWER SECTION:
youtube.com. 300 IN A 172.217.19.174
;; AUTHORITY SECTION:
youtube.com. 172196 IN NS ns1.google.com.
youtube.com. 172196 IN NS ns2.google.com.
youtube.com. 172196 IN NS ns3.google.com.
youtube.com. 172196 IN NS ns4.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 172196 IN A 216.239.32.10
ns1.google.com. 172196 IN AAAA 2001:4860:4802:32::a
ns2.google.com. 172196 IN A 216.239.34.10
ns2.google.com. 172196 IN AAAA 2001:4860:4802:34::a
ns3.google.com. 172196 IN A 216.239.36.10
ns3.google.com. 172196 IN AAAA 2001:4860:4802:36::a
ns4.google.com. 172196 IN A 216.239.38.10
ns4.google.com. 172196 IN AAAA 2001:4860:4802:38::a
;; Query time: 18 msec
;; SERVER: 10.12.34.11#53(10.12.34.11)
;; WHEN: Sun Apr 01 14:50:02 CEST 2018
;; MSG SIZE rcvd: 311
$ dig youtube.com.rpz @10.12.34.11
; <<>> DiG 9.10.6 <<>> youtube.com.rpz @10.12.34.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38286
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;youtube.com.rpz. IN A
;; ANSWER SECTION:
youtube.com.rpz. 60 IN CNAME .
;; AUTHORITY SECTION:
. 10161 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2018033101 1800 900 604800 86400
;; Query time: 0 msec
;; SERVER: 10.12.34.11#53(10.12.34.11)
;; WHEN: Sun Apr 01 14:50:32 CEST 2018
;; MSG SIZE rcvd: 132
Thank you for your support
Best regards,
Mario
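The following is an added example, not code from the original post. It models how BIND's RPZ QNAME triggers map a query name to a policy action, using a constructed zone that contains the posted records plus the entries a `.cm` block needs. Two points it makes visible: `youtube.com CNAME .` alone does not cover `www.youtube.com` (a separate `*.youtube.com` entry is needed), and a wildcard never matches its own apex, so blocking a TLD takes both `cm` and `*.cm`. Only QNAME triggers are modelled (no IP, NSDNAME, NSIP or CLIENT-IP triggers), and wildcard lookup is simplified to "nearest ancestor wildcard wins"; the zone content, the `ok.cm` exception and the `nodata.test` name are assumptions for illustration.

```python
"""Evaluate BIND RPZ QNAME triggers from a policy zone file (added example).

Parses a zone file of the kind shown in the post and reports which policy
action a query name would receive. Only QNAME triggers are modelled, and
wildcard matching is simplified to "nearest ancestor wildcard wins".
"""

# Constructed sample zone: the posted records plus the entries a TLD block
# needs. Owner names are relative to the policy zone apex ("rpz").
RPZ_ZONE = """\
$TTL 60
@ IN SOA localhost. root.localhost. (
        2018040104 ; Serial
        60 60 60 60 )
@ IN NS localhost.
@ IN A 10.12.34.11
youtube.com  CNAME .                ; NXDOMAIN
google.com   A     10.12.34.12      ; local data (sinkhole)
cm           CNAME .                ; the TLD itself
*.cm         CNAME .                ; every name under the TLD
ok.cm        CNAME rpz-passthru.    ; hypothetical exception; exact match wins
nodata.test  CNAME *.               ; NODATA
"""

# Special CNAME targets defined by RPZ and the action each encodes.
SPECIAL_TARGETS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}


def _records(text):
    """Yield whitespace-split records; joins multi-line '( ... )' RRs."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf).split()
            buf, depth = [], 0


def parse_rpz_zone(text):
    """Return {owner: (rtype, rdata)} for the QNAME triggers in a policy zone."""
    triggers = {}
    for tokens in _records(text):
        if tokens[0].startswith("$") or tokens[0] == "@":
            continue                              # directives and apex records
        owner = tokens[0].lower().rstrip(".")
        rest = tokens[1:]
        while rest and (rest[0].upper() == "IN" or rest[0].isdigit()):
            rest = rest[1:]                       # optional class and TTL
        if len(rest) < 2:
            raise ValueError("malformed record: %r" % (tokens,))
        triggers[owner] = (rest[0].upper(), " ".join(rest[1:]))
    return triggers


def rpz_action(triggers, qname):
    """Return (action, matched_trigger, local_rdata) for a query name.

    Lookup order: the exact owner name, then '*.<ancestor>' from the nearest
    ancestor outward. A wildcard never matches the ancestor itself, which is
    why a TLD block needs both 'cm' and '*.cm'.
    """
    name = qname.lower().rstrip(".")
    labels = name.split(".")
    candidates = [name] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        if cand in triggers:
            rtype, rdata = triggers[cand]
            if rtype == "CNAME" and rdata.lower() in SPECIAL_TARGETS:
                return SPECIAL_TARGETS[rdata.lower()], cand, None
            return "LOCAL-DATA", cand, "%s %s" % (rtype, rdata)
    return "PASSTHRU", None, None                 # no policy: resolve normally


def missing_tld_block(triggers, tld):
    """Entries a TLD block still lacks: the TLD apex and its wildcard."""
    tld = tld.lower().strip(".")
    return [n for n in (tld, "*." + tld) if n not in triggers]


if __name__ == "__main__":
    t = parse_rpz_zone(RPZ_ZONE)
    for q in ("youtube.com", "www.youtube.com", "google.com", "cm",
              "paypal.cm", "ok.cm", "nodata.test", "example.org"):
        print("%-16s -> %s" % (q, rpz_action(t, q)))
    print("missing for .cm:", missing_tld_block(t, "cm"))
```

The same evaluator run over the posted zone (only `youtube.com` and `google.com`) reports both `cm` and `*.cm` as missing, so even a working RPZ setup would not yet block the TLD the post set out to block. On the live server, `named-checkconf -p` prints the configuration as named actually parsed it, which is a quick way to confirm that the `response-policy` statement from named.conf.options really reaches the running instance before debugging the zone content itself.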