| From | Daniel Stirnimann <daniel.stirnimann@switch.ch> |
|---|---|
| Newsgroups | comp.protocols.dns.bind |
| Subject | Re: scripts-to-block-domains |
| Date | 2020-07-14 08:24 +0200 |
| Message-ID | <mailman.705.1594707873.942.bind-users@lists.isc.org> (permalink) |
| References | <117301d658e1$0f6966a0$2e3c33e0$@cyberia.net.sa> <7f14c6fc-804e-bca2-96f0-eb4c71d088e1@tnetconsulting.net> <134f01d659a5$3cbf3c50$b63db4f0$@cyberia.net.sa> <5035726e-9134-8a55-ec0d-66987b9b4057@switch.ch> |
Hello Mohammed,
I don't see that you specified a "response-policy" [1] statement. You
need something like this as well:

    response-policy {
        zone "rpz.local" policy given;
    }
    // Apply RPZ policy to DNSSEC signed zones
    break-dnssec yes;

[1] https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/html/reference.html#response-policy-zone-rpz-rewriting
Daniel
On 14.07.20 08:08, MEjaz wrote:
> Hello all,
>
> Thanks for everyone's contribution. I use RPZ and listed 5000 forged
> domains to block in a particular zone without having additional
> zones, I hope that's the feature of RPZ. Seems good.
>
> Below is a snippet for your review for the zone and file db.rpz.local
> which was copied from the default named.empty.
>
>     zone "rpz.local" {
>         type master;
>         file "db.rpz.local";
>         allow-query { localhost; };
>     };
>
> Once this configuration is done I am expecting that whoever queried our
> name server for a zone which is listed in my DNS server should not allow
> users to fetch any records as recursive from outside servers; it should
> serve from the internal servers only?
>
> When I test my configuration with one of the hosted domains in my list,
> i.e. doubleclick.net, I got all the results rather than throwing an
> error. Please correct me if I am wrong.
>
> Here are the logs.
>
>     [root@ns20 ~]# tailf /var/log/named/rpz.log
>     14-Jul-2020 06:49:53.582 rpz: info: client 212.71.32.20#38120: rpz QNAME NXDOMAIN rewrite test.doubleclick.net via test.doubleclick.net.rpz.local
>     14-Jul-2020 06:49:55.370 rpz: info: client 213.210.231.227#26654: rpz QNAME NXDOMAIN rewrite securepubads.g.doubleclick.net via securepubads.g.doubleclick.net.rpz.local
>     14-Jul-2020 06:50:04.445 rpz: info: client 212.71.32.20#48178: rpz QNAME NXDOMAIN rewrite mail.doubleclick.net via mail.doubleclick.net.rpz.local
>     14-Jul-2020 06:50:09.079 rpz: info: client 213.210.231.227#16492: rpz QNAME NXDOMAIN rewrite stats.g.doubleclick.net via stats.g.doubleclick.net.rpz.local
>     14-Jul-2020 06:52:07.353 rpz: info: client 213.210.253.163#58635: rpz QNAME NXDOMAIN rewrite stats.l.doubleclick.net via stats.l.doubleclick.net.rpz.local
>     14-Jul-2020 06:52:25.272 rpz: info: client 213.210.253.163#57975: rpz QNAME NXDOMAIN rewrite pagead.l.doubleclick.net via pagead.l.doubleclick.net.rpz.local
>     14-Jul-2020 06:55:03.973 rpz: info: client 213.181.164.207#31366: rpz QNAME NXDOMAIN rewrite googleads.g.doubleclick.net via googleads.g.doubleclick.net.rpz.local