| From | Daniel Stirnimann <daniel.stirnimann@switch.ch> |
|---|---|
| Newsgroups | comp.protocols.dns.bind |
| Subject | Re: scripts-to-block-domains |
| Date | Tue, 14 Jul 2020 08:24:46 +0200 |
| Message-ID | <mailman.705.1594707873.942.bind-users@lists.isc.org> |

Hello Mohammed,

I don't see that you specified a "response-policy" [1] statement. You
need something like this as well:

    response-policy {
        zone "rpz.local" policy given;
    }
    // Apply RPZ policy to DNSSEC signed zones
    break-dnssec yes;

[1]
https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/html/reference.html#response-policy-zone-rpz-rewriting

Daniel

On 14.07.20 08:08, MEjaz wrote:
> Hello all,
>
> Thanks for everyone’s contribution. I use RPZ and listed 5000 forged
> domains to block in a particular zone without having additional
> zones. I hope that’s the feature of RPZ. Seems good.
>
> Below is a snippet for your review for the zone and file db.rpz.local,
> which was copied from the default named.empty.
>
> zone "rpz.local" {
>     type master;
>     file "db.rpz.local";
>     allow-query { localhost; };
> };
>
> Once this configuration is done I am expecting that whoever queried our
> name server for a zone which is listed in my DNS server should not allow
> users to fetch any records as recursive from outside servers; it should
> serve from the internal servers only?
>
> When I test my configuration with one of the hosted domains in my list,
> i.e. doubleclick.net, I got all the results rather than throwing an
> error. Please correct me if I am wrong.
>
> Here are the logs.
>
>
>
> [root@ns20 ~]# tailf /var/log/named/rpz.log
>
> 14-Jul-2020 06:49:53.582 rpz: info: client 212.71.32.20#38120: rpz QNAME
> NXDOMAIN rewrite test.doubleclick.net via test.doubleclick.net.rpz.local
>
> 14-Jul-2020 06:49:55.370 rpz: info: client 213.210.231.227#26654: rpz
> QNAME NXDOMAIN rewrite securepubads.g.doubleclick.net via
> securepubads.g.doubleclick.net.rpz.local
>
> 14-Jul-2020 06:50:04.445 rpz: info: client 212.71.32.20#48178: rpz QNAME
> NXDOMAIN rewrite mail.doubleclick.net via mail.doubleclick.net.rpz.local
>
> 14-Jul-2020 06:50:09.079 rpz: info: client 213.210.231.227#16492: rpz
> QNAME NXDOMAIN rewrite stats.g.doubleclick.net via
> stats.g.doubleclick.net.rpz.local
>
> c14-Jul-2020 06:52:07.353 rpz: info: client 213.210.253.163#58635: rpz
> QNAME NXDOMAIN rewrite stats.l.doubleclick.net via
> stats.l.doubleclick.net.rpz.local
>
> 14-Jul-2020 06:52:25.272 rpz: info: client 213.210.253.163#57975: rpz
> QNAME NXDOMAIN rewrite pagead.l.doubleclick.net via
> pagead.l.doubleclick.net.rpz.local
>
> 14-Jul-2020 06:55:03.973 rpz: info: client 213.181.164.207#31366: rpz
> QNAME NXDOMAIN rewrite googleads.g.doubleclick.net via
> googleads.g.doubleclick.net.rpz.local
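
Added example, not part of the thread or of BIND: a generator that turns a domain blocklist into the contents of db.rpz.local, emitting an apex and a wildcard `CNAME .` (NXDOMAIN) record per domain so subdomains are covered too. The function names, SOA/NS values and sample domains are assumptions; the zone name follows the thread, and the zone only takes effect once it is referenced by the response-policy statement shown above.

```python
import re
from datetime import date

# Hypothetical helper names. Zone name "rpz.local" follows the thread;
# SOA/NS values and the sample domains below are constructed.
LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")


def normalize(domain):
    """Lower-case and strip the trailing dot; return None unless it is a plain hostname.

    Blocklist feeds are untrusted input: rejecting whitespace, '$', ';' and
    newlines keeps directives such as $INCLUDE out of the generated zone file.
    """
    name = domain.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or len(name) > 253:
        return None
    return name if all(LABEL.match(label) for label in labels) else None


def build_rpz_zone(domains, origin="rpz.local", serial=None):
    """Return zone-file text that answers NXDOMAIN for each domain and its subdomains."""
    serial = serial or int(date.today().strftime("%Y%m%d") + "01")
    # Deduplicate, and drop names whose wildcard owner would exceed the DNS name limit.
    names = sorted({n for n in map(normalize, domains)
                    if n and len(f"*.{n}.{origin}") <= 253})
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.localhost. ({serial} 3600 600 86400 300)",
        "@ IN NS localhost.",
    ]
    for name in names:
        # Owner names are relative to $ORIGIN; "CNAME ." is the RPZ NXDOMAIN action.
        lines.append(f"{name} IN CNAME .")
        lines.append(f"*.{name} IN CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    sample = ["doubleclick.net", "DoubleClick.net.", "bad domain", "example.invalid"]
    print(build_rpz_zone(sample, serial=2020071401))
```

Write the output to the file named in the zone statement and bump the serial on every regeneration so the server picks up the change on reload.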