noting, first: there is documentation online for DNS RPZ, see the following:
https://deepthought.isc.org/article/AA-00525/0/Building-DNS-Firewalls-with-Response-Policy-Zones-RPZ.html

second, as to the particulars:

babu dheen <[email protected]> writes:
> We are new to BIND and would like to implement RPZ in BIND. I have a
> following queries with respect to RPZ in BIND.
>
> 1. Do you have basic example/steps to configure RPZ in Bind? ( I need
> couple of examples like /etc/named.conf file and zone files for rpz

in my recursive server's named.conf file, in the options{} block, i have:

    response-policy {
        zone "dns-policy.vix.com";
        zone "rpz.surbl.org";
        zone "rpz.spamhaus.org";
        zone "block.c2.rpz.umbradata.com";
        zone "hh.c2.rpz.umbradata.com";
        zone "active.nx.rpz.iidrpz.net";
        zone "dga.nx.rpz.iidrpz.net";
    };

all but the first of these are "slave" zones that i subscribe to. the first
one is my local policy, and that zone looks like:

    $TTL 30
    @   SOA nsa.vix.com. hostmaster.vix.com. 29 3600 1800 604800 30
        NS  localhost.

    ; eric ziegast suggestions
    11.156.21.46.32.rpz-ip      CNAME   *.
    96.177.58.207.32.rpz-ip     CNAME   *.

    ; pedro bueno suggestions
    14.53.199.94.32.rpz-ip      CNAME   *.

    ; android market scammer
    softthrifty.com             CNAME   .
    *.softthrifty.com           CNAME   .

    ; spam houses
    *.verticalresponse.com      CNAME   .

    ; imports
    $INCLUDE "drop/drop.inc"
    $INCLUDE "drop/bogons.inc"

the two $INCLUDE files are generated by a perl script using data imported
from Team Cymru and Spamhaus. that method is described in a blog post at:

http://www.circleid.com/posts/using_domain_filtering_to_effect_ip_address_filtering/

drop.inc begins as follows:

    24.0.140.196.109.rpz-ip         CNAME   .
    *.140.196.109.in-addr.arpa      CNAME   .
    22.0.212.94.109.rpz-ip          CNAME   .
    *.212.94.109.in-addr.arpa       CNAME   .
    *.213.94.109.in-addr.arpa       CNAME   .
    *.214.94.109.in-addr.arpa       CNAME   .
    *.215.94.109.in-addr.arpa       CNAME   .

bogons.inc begins as follows:

    8.0.0.0.0.rpz-ip                CNAME   .
    *.0.in-addr.arpa                CNAME   .
    10.0.0.64.5.rpz-ip              CNAME   .
    *.64.5.in-addr.arpa             CNAME   .
    *.65.5.in-addr.arpa             CNAME   .
    *.66.5.in-addr.arpa             CNAME   .
    *.67.5.in-addr.arpa             CNAME   .
    *.68.5.in-addr.arpa             CNAME   .
    *.69.5.in-addr.arpa             CNAME   .

a copy of the perl script that generates these is online at:

http://nsa.vix.com/~vixie/lasso2rpz.pl

> 2. If I use RPZ, recursive DNS will contact remote RBL database for
> every DNS query?

no. all RPZ control plane information is held locally in the recursive
server. per the specification at:

https://deepthought.isc.org/article/AA-00512/0

we see this text:

    A DNS Response Policy Zone (RPZ) is a DNS zone, and as such its
    contents can be transferred between servers (DNS AXFR/IXFR), protected
    by transaction signatures (DNS TSIG), and expedited by real time change
    notifications (DNS NOTIFY), all subject to familiar DNS access
    controls. An RPZ usually does not support query access since it is
    never required for correct operation. Rather it is the zone transfer of
    RPZ content from producers to subscribers which effectively publishes
    the policy data, and it is the transferee's server configuration which
    promotes RPZ payload data into DNS control plane data.

> 3. Is it possible to download DNS RBLs locally on the DNS server
> automatically daily and then allow RPZ query locally to give malware
> domain lookup response?

yes. that is one of the intended uses of DNS RPZ.

> If you can help on this, it will be very much helpful to understand
> and implement RPZ in our enterprise.

while this discussion is on-topic for [email protected] ("here"), there is
also a mailing list specific to DNS RPZ. to subscribe, visit:

https://lists.isc.org/mailman/listinfo/dnsrpz-interest

noting, again: there is documentation online for DNS RPZ, see the following:

https://deepthought.isc.org/article/AA-00525/0/Building-DNS-Firewalls-with-Response-Policy-Zones-RPZ.html

thank you for your interest in DNS RPZ.
-- 
Paul Vixie
KI6YSY
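The drop.inc and bogons.inc fragments quoted in the post encode each blocked CIDR twice: once as an rpz-ip trigger (prefix length first, then the network octets reversed, so 24.0.140.196.109.rpz-ip is 109.196.140.0/24), and once as wildcard in-addr.arpa owner names that also suppress reverse lookups for the block. A prefix that is not octet-aligned is widened to the next octet boundary, which is why the /22 at 109.94.212.0 becomes four /24 wildcards and the /10 at 5.64.0.0 becomes 64 /16 wildcards. The script below is an added example, not the post's own code and not Vixie's lasso2rpz.pl; it assumes IPv4 only, the CNAME-to-"." (NXDOMAIN) action shown in the post, and constructed input CIDRs that were read back from the quoted records. It also decodes an rpz-ip owner name back to CIDR, which is useful when auditing what a subscribed policy zone actually blocks.

```python
"""Generate and decode BIND RPZ IPv4 trigger records (added example, not lasso2rpz.pl)."""
import ipaddress


def rpz_ip_name(cidr):
    """Encode a CIDR block as an rpz-ip trigger owner: <prefixlen>.<octets reversed>.rpz-ip.
    strict=True rejects inputs with host bits set (e.g. 109.196.140.5/24)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("this example handles IPv4 only")  # assumption: no 'zz' IPv6 form
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}.{'.'.join(reversed(octets))}.rpz-ip"


def in_addr_wildcards(cidr):
    """Wildcard in-addr.arpa owners covering the block, one per subnet at the next
    octet boundary at or above the prefix length (a /22 yields four /24 wildcards)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("this example handles IPv4 only")
    if net.prefixlen == 0:
        return ["*.in-addr.arpa"]
    aligned = -(-net.prefixlen // 8) * 8   # round prefix length up to a multiple of 8
    labels = aligned // 8                  # number of leading octets spelled out
    names = []
    for sub in net.subnets(new_prefix=aligned):
        octets = str(sub.network_address).split(".")[:labels]
        names.append(f"*.{'.'.join(reversed(octets))}.in-addr.arpa")
    return names


def rpz_records(cidrs, action="."):
    """Emit zone-file lines in the two forms drop.inc uses; action '.' means NXDOMAIN."""
    lines = []
    for cidr in cidrs:
        lines.append(f"{rpz_ip_name(cidr)} CNAME {action}")
        for owner in in_addr_wildcards(cidr):
            lines.append(f"{owner} CNAME {action}")
    return lines


def decode_rpz_ip(owner):
    """Turn an rpz-ip owner name (relative, or fully qualified with the policy zone
    appended) back into CIDR notation, for auditing a subscribed policy zone."""
    labels = owner.rstrip(".").split(".")
    idx = labels.index("rpz-ip")
    if idx < 5:
        raise ValueError(f"not an IPv4 rpz-ip owner: {owner}")
    prefixlen = int(labels[idx - 5])
    addr = ".".join(reversed(labels[idx - 4:idx]))
    return str(ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False))


if __name__ == "__main__":
    # Constructed input: the blocks that the quoted drop.inc/bogons.inc lines decode to.
    sample = ["109.196.140.0/24", "109.94.212.0/22", "0.0.0.0/8", "5.64.0.0/10"]
    for line in rpz_records(sample):
        print(line)
    print(decode_rpz_ip("24.0.140.196.109.rpz-ip.dns-policy.vix.com."))
```

Running it with the constructed sample reproduces the record shapes quoted above; feeding a real DROP list through rpz_records in place of the sample list gives an include file in the same layout, and decode_rpz_ip applied to the owner names of a transferred policy zone shows the coverage in CIDR form.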

