Hello list,

inspired by Brian Krebs’ article “Omitting the “o” in .com Could Be Costly”
https://krebsonsecurity.com/2018/03/omitting-the-o-in-com-could-be-costly/
this weekend I set out to reconfigure BIND running in my local network to prevent resolving any domain with a «cm» TLD (and, based on further research, a few others known for phishing and spreading malware). Unfortunately, I can’t make RPZ work at all.

System:
Linux HOSTNAME 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux
/etc/debian_version: 9.4

BIND:
dpkg --list | grep -i bind9
ii  bind9  1:9.10.3.dfsg.P4-12.3+deb9u4  amd64  Internet Domain Name Server

To further debug the problem and not accidentally kill DNS resolving in the household, I set up BIND on a second server (similar OS configuration as stated above, but with a bare minimum BIND configuration to exclude conflicts with advanced configuration options) in the same LAN.

Symptoms (on both servers)

* All queries are logged in /var/log/named/queries.log
* The RPZ log at /var/log/named/rpz.log stays empty no matter what queries I place which should be caught by RPZ
* When using «allow-query { any; };» in the RPZ zone definition I can successfully query BIND for predefined domains (e.g. youtube.com.rpz) and it returns the intended result (i.e. the sinkhole address in the local network)
* When querying youtube.com, BIND resolves it to the public and correct address (since I have not configured any forwarders in BIND itself, I assume it uses the production DNS at 10.12.34.12 defined in /etc/resolv.conf (?))

Some log excerpts, if of any use:

default.log
01-Apr-2018 14:39:39.154 general: info: managed-keys-zone: loaded serial 0
01-Apr-2018 14:39:39.163 general: info: zone rpz/IN: loaded serial 2018040103
01-Apr-2018 14:39:39.163 general: notice: all zones loaded
01-Apr-2018 14:39:39.163 general: notice: running
01-Apr-2018 14:39:49.130 general: info: received control channel command 'flush'
01-Apr-2018 14:39:49.130 general: info: flushing caches in all views succeeded
01-Apr-2018 15:01:46.451 general: info: received control channel command 'dumpdb -all'
01-Apr-2018 15:01:46.451 general: info: dumpdb started: -all
01-Apr-2018 15:01:46.673 general: info: dumpdb complete

queries.log
01-Apr-2018 14:31:17.436 queries: info: client 10.12.34.102#59664 (youtube.com): query: youtube.com IN A +E (10.12.34.11)
01-Apr-2018 14:37:38.574 queries: info: client 10.12.34.102#54125 (youtube.com): query: youtube.com IN A +E (10.12.34.11)
01-Apr-2018 14:37:47.381 queries: info: client 10.12.34.102#57566 (youtube.com.rpz): query: youtube.com.rpz IN A +E (10.12.34.11)
01-Apr-2018 14:39:53.181 queries: info: client 10.12.34.102#58174 (youtube.com.rpz): query: youtube.com.rpz IN A +E (10.12.34.11)
01-Apr-2018 14:39:58.196 queries: info: client 10.12.34.102#61735 (youtube.com): query: youtube.com IN A +E (10.12.34.11)
01-Apr-2018 14:50:02.495 queries: info: client 10.12.34.102#57401 (youtube.com): query: youtube.com IN A +E (10.12.34.11)
01-Apr-2018 14:50:32.661 queries: info: client 10.12.34.102#62122 (youtube.com.rpz): query: youtube.com.rpz IN A +E (10.12.34.11)

rndc -c /etc/rndc.conf dumpdb -all
cat /named_dump.db
...
; Zone dump of 'rpz/IN'
;
rpz.                60 IN SOA localhost. root.localhost. 2018040103 60 60 60 60
rpz.                60 IN NS localhost.
rpz.                60 IN A 10.12.34.11
google.com.rpz.     60 IN A 10.12.34.12
youtube.com.rpz.    60 IN CNAME .
...

This is the (minimal) configuration on my test server:

named.conf

logging {
    channel default {
        file "/var/log/named/default.log";
        //severity debug 3;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category default { default; };

    channel queries {
        file "/var/log/named/queries.log";
        //severity debug 3;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category queries { queries; };

    channel rpz-queries {
        file "/var/log/named/rpz.log";
        severity debug 3;
        //severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category rpz { rpz-queries; };
};

key "rndc-key" {
    algorithm hmac-md5;
    secret "S1KR1T";
};

controls {
    inet * port 953 allow { 127.0.0.1; 10.12.34.11; } keys { "rndc-key"; };
};

zone "rpz" {
    type master;
    file "/etc/bind/zones/rpz.dns";
    //allow-query { none; };
    allow-query { any; };
};

named.conf.local

EMPTY

named.conf.options

options {
    response-policy { zone "rpz"; };
};

zones/rpz.dns

$TTL 60
@ IN SOA localhost. root.localhost. (
        2018040103 ; Serial number
        60         ; Refresh
        60         ; Retry
        60         ; Expire
        60 )       ; Minimum TTL
@ IN NS localhost.
@ IN A 10.12.34.11
youtube.com CNAME .
google.com  A 10.12.34.12

Resolving examples

$ dig youtube.com @10.12.34.11

; <<>> DiG 9.10.6 <<>> youtube.com @10.12.34.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29841
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;youtube.com.                   IN      A

;; ANSWER SECTION:
youtube.com.            300     IN      A       172.217.19.174

;; AUTHORITY SECTION:
youtube.com.            172196  IN      NS      ns1.google.com.
youtube.com.            172196  IN      NS      ns2.google.com.
youtube.com.            172196  IN      NS      ns3.google.com.
youtube.com.            172196  IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.         172196  IN      A       216.239.32.10
ns1.google.com.         172196  IN      AAAA    2001:4860:4802:32::a
ns2.google.com.         172196  IN      A       216.239.34.10
ns2.google.com.         172196  IN      AAAA    2001:4860:4802:34::a
ns3.google.com.         172196  IN      A       216.239.36.10
ns3.google.com.         172196  IN      AAAA    2001:4860:4802:36::a
ns4.google.com.         172196  IN      A       216.239.38.10
ns4.google.com.         172196  IN      AAAA    2001:4860:4802:38::a

;; Query time: 18 msec
;; SERVER: 10.12.34.11#53(10.12.34.11)
;; WHEN: Sun Apr 01 14:50:02 CEST 2018
;; MSG SIZE  rcvd: 311

$ dig youtube.com.rpz @10.12.34.11

; <<>> DiG 9.10.6 <<>> youtube.com.rpz @10.12.34.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38286
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;youtube.com.rpz.               IN      A

;; ANSWER SECTION:
youtube.com.rpz.        60      IN      CNAME   .

;; AUTHORITY SECTION:
.                       10161   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2018033101 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 10.12.34.11#53(10.12.34.11)
;; WHEN: Sun Apr 01 14:50:32 CEST 2018
;; MSG SIZE  rcvd: 132

Thank you for your support

Best regards,
Mario
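An added example (not part of Mario's post) that renders an RPZ zone of the same shape as rpz.dns and simulates how the QNAME trigger matches a queried name; it shows why a rule such as "youtube.com CNAME ." or a bare "cm" rule needs a wildcard twin before www.youtube.com or any name under .cm is caught. The sinkhole address and the blocked names are constructed sample values.

```python
"""Build a BIND RPZ zone and simulate its QNAME-trigger matching.
Added example, not part of the original post; the sinkhole address and
the blocked names are constructed sample values."""
from datetime import date

# RPZ actions as rdata: "CNAME ." answers NXDOMAIN, "CNAME *." answers
# NODATA, any other rdata (here an A record) is returned as local data.
NXDOMAIN = "CNAME ."
NODATA = "CNAME *."

def sinkhole(ip):
    return f"A {ip}"

def rpz_zone(rules, serial=None):
    """Render a complete RPZ zone. `rules` maps owner name -> rdata.
    Each owner also gets a wildcard twin: a QNAME rule for youtube.com
    matches only that exact name, not www.youtube.com, and a bare "cm"
    rule would not cover paypal.cm."""
    serial = serial or int(date.today().strftime("%Y%m%d") + "01")
    lines = ["$TTL 60",
             f"@ IN SOA localhost. root.localhost. ( {serial} 60 60 60 60 )",
             "@ IN NS localhost."]
    for name, rdata in sorted(rules.items()):
        lines.append(f"{name} IN {rdata}")
        lines.append(f"*.{name} IN {rdata}")
    return "\n".join(lines) + "\n"

def rpz_match(qname, rules):
    """Rdata the zone from rpz_zone() applies to qname, or None. Lookup
    order follows RPZ: exact owner first, otherwise the closest enclosing
    wildcard, i.e. the longest matching suffix."""
    qname = qname.rstrip(".").lower()
    if qname in rules:
        return rules[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])  # owner of the candidate *.suffix
        if suffix in rules:
            return rules[suffix]
    return None

if __name__ == "__main__":
    rules = {"cm": NXDOMAIN, "youtube.com": NXDOMAIN,
             "google.com": sinkhole("10.12.34.12")}
    print(rpz_zone(rules, serial=2018040104))
    for q in ("paypal.cm", "www.youtube.com", "example.com"):
        print(q, "->", rpz_match(q, rules))
```

Feed the rendered text to named-checkzone before loading it, and raise the serial on every change so a running named actually reloads the policy zone.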