On 4/1/18, Mario Aeby wrote:
> Hello list,
>
> inspired by Brian Krebs’ article
>
> Omitting the “o” in .com Could Be Costly
> https://krebsonsecurity.com/2018/03/omitting-the-o-in-com-could-be-costly/
>
> this weekend I set out to reconfigure BIND running in my local network to
> prevent resolving any domain with a «cm» TLD (and, based on further
> research, a few others known for phishing and spreading malware).
>
> Unfortunately, I can’t make RPZ work at all.
I know the feeling :(

This is what I have in named.conf for RPZ:

options {
    ...
    response-policy { zone "rpz.zone" log yes; } break-dnssec yes recursive-only no;
    ...
}

zone "rpz.zone" {
    type master;
    notify no;
    file "ZONES/rpz.zone";
};

# Response Policy Zone (RPZ) - aka DNS Firewall
# official docs are useless so use this
# http://zytrax.com/books/dns/ch7/rpz.html

& I just added this bit to ZONES/rpz.zone:

; kill the whole domain
*.cm        CNAME .
; except for
*.cnn.cm    CNAME rpz-passthru.

C:\Users\Lee>nslookup
> www.aol.cm.
Server:  127.0.0.1
Address:  127.0.0.1#53

** server can't find www.aol.cm: NXDOMAIN
> www.cnn.cm.
Server:  127.0.0.1
Address:  127.0.0.1#53

Non-authoritative answer:
Name:    www.cnn.cm
Address: 165.160.15.20
Name:    www.cnn.cm
Address: 165.160.13.20
> hulu.cm.
Server:  127.0.0.1
Address:  127.0.0.1#53

** server can't find hulu.cm: NXDOMAIN
> www.hulu.cm.
Server:  127.0.0.1
Address:  127.0.0.1#53

** server can't find www.hulu.cm: NXDOMAIN
>

altho... if you want to block the whole domain, why not just block it?

resolv.conf gets this line

zone "cm" {
    type master;
    notify no;
    file "ZONES/null.zone";
};

and ZONES/null.zone looks like

; null.zone
; return NXDOMAIN for any name lookup in this zone
$TTL 1d
@   IN  SOA localhost. admin.home. (
            2017010100  ; Serial
            6h          ; Refresh
            15          ; Retry
            1d          ; Expire
            1h )        ; Minimum
    IN  NS  localhost.

Regards,
Lee
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
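The two RPZ records in Lee's reply only do what the nslookup session shows because of how RPZ picks a winning QNAME trigger: when several owner names match a query name, the one with the most labels wins, so `*.cnn.cm CNAME rpz-passthru.` overrides `*.cm CNAME .` for www.cnn.cm while hulu.cm and www.aol.cm still fall through to NXDOMAIN. The following Python is an added example, not code from the thread or from BIND: it models that precedence for exact and wildcard QNAME triggers and renders the same rule table as an RPZ zone file. The rule table, the SOA values and the `rpz_action`/`render_rpz_zone` names are constructed for the example.

```python
"""Model of RPZ QNAME-trigger matching for the block-a-TLD / exempt-one-domain
policy discussed on the list. Added example; it is not BIND code and models only
QNAME triggers (exact and '*.' wildcard owners) with the CNAME-encoded actions."""

from typing import Dict, List, Optional, Tuple

# Constructed policy table in the shape of an RPZ zone: owner name -> CNAME target.
# 'CNAME .' means NXDOMAIN, 'CNAME rpz-passthru.' means answer normally.
RPZ_RULES: Dict[str, str] = {
    "*.cm": ".",
    "*.cnn.cm": "rpz-passthru.",
}

# Special RPZ CNAME targets and the action each encodes.
ACTION_BY_TARGET = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
}


def _labels(name: str) -> List[str]:
    """Split a (possibly absolute) DNS name into lower-cased labels."""
    return name.rstrip(".").lower().split(".")


def rule_matches(owner: str, qname: str) -> bool:
    """An exact owner matches only that name; '*.x' matches names strictly below x."""
    q = _labels(qname)
    if owner.startswith("*."):
        suffix = _labels(owner[2:])
        return len(q) > len(suffix) and q[-len(suffix):] == suffix
    return q == _labels(owner)


def rpz_action(qname: str, rules: Dict[str, str] = RPZ_RULES) -> Tuple[Optional[str], Optional[str]]:
    """Return (owner, action) of the winning trigger, or (None, None) if nothing fires.

    Among matching owners the one with the most labels wins; on a tie an exact
    name beats a wildcard. This is why '*.cnn.cm' (3 labels) exempts www.cnn.cm
    from '*.cm' (2 labels) while hulu.cm only matches '*.cm'.
    """
    best = None
    for owner, target in rules.items():
        if not rule_matches(owner, qname):
            continue
        specificity = (len(_labels(owner)), 0 if owner.startswith("*.") else 1)
        if best is None or specificity > best[0]:
            action = ACTION_BY_TARGET.get(target, "LOCAL-DATA:" + target)
            best = (specificity, owner, action)
    if best is None:
        return None, None
    return best[1], best[2]


def render_rpz_zone(rules: Dict[str, str] = RPZ_RULES, serial: int = 2018040100) -> str:
    """Render the rule table as a minimal RPZ zone file (SOA/NS values are constructed)."""
    lines = [
        "$TTL 1h",
        f"@ IN SOA localhost. admin.home. ( {serial} 1h 15m 30d 1h )",
        "  IN NS localhost.",
    ]
    for owner, target in rules.items():
        lines.append(f"{owner} CNAME {target}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Replay the names from the nslookup session against the model.
    for name in ("www.aol.cm", "www.cnn.cm", "hulu.cm", "www.hulu.cm", "cm", "www.example.com"):
        print(f"{name:18} -> {rpz_action(name)}")
    print(render_rpz_zone())
```

Note that `*.cm` does not match the bare name `cm` itself; the model reproduces that, which is one reason Lee's alternative of serving an empty authoritative `cm` zone is the simpler choice when the whole TLD is to be blocked.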