Thanks for your quick response, 

 

I did that here is the statement in  option section. 

 



 

 

 

-----Original Message-----
From: Daniel Stirnimann [mailto:daniel.stirnim...@switch.ch] 
Sent: Tuesday, July 14, 2020 9:25 AM
To: MEjaz <me...@cyberia.net.sa>; bind-users@lists.isc.org
Subject: Re: scripts-to-block-domains

 

Hello Mohammed,

 

I don't see that you specified a "response-policy" [1] statement. You need
something like this as well:

 

response-policy {

    zone "rpz.local" policy given;

}

// Apply RPZ policy to DNSSEC signed zones break-dnssec yes ;

 

[1]

 
<https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/html/reference.html#response
-policy-zone-rpz-rewriting>
https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/html/reference.html#response-
policy-zone-rpz-rewriting

 

Daniel

 

On 14.07.20 08:08, MEjaz wrote:

> Hello all,

> 

>  

> 

> Thanks for every one's  contribution.  I use RPZ and listed 5000  

> forged domain to block it in  a particular zone  without having 

> addiotnal zones, I hope that's the feature of  RPZ, Seems good.

> 

>  

> 

> Below is snippet for your review  for the zone and file  db.rpz.local 

> which was copied from the default named.empty.

> 

>  

> 

> zone "rpz.local" {

> 

>     type master;

> 

>     file "db.rpz.local";

> 

>     allow-query { localhost; };

> 

> };

> 

>  

> 

>  

> 

>  

> 

>  

> 

>  

> 

> Once this configuration done I am expecting that whoever quarried to 

> our name server for a zone which Is listed in my dns server should not 

> allow users to fetch any records as recursive from outside servers, it 

> should server from the internal servers only?

> 

>  

> 

> When I test my configuration with one of the hosted domain in my list 

> i.e doubleclick.net, I got all the results rather than throwing an 

> error. please correct if I am wrong..

> 

>  

> 

>  

> 

>  

> 

>  

> 

>  

> 

> Here are the logs.

> 

>  

> 

> [root@ns20 ~]# tailf /var/log/named/rpz.log

> 

> 14-Jul-2020 06:49:53.582 rpz: info: client 212.71.32.20#38120: rpz 

> QNAME NXDOMAIN rewrite test.doubleclick.net via 

> test.doubleclick.net.rpz.local

> 

> 14-Jul-2020 06:49:55.370 rpz: info: client 213.210.231.227#26654: rpz 

> QNAME NXDOMAIN rewrite securepubads.g.doubleclick.net via 

> securepubads.g.doubleclick.net.rpz.local

> 

> 14-Jul-2020 06:50:04.445 rpz: info: client 212.71.32.20#48178: rpz 

> QNAME NXDOMAIN rewrite mail.doubleclick.net via 

> mail.doubleclick.net.rpz.local

> 

> 14-Jul-2020 06:50:09.079 rpz: info: client 213.210.231.227#16492: rpz 

> QNAME NXDOMAIN rewrite stats.g.doubleclick.net via 

> stats.g.doubleclick.net.rpz.local

> 

> c14-Jul-2020 06:52:07.353 rpz: info: client 213.210.253.163#58635: rpz 

> QNAME NXDOMAIN rewrite stats.l.doubleclick.net via 

> stats.l.doubleclick.net.rpz.local

> 

> 14-Jul-2020 06:52:25.272 rpz: info: client 213.210.253.163#57975: rpz 

> QNAME NXDOMAIN rewrite pagead.l.doubleclick.net via 

> pagead.l.doubleclick.net.rpz.local

> 

> 14-Jul-2020 06:55:03.973 rpz: info: client 213.181.164.207#31366: rpz 

> QNAME NXDOMAIN rewrite googleads.g.doubleclick.net via 

> googleads.g.doubleclick.net.rpz.local

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to