Thanks for your quick response,
I did that; here is the statement in the option section.

-----Original Message-----
From: Daniel Stirnimann [mailto:daniel.stirnim...@switch.ch]
Sent: Tuesday, July 14, 2020 9:25 AM
To: MEjaz <me...@cyberia.net.sa>; bind-users@lists.isc.org
Subject: Re: scripts-to-block-domains

Hello Mohammed,

I don't see that you specified a "response-policy" [1] statement. You
need something like this as well:

    response-policy {
        zone "rpz.local" policy given;
    }
    // Apply RPZ policy to DNSSEC signed zones
    break-dnssec yes;

[1] https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/html/reference.html#response-policy-zone-rpz-rewriting

Daniel

On 14.07.20 08:08, MEjaz wrote:
> Hello all,
>
> Thanks for everyone's contribution. I use RPZ and listed 5000
> forged domains to block in a particular zone without having
> additional zones. I hope that's the feature of RPZ; seems good.
>
> Below is a snippet for your review for the zone and file db.rpz.local,
> which was copied from the default named.empty.
>
> zone "rpz.local" {
>     type master;
>     file "db.rpz.local";
>     allow-query { localhost; };
> };
>
> Once this configuration is done, I am expecting that whoever queried
> our name server for a zone which is listed in my DNS server should not
> allow users to fetch any records as recursive from outside servers; it
> should serve from the internal servers only?
>
> When I test my configuration with one of the hosted domains in my list,
> i.e. doubleclick.net, I got all the results rather than throwing an
> error. Please correct me if I am wrong.
>
> Here are the logs.
>
> [root@ns20 ~]# tailf /var/log/named/rpz.log
> 14-Jul-2020 06:49:53.582 rpz: info: client 212.71.32.20#38120: rpz QNAME NXDOMAIN rewrite test.doubleclick.net via test.doubleclick.net.rpz.local
> 14-Jul-2020 06:49:55.370 rpz: info: client 213.210.231.227#26654: rpz QNAME NXDOMAIN rewrite securepubads.g.doubleclick.net via securepubads.g.doubleclick.net.rpz.local
> 14-Jul-2020 06:50:04.445 rpz: info: client 212.71.32.20#48178: rpz QNAME NXDOMAIN rewrite mail.doubleclick.net via mail.doubleclick.net.rpz.local
> 14-Jul-2020 06:50:09.079 rpz: info: client 213.210.231.227#16492: rpz QNAME NXDOMAIN rewrite stats.g.doubleclick.net via stats.g.doubleclick.net.rpz.local
> c14-Jul-2020 06:52:07.353 rpz: info: client 213.210.253.163#58635: rpz QNAME NXDOMAIN rewrite stats.l.doubleclick.net via stats.l.doubleclick.net.rpz.local
> 14-Jul-2020 06:52:25.272 rpz: info: client 213.210.253.163#57975: rpz QNAME NXDOMAIN rewrite pagead.l.doubleclick.net via pagead.l.doubleclick.net.rpz.local
> 14-Jul-2020 06:55:03.973 rpz: info: client 213.181.164.207#31366: rpz QNAME NXDOMAIN rewrite googleads.g.doubleclick.net via googleads.g.doubleclick.net.rpz.local
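Added example, not part of the original messages and not ISC code: a small Python parser for the rpz log format quoted above, for checking whether a particular test query actually appears among the logged rewrites. The function names, the constructed sample and the 127.0.0.1 test client are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Format as quoted in the thread; search() tolerates a stray leading character.
RPZ_LINE = re.compile(
    r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) rpz: info: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): rpz "
    r"(?P<trigger>\S+) (?P<action>\S+) rewrite (?P<qname>\S+) via (?P<via>\S+)"
)

# Constructed sample: three entries copied from the thread plus one non-rpz line.
SAMPLE_LOG = """\
14-Jul-2020 06:49:53.582 rpz: info: client 212.71.32.20#38120: rpz QNAME NXDOMAIN rewrite test.doubleclick.net via test.doubleclick.net.rpz.local
c14-Jul-2020 06:52:07.353 rpz: info: client 213.210.253.163#58635: rpz QNAME NXDOMAIN rewrite stats.l.doubleclick.net via stats.l.doubleclick.net.rpz.local
14-Jul-2020 06:52:25.272 rpz: info: client 213.210.253.163#57975: rpz QNAME NXDOMAIN rewrite pagead.l.doubleclick.net via pagead.l.doubleclick.net.rpz.local
constructed line that is not an rpz rewrite entry
"""

def parse_rpz_log(text):
    """Return one dict per rewrite entry; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = RPZ_LINE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
        rec["port"] = int(rec["port"])
        rec["qname"] = rec["qname"].rstrip(".").lower()
        records.append(rec)
    return records

def rewrites_by_client(records):
    """Count rewrites per client address."""
    return Counter(r["ip"] for r in records)

def was_rewritten(records, name, client=None):
    """True if `name` or a subdomain was rewritten, optionally for one client."""
    name = name.rstrip(".").lower()
    return any(
        (r["qname"] == name or r["qname"].endswith("." + name))
        and (client is None or r["ip"] == client)
        for r in records
    )

if __name__ == "__main__":
    recs = parse_rpz_log(SAMPLE_LOG)
    print(rewrites_by_client(recs), was_rewritten(recs, "doubleclick.net", client="127.0.0.1"))
```

Passing the address the test query was sent from as `client` shows whether that query is among the rewrites or whether the logged entries all belong to other clients.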