How to set up RPZ in Bind9 (site blocking)

In this article, I will give a simple example of setting up RPZ in Bind9.
RPZ (Response Policy Zone) allows you to block access to malicious and prohibited sites by domain name, IP address or network, block DNS servers.

Let’s open the following configuration file in a text editor:

nano /etc/bind/named.conf.options

Activate RPZ by adding the lines below to the options block:

response-policy { 
    zone "rpz.local"; 

More examples with policies:

response-policy {zone "whitelist" policy passthru; zone "rpz.local" policy disabled;};

I will describe the possible policies:
given – is the default, you can not specify, performs the actions specified in the zone file.
disabled – disables actions specified in the zone file and logs requests.
passthru – do not modify DNS server response, requests are also logged.
drop – do not respond to the client.
nxdomain – response about a non-existent domain.
nodata – no data response.
tcp-only Forces the client to make the request over TCP instead of UDP.
cname domain-name – response with a CNAME record with the specified domain to any request specified in the zone file.

Let’s open the following configuration file in a text editor:

nano /etc/bind/named.conf.local

Let’s add the RPZ zone:

zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";
    allow-query { "none"; };
    allow-transfer { "none"; };
    //allow-transfer {; };

Create a zone file from an empty file template:

cp /etc/bind/db.empty /etc/bind/db.rpz.local
nano /etc/bind/db.rpz.local

It usually has the following content:

$TTL    86400
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                          86400 )       ; Negative Cache TTL
@       IN      NS      localhost.

Now, at the end of this file, you can add blocked domains, for example (dot means NXDOMAIN response, that is, about a non-existent domain):      CNAME  .       CNAME  .

Example with NODATA response:       CNAME   *.

You can change the IP address of the A record (for example, instead of, you can specify the IP address of the HTTP page on which to report the reason for blocking the site):       A

For convenience, you can write RPZ logs to a separate file, I will show an example of the settings:

nano /etc/bind/named.conf

logging {
       channel rpzlog {
        file "/var/lib/bind/rpz.log" versions 3 size 3m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
        //severity notice;
    category rpz { rpzlog; };

sudo ln -s /var/lib/bind/ /var/log/

An example of viewing logs:

tail /var/lib/bind/rpz.log

Let’s check the correctness of the configuration, if nothing is displayed, then everything is fine:


After each file change, you need to change Serial, for example, we make +1 to the current value so that Bind knows that changes have been made, otherwise the changes will not take effect, and we will also check the zone file, for example, if there are unsupported characters, then an error and line number will be displayed :

named-checkzone rpz /etc/bind/db.rpz.local

To apply the changes, force Bind9 to reread the configuration, or simply restart it:

rndc reload
systemctl restart bind9
systemctl status bind9

Let’s check:

dig A @

You can also redirect all requests to DNS servers to Bind9 on the NAT server so that users do not bypass site blocking by specifying third-party DNS:

iptables -t nat -A PREROUTING -s -p udp --dport 53 -j DNAT --to-destination
iptables -t nat -A PREROUTING -s -p tcp --dport 53 -j DNAT --to-destination

Or you can still block port 53 for clients and allow only your own DNS.

See also my article:
Installing and Configuring DNS Server BIND9

Leave a comment

Leave a Reply