In this article, I will give a simple example of setting up RPZ in Bind9.
RPZ (Response Policy Zone) lets the resolver rewrite or refuse answers for malicious and prohibited sites. Policy entries can match on the queried domain name, on the IP address or network returned in the answer, or on the DNS servers that serve the domain.
Let’s open the following configuration file in a text editor:
nano /etc/bind/named.conf.options
Activate RPZ by adding the lines below to the options block:
response-policy {
    zone "rpz.local";
};
An example with several zones, each with its own policy override (every zone listed here must also be declared as a zone in named.conf.local, and the zones are consulted in the order listed):
response-policy {
    zone "whitelist" policy passthru;
    zone "rpz.local" policy disabled;
};
The policy keyword overrides the action for every entry in that zone. The possible policies are:
given – the default, so it need not be specified; the action recorded in the zone file for each entry is applied.
disabled – the actions in the zone file are not applied; matching requests are only logged.
passthru – the DNS response is left unmodified; matching requests are still logged.
drop – the request is dropped and the client receives no response at all.
nxdomain – respond with NXDOMAIN (the domain does not exist).
nodata – respond with NODATA (the name exists but has no records of the requested type).
tcp-only – force the client to repeat the request over TCP instead of UDP.
cname domain-name – respond with a CNAME record pointing at the specified domain for every entry in the zone file.
Let’s open the following configuration file in a text editor:
nano /etc/bind/named.conf.local
Let’s add the RPZ zone (queries and transfers are refused for everyone; RPZ lookups are internal to named and still work, and the commented line shows how to allow a transfer to a secondary):
zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";
    allow-query { "none"; };
    allow-transfer { "none"; };
    //allow-transfer { 1.2.3.4; };
};
Create a zone file from an empty file template:
cp /etc/bind/db.empty /etc/bind/db.rpz.local
nano /etc/bind/db.rpz.local
It usually has the following content:
$TTL 86400
@ IN SOA localhost. root.localhost. (
        1         ; Serial
        604800    ; Refresh
        86400     ; Retry
        2419200   ; Expire
        86400 )   ; Negative Cache TTL
;
@ IN NS localhost.
Now, at the end of this file, you can add the blocked domains. Owner names are relative to the zone origin (vk.com becomes vk.com.rpz.local), so write them without a trailing dot. A CNAME pointing at "." means an NXDOMAIN response, that is, the domain does not exist:
vk.com CNAME .
ok.ru CNAME .
Example with a NODATA response (the name exists but has no records of the requested type):
example.com CNAME *.
An A record rewrites the answer to the given address. Instead of 127.0.0.1 you can specify the IP address of an HTTP page that tells the user why the site is blocked:
example2.com A 127.0.0.1
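The entries above are easy to maintain by hand for a handful of domains, but a blocklist of any size is better generated. The following script is an added example, not code from the article: it renders db.rpz.local from a small constructed blocklist using the three record forms shown above (CNAME . for NXDOMAIN, CNAME *. for NODATA, an A record for a sinkhole address), adds a wildcard entry for each domain so that subdomains are covered as well, rejects names with a trailing dot or invalid characters, and picks a serial in the YYYYMMDDnn style that is always greater than the serial in the existing file, which is what Bind needs in order to notice the change. The zone name rpz.local is taken from the article; the blocklist contents and the sinkhole address 10.0.0.80 are constructed sample data.

```python
"""Generate the BIND9 RPZ zone file db.rpz.local from a blocklist.

Added example, not the article's code. Assumptions: the zone is named
rpz.local as in the article; the serial follows the YYYYMMDDnn convention
and is bumped past whatever the existing file carries; the blocklist and
the sinkhole address below are constructed sample data.
"""
import re
from datetime import date

# Constructed sample policy: domain -> action.
# "nxdomain" -> CNAME .    "nodata" -> CNAME *.    an IPv4 address -> A <address>
BLOCKLIST = {
    "vk.com": "nxdomain",
    "ok.ru": "nxdomain",
    "example.com": "nodata",
    "example2.com": "10.0.0.80",  # constructed address of a "why is this blocked" page
}

# Same SOA/NS header as the article's db.empty template, with a serial placeholder.
HEADER = """$TTL 86400
@ IN SOA localhost. root.localhost. (
        {serial} ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        86400 ) ; Negative Cache TTL
;
@ IN NS localhost.
"""

SERIAL_RE = re.compile(r"^\s*(\d+)\s*;\s*Serial", re.IGNORECASE | re.MULTILINE)


def read_serial(zone_text):
    """Return the serial found in an existing zone file, or 0 if there is none."""
    m = SERIAL_RE.search(zone_text)
    return int(m.group(1)) if m else 0


def next_serial(current, today):
    """YYYYMMDD00 for today, or current+1 when that would not be larger.
    Either way the result is strictly greater, so BIND reloads the zone."""
    candidate = int(today.strftime("%Y%m%d")) * 100
    return candidate if candidate > current else current + 1


def rpz_owner(domain):
    """Normalise a domain into a relative RPZ owner name and validate it.
    A trailing dot would make the name absolute and the entry would never match."""
    d = domain.strip().lower().rstrip(".")
    if not re.fullmatch(r"(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+", d):
        raise ValueError("not a usable domain: %r" % domain)
    return d


def render_entry(domain, action):
    """Render the record for one domain plus a wildcard record for its subdomains."""
    owner = rpz_owner(domain)
    if action == "nxdomain":
        rdata = "CNAME ."
    elif action == "nodata":
        rdata = "CNAME *."
    elif re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", action):
        rdata = "A " + action          # sinkhole / explanation page
    else:
        raise ValueError("unknown action for %s: %r" % (domain, action))
    records = [owner + " " + rdata]
    if not owner.startswith("*."):
        records.append("*." + owner + " " + rdata)   # covers www.vk.com etc.
    return records


def render_zone(blocklist, serial):
    """Full zone file text: header followed by one block of records per domain."""
    lines = [HEADER.format(serial=serial)]
    for domain, action in sorted(blocklist.items()):
        lines.extend(render_entry(domain, action))
    return "\n".join(lines) + "\n"


def regenerate(existing_text, blocklist, today=None):
    """Produce a new zone file whose serial is greater than the existing one's."""
    today = today or date.today()
    serial = next_serial(read_serial(existing_text), today)
    return render_zone(blocklist, serial)


if __name__ == "__main__":
    from pathlib import Path
    path = Path("/etc/bind/db.rpz.local")
    old = path.read_text() if path.exists() else ""
    path.write_text(regenerate(old, BLOCKLIST))
    # afterwards: named-checkzone rpz.local /etc/bind/db.rpz.local && rndc reload
```

Run it as root after editing BLOCKLIST; it rewrites the zone file in place and the serial logic guarantees that a second run on the same day still produces a larger serial. Validate with named-checkzone before reloading, as described further on in the article.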
For convenience, you can write the RPZ logs to a separate file. An example of the settings:
nano /etc/bind/named.conf
logging {
    channel rpzlog {
        file "/var/lib/bind/rpz.log" versions 3 size 3m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
        //severity notice;
    };
    category rpz { rpzlog; };
};
Optionally, link the directory so that the log is also reachable under /var/log:
sudo ln -s /var/lib/bind/ /var/log/
An example of viewing logs:
tail /var/lib/bind/rpz.log
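Reading the raw log with tail is enough to confirm that RPZ is firing, but for day-to-day monitoring it is more useful to know which clients hit which entries and how often. The script below is an added example, not code from the article: it parses lines from the rpz category into client, queried name, trigger, action and matching zone entry, and summarises them. The log lines in SAMPLE_LOG are constructed to resemble what Bind writes with print-time, print-category and print-severity enabled; the exact wording varies between Bind versions, so the regular expression relies only on the stable parts (the client address, the queried name in parentheses, and the "rpz ... rewrite ... via ..." phrase).

```python
"""Summarise BIND9 RPZ log lines: which clients had which names rewritten.

Added example, not the article's code. SAMPLE_LOG is constructed to look like
the rpz category output with print-time/print-category/print-severity enabled;
real lines differ slightly between BIND versions.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
16-May-2024 10:12:01.123 rpz: info: client @0x7f3c5c0a1b20 192.168.1.10#51234 (vk.com): rpz QNAME NXDOMAIN rewrite vk.com/A/IN via vk.com.rpz.local
16-May-2024 10:12:02.456 rpz: info: client @0x7f3c5c0a1b20 192.168.1.10#51235 (www.ok.ru): rpz QNAME NXDOMAIN rewrite www.ok.ru/A/IN via *.ok.ru.rpz.local
16-May-2024 10:12:05.789 rpz: info: client @0x7f3c5c0a2c30 192.168.1.22#40001 (example.com): rpz QNAME NODATA rewrite example.com/A/IN via example.com.rpz.local
16-May-2024 10:12:06.000 rpz: info: client @0x7f3c5c0a2c30 192.168.1.22#40002 (example2.com): rpz QNAME Local-Data rewrite example2.com/A/IN via example2.com.rpz.local
16-May-2024 10:12:07.000 general: info: zone rpz.local/IN: loaded serial 2024051600
"""

# Client address (optionally preceded by the @0x... pointer BIND prints),
# queried name in parentheses, then the rpz rewrite phrase. The "/A/IN"
# suffix after the rewritten name is optional because older versions omit it.
RPZ_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"rpz (?P<trigger>\S+) (?P<action>\S+) rewrite (?P<name>\S+?)(?:/\S+)? via (?P<entry>\S+)"
)


def parse_line(line):
    """Return a dict of the RPZ fields for one log line, or None for other lines."""
    m = RPZ_RE.search(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Count rewrites per client/name and per action over a whole log."""
    hits = [h for h in (parse_line(l) for l in log_text.splitlines()) if h]
    by_client = defaultdict(Counter)
    by_action = Counter()
    for h in hits:
        by_client[h["client"]][h["qname"]] += 1
        by_action[h["action"]] += 1
    return {
        "total": len(hits),
        "by_client": {c: dict(v) for c, v in by_client.items()},
        "by_action": dict(by_action),
    }


def top_clients(summary, n=5):
    """Clients with the most rewrites, as (count, client) pairs, highest first."""
    counts = ((sum(v.values()), c) for c, v in summary["by_client"].items())
    return sorted(counts, reverse=True)[:n]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarize(text)
    print("%d rewrites; by action: %s" % (s["total"], s["by_action"]))
    for count, client in top_clients(s):
        print("%s: %d hits -> %s" % (client, count, s["by_client"][client]))
```

Run it as python3 rpz_summary.py /var/lib/bind/rpz.log (or without an argument to process the constructed sample). A client that keeps hitting the same blocked name every few seconds is usually a misconfigured application or a persistent process rather than a user, which is exactly the kind of thing the per-client breakdown makes visible.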
Let’s check that the configuration is correct; if nothing is printed, everything is fine:
named-checkconf
After each change to the zone file you must increase the Serial (for example, add 1 to the current value) so that Bind knows the zone has changed; otherwise the changes will not take effect. Also check the zone file itself: if it contains unsupported characters, an error together with the line number is displayed. The first argument is the zone name as declared in named.conf.local:
named-checkzone rpz.local /etc/bind/db.rpz.local
To apply the changes, make Bind9 reread its configuration and zones, or simply restart it and check its status:
rndc reload
systemctl restart bind9
systemctl status bind9
Let’s check by querying the server for one of the domains in the zone and confirming that the answer has been rewritten:
dig A example.com @127.0.0.1
On the NAT server you can also redirect all DNS requests from clients to Bind9, so that users cannot bypass the blocking by configuring a third-party DNS server (here 192.168.1.0/24 is the client network and 192.168.2.5 is the Bind9 server; both UDP and TCP are needed because RPZ can force clients onto TCP):
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p udp --dport 53 -j DNAT --to-destination 192.168.2.5
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 53 -j DNAT --to-destination 192.168.2.5
Alternatively, block outbound port 53 for clients altogether and allow only your own DNS server.
See also my article:
Installing and Configuring DNS Server BIND9