oznu/dns-zone-blacklist

BIND9: Request Policy Zones (RPZs)

dgoerger opened this issue · 3 comments

To flesh out the nxdomains, we can get an nxdomain for BIND 9.10+ with Request Policy Zones, which are meant to serve local DNS policy and function more or less as a DNS-based firewall.

Essentially:

$ UPSTREAM_HOSTS_FILE='https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn/hosts'
$ 
$ ## paths
$ TMP='/tmp'
$ SRC="${TMP}/hostfile.src"
$ TMP_RPZ="${TMP}/rpz"
$ 
$ ## functions
$ build_for_isc_bind() {
>   # build BIND9 RPZ zone file
>   echo '$TTL 3H' | tee ${TMP_RPZ} >/dev/null 2>&1
>   echo '@                       SOA LOCALHOST. blocked (1 1h 15m 30d 2h)' | tee --append ${TMP_RPZ} >/dev/null 2>&1
>   echo '                        NS  LOCALHOST.' | tee --append ${TMP_RPZ} >/dev/null 2>&1
>   echo '' | tee --append ${TMP_RPZ} >/dev/null 2>&1
>   awk '$1 == "0.0.0.0" {print $2, "CNAME", "."}' ${SRC} | grep -vE "^[0-9].*[0-9] CNAME \.$" | tee --append ${TMP_RPZ} >/dev/null 2>&1
> }
$ 
$ curl -Lo ${SRC} ${UPSTREAM_HOSTS_FILE} 2>/dev/null
$ build_for_isc_bind
$ 
$ head ${TMP_RPZ}
$TTL 3H
@                       SOA LOCALHOST. blocked (1 1h 15m 30d 2h)
                        NS  LOCALHOST.

1493361689.rsc.cdn77.org CNAME .
30-day-change.com CNAME .
2468.go2cloud.org CNAME .
adsmws.cloudapp.net CNAME .
androidads23.adcolony.com CNAME .
annualconsumersurvey.com CNAME .
$ 
$ # already run and applied system-wide
$ host 1493361689.rsc.cdn77.org
Host 1493361689.rsc.cdn77.org not found: 3(NXDOMAIN)

oznu commented

How does #7 look?

I've tested it on BIND 9.11.1 using this simple named.conf config and it seems to work:

zone "rpz" {
  type master;
  file "/etc/bind/bind-nxdomain.blacklist";
  allow-query { none; };
};

options {
  forwarders {
    8.8.8.8;
    8.8.4.4;
  };
  forward only;
  response-policy { zone "rpz"; };
};

Yep! That looks right. I've never used asterisks in an rpz to denote wildcard subdomains before, but if it works, it works! 😁

oznu commented

When the other zone formats are used, they block all wildcard subdomains. Adding the wildcards into the rpz will make BIND work in the same way for nxdomain and 0.0.0.0 responses.

I think it might be worth making a wiki page explaining how to use the RPZ file; there is not much to be found on Google regarding them.
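The conversion sketched in the opening shell snippet, together with the wildcard entries discussed above, as an added Python example (not code from this repository): it skips comment, localhost and bare-IP lines from a hosts file, deduplicates names, and emits either the `CNAME .` (NXDOMAIN) or the `A 0.0.0.0` local-data form of RPZ record, with an optional `*.name` wildcard per entry. The hosts excerpt is constructed for the example.

```python
"""Convert a hosts-style blocklist into a BIND9 Response Policy Zone (RPZ) file."""
import ipaddress

# Constructed excerpt in the StevenBlack/hosts format: comment, localhost and
# bare-IP lines to skip, a trailing comment, and a duplicate differing only in case.
SAMPLE_HOSTS = """\
# Title: constructed hosts excerpt for this example
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 adsmws.cloudapp.net
0.0.0.0 androidads23.adcolony.com   # trailing comment
0.0.0.0 2468.go2cloud.org
0.0.0.0 ADSMWS.cloudapp.net.
"""

# Same SOA/NS header as the shell snippet in this issue.
RPZ_HEADER = ["$TTL 3H",
              "@                       SOA LOCALHOST. blocked (1 1h 15m 30d 2h)",
              "                        NS  LOCALHOST.", ""]
# RPZ actions: 'CNAME .' forces NXDOMAIN, 'A 0.0.0.0' answers with a sinkhole address.
ACTIONS = {"nxdomain": "CNAME .", "0.0.0.0": "A 0.0.0.0"}

def hosts_to_names(text, sink="0.0.0.0"):
    """Return the unique, lowercased hostnames that a hosts file maps to `sink`."""
    names, seen = [], set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # strip comments, split on whitespace
        if len(fields) < 2 or fields[0] != sink:
            continue
        for name in fields[1:]:                    # one hosts line may list several names
            name = name.lower().rstrip(".")
            try:
                ipaddress.ip_address(name)         # "0.0.0.0 0.0.0.0" style lines are not names
                continue
            except ValueError:
                pass
            if name == "localhost" or name in seen:
                continue
            seen.add(name)
            names.append(name)
    return names

def rpz_records(names, action="nxdomain", wildcards=True):
    """One RPZ record per name, plus '*.name' so subdomains are caught as well."""
    rdata = ACTIONS[action]
    return [f"{p}{n} {rdata}" for n in names for p in (("", "*.") if wildcards else ("",))]

def build_rpz(text, action="nxdomain", wildcards=True):
    """Full zone file text: header followed by the policy records."""
    return "\n".join(RPZ_HEADER + rpz_records(hosts_to_names(text), action, wildcards)) + "\n"
```

Feeding the output to the `file` path of the `zone "rpz"` shown in the named.conf above gives the same NXDOMAIN behaviour as the shell version, with subdomains covered by the wildcard records.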