mail us  |  mail this page

contact us
training  | 
tech stuff  | 

BIND 9 Support

BIND9 - Configuring a DNS firewall with RPZ

Response Policy Zone (RPZ) is a BIND9.10+ feature (the basic capability was released with BIND9.8) that allows a recursive server (resolver) to perform a user defined action based on the definition of one or more zone files. The RPZ feature is invoked by referencing these RPZ zone files within a response-policy statement in the options clause.

  1. RPZ Zone Blocker Functions
  2. RPZ Zone Blocker named.conf
  3. RPZ Zone File
  4. Exclude Users from RPZ Actions

RPZ Zone Blocker Functions

This howto illustrates the use of RPZ to implement a simple zone blocker (also frequently refered to as a DNS firewall) in a recursive server (Resolver) providing the following functionality:

  1. The resolver operator defines the domain names that they wish to block users from accessing in an RPZ zone file. The reasons for wanting to do this may be anything from eliminating access to non-essential sites in a work environment, blocking sites of a distateful nature where young people may be involved, preventing access to sites known to infect PCs with viruses or any other reason. Using the domain name method involves only one of five possible RPZ ways this could be done.

  2. When a user attempts to access a domain name that is blocked by the RPZ feature the request may be diverted to a web site (perhaps explaining what happened), or the request may simply be dropped (leading to a timeout that will manifest itself either as Network error page or the dreaded 'Page cannot be displayed' in the user's browser). Both types are illustrated in this configuration. These are only two of 6 possible RPZ actions.

  3. The RPZ configuration is flat - it does not differentiate in any way between users. All users who access the public Internet via any resolver running this RPZ file will be blocked from those sites defined in the RPZ file. RPZ does make it possible to allow defined uers to bypass the blocking feature and a small sample is included to illustrate how this would be done.

This domain name blocker (aka DNS firewall) uses a trivial subset of the full power of the RPZ feature to keep configuration simple and to minimize the danger of inadvertant collateral damage - very easy to do with RPZ. The full capability (defining every RPZ Policy Trigger and every Policy Action) with copious examples is described in nauseating detail on this page. Readers who wish to control access to the, sadly, increasing number of sites whose entire motivation seems to be related to infecting unsuspecting viewers are well advised to take the time to fully understand RPZ since it offers a rich and subtle feature set which can yield results with substantial scope by intercepting further up the query chain.

RPZ named.conf

The RPZ feature is invoked by referencing one or more RPZ zones within a response-policy statement in the global options clause (or within a view clause). Each RPZ zone must also be defined using a normal zone clause. Throughout the user's zone is assumed to the classic, but boring, example.com.

RPZ is only possible in a recursive server (Resolver) the named.conf fragment required to invoke RPZ is shown below. Many other permutations exist, this is one of the simplest:

// example.com named.conf fragments relevant to RPZ
// stream the log to separate rpz info
logging{
  channel normal-log{
    // alternatively use default_syslog above to log 
    // everything apart from RPZ info to syslog and omit
    // the file statement below
    file "/var/named/named.log" versions 3 size 1m;
    severity info;
  };
  channel named-rpz {
     // change path as appropriate
     file "/var/named/rpz.log" versions 3 size 250k;
     severity info;
  };
  category rpz{
    named-rpz;
  };
  // everything else
  category default{
    normal-log;
  };
};
options {
  ...
  // this must be a recursive server
  recursion on; // the default but good practice
  // CLOSE the server - change IPs as appropriate
  // or use allow-recursion (localnets; localhost;};
  allow-recursion (192.168.2/24;};
  // invoke RPZ
  response-policy {zone "perfume.example.com";};
  ...
  allow-transfer {none;};
  allow-update {none};
};
// RPZ zone definition
zone "perfume.example.com"{
  type master;
  file "master/perfume.example.com";
};
// standard recursive zone files
// hints, localhost forward and reverse maps
// reverse map for 192.168.2/24 

Notes:

  1. Doman name: The RPZ zone name can break all the normal rules due to its limited visibility, however, the sample has chosen to use a fairly innocuous name for the reasons discussed on this page. It could equally, and correctly, have been called "roguesgallery". If you elect to use a name within your domain space then ensure that the name does not appear in your normal (example.com in this case) zone file to avoid any, internal or external, attempts to access it.

  2. response-policy: The statement shown invokes a fully functional RPZ zone whose actions are determined by the contents of the RPZ zone file. During the testing phase the following statement will perform all the RPZ actions, log them to the RPZ channel, then return the real result to the user:

    response-policy {zone "perfume.example.com" policy disabled;};
    

RPZ Zone File

The following commented zone file shows diversion of the various blocked domain names (using the QNAME policy trigger - many other triggers can be used) to one or more alternative sites (assumed to be webpages but they could be anything) or simply dropping any response thus causing a user timeout after 5 seconds or longer). Many other outcomes (Policy Actions) are possible.

; zone file perfume.example.com
$TTL 2h ; default TTL
$ORIGIN perfume.example.com.
; email address is never used
@        SOA nonexistent.nodomain.none. dummy.nodomain.none. 1 12h 15m 3w 2h
; name server is never accessed but out-of-zone
         NS  nonexistant.nodomain.none.

; divert single domain name www.example.net to 
; special web page at explain.example.com
; explain.example.com must have A/AAAA RR
; in the example.com zone file
www.example.net CNAME explain.example.com.

; divert whole example.net domain name to 
; special web page at explain.example.com
; explain.example.com must have A/AAAA RR
; in the example.com zone file
example.net CNAME explain.example.com.
*.example.net CNAME explain.example.com.

; divert just subdomains of example.net domain name to 
; special web page at explain.example.com
; allows MX record to be read and web sites of form http://example.net
; but blocks, for instance, www.example.net or ftp.example.com
; explain.example.com must have A/AAAA RR
; in the example.com zone file
*.example.net CNAME explain.example.com.

; divert different domains to different locations
; special web pages at explain and noway.example.com
; both noway and explain.example.com must have A/AAAA RRs
; in the example.com zone file
example.net CNAME explain.example.com.
*.example.net CNAME explain.example.com.
example.org CNAME noway.example.com.
*.example.org CNAME noway.example.com.

; no response (timeout) a single domain name 
; www.example.net
www.example.net CNAME rpz-drop.

; no response (timeout) to whole example.net domain name
example.net CNAME rpz-drop.
*.example.net CNAME rpz-drop.

; no response (timeout) to subdomains of example.net domain name
; allows MX record to be read and web sites of form http://example.net
; but drops, for instance, www.example.net or ftp.example.com
*.example.net CNAME rpz-drop.

Notes:

  1. All left-hand (owner-name) names must NOT end with a dot.

  2. Add as many names as required. Order is not important since they are sorted into canonical order when the zone is loaded.

  3. RPZ zones may well be very large > 1 million RRs. To speed up zone loading BIND9.10 includes a new map option with named-compilezone and the masterfile-format statement.

Excluding Users from RPZ Actions

The following shows a method by which certain users (assuming known and fixed IP addresses) may be excluded from all RPZ actions:

// named.conf
options {
  ...
  // define a second zone file - order is important in
  // response-policy statement
  response-policy {zone "exclude.example.com"; zone "perfume.example.com";};
  ...
};
// add new RPZ zone clause
zone "exclude.example.com"{
  type master;
  file "master/exclude.example.com";
  ...
};
// zone file for perfume.example.com
// zone files for hints, localhost (forward and reverse map)
// reverse map for local IPs

; zone file exclude.example.com
$TTL 2h ; default TTL
$ORIGIN exclude.example.com.
@        SOA nonexistent.nodomain.none. dummy.nodomain.none. 1 12h 15m 3w 2h
; name server is never accessed but out-of-zone
         NS  nonexistant.nodomain.none.

; this exludes a single 
; IP address 192.168.2.5
; address can be written as 192.168.2.5/32
32.5.2.168.192.rpz-client-ip CNAME rpz-passthru.

; this defines a block of 8 IPs 
; containing 192.168.2.7
; address can be written as 
; 192.167.2.5/29
29.5.2.168.192.rpz-client-ip CNAME rpz-passthru.

Notes:

  1. If you need an IPv4 calculator.

  2. All left-hand (owner-name) names must NOT end with a dot.

  3. RPZ searches trigger conditions from the zones in the order in which they are defined in the response-policy statement.



Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.

Pro DNS and BIND by Ron Aitchison

Contents

tech info
guides home
dns articles
intro
contents
1 objectives
big picture
2 concepts
3 reverse map
4 dns types
quickstart
5 install bind
6 samples
reference
7 named.conf
8 zone records
operations
9 howtos
10 tools
11 trouble
programming
12 bind api's
security
13 dns security
bits & bytes
15 messages
resources
notes & tips
registration FAQ
dns resources
dns rfcs
change log

Creative Commons License
This work is licensed under a Creative Commons License.

If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Firefox

Search

web zytrax.com

Share

Icons made by Icomoon from www.flaticon.com is licensed by CC 3.0 BY
share page via facebook tweet this page

Page

email us Send to a friend feature print this page Display full width page Decrease font size Increase font size

Resources

Systems

FreeBSD
NetBSD
OpenBSD
DragonFlyBSD
Linux.org
Debian Linux

Software

LibreOffice
OpenOffice
Mozilla
GitHub
GNU-Free SW Foundation
get-dns

Organizations

Open Source Initiative
Creative Commons

Misc.

Ibiblio - Library
Open Book Project
Open Directory
Wikipedia

Site

CSS Technology SPF Record Conformant Domain
Copyright © 1994 - 2024 ZyTrax, Inc.
All rights reserved. Legal and Privacy
site by zytrax
hosted by javapipe.com
web-master at zytrax
Page modified: January 20 2022.