Block some users with Bind9

Michael Hoskins (michoski) michoski at cisco.com
Fri Jul 27 07:22:33 UTC 2012


-----Original Message-----

From: Emiliano Vazquez <emilianovazquez at gmail.com>
Organization: PcCentro Informatica & CCTV
Date: Thursday, July 26, 2012 7:28 PM
Cc: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
Subject: Re: Block some users with Bind9

>I was reading about rpz zones but I understand what I need to do.
>I followed the instructions but I did not get the result explained in the link
>
>For example:
>
>I create rpz.db
>##########################################################
>$TTL 60
>@            IN    SOA  localhost. root.localhost.  (
>                           2   ; serial
>                           3H  ; refresh
>                           1H  ; retry
>                           1W  ; expiry
>                           1H) ; minimum
>             IN    NS    localhost.
>
>www.yahoo.com       CNAME    .
>weather.yahoo.com   CNAME    *.
>stocks.yahoo.com    CNAME    www.google.com.
>ad.yahoo.com        A    127.0.0.1
>##########################################################
>
>Then I create the rpz zone in named.conf:
>##########################################################
>  zone "rpz" {
>       type master;
>       file "rpz.db";
>       allow-query { none; };
>       allow-transfer { ... ; };
>     };
>##########################################################
>
>The next step is to add the response-policy to named.conf.options
>##########################################################
>response-policy { zone "rpz"; };
>##########################################################
>
>Restart bind9 with success! (after several errors).
>
>Then I try on one client to get this working and nothing happens.
>I did not find any way to see the resolution on the server to see what
>is wrong (like asterisk, squid, shorewall).
>I'm reading about bind but it is a lot of information and all of it is too
>technical for me. I am lost any time I read about this!

To start you might want to run tcpdump on the BIND server and make sure
you see packets from your test client coming in as expected.  Something
like tcpdump -i <whatever> -vvv -X host <client_ip> and dst port 53 should
do.

For the sake of testing you could also enable query-logging.  Logging and
other options are best described in the ARM, though you can also see a
good overview of logging configuration here as well:

http://www.cymru.com/Documents/secure-bind-template.html
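Once query logging is on (a logging channel attached to the "queries" category, plus the "rpz" category for rewrite events), the two log streams can be paired up to see which queries for names in the policy zone were actually rewritten. The script below is an added example, not part of this thread or of BIND; the sample log lines are constructed in the shape BIND 9 writes for those two categories, and the line format is an assumption.

```python
import re

# Constructed sample log lines (assumed BIND 9 "queries" and "rpz" category
# format; clients, ports and timestamps are made up). Client 192.0.2.12 asks for
# a name that is in the policy zone, but no rpz rewrite is logged for it.
SAMPLE_LOG = """\
27-Jul-2012 07:22:33.101 queries: info: client 192.0.2.10#51234: query: www.yahoo.com IN A + (192.0.2.1)
27-Jul-2012 07:22:33.102 rpz: info: client 192.0.2.10#51234: rpz QNAME NXDOMAIN rewrite www.yahoo.com via www.yahoo.com.rpz
27-Jul-2012 07:22:34.200 queries: info: client 192.0.2.10#51235: query: stocks.yahoo.com IN A + (192.0.2.1)
27-Jul-2012 07:22:34.201 rpz: info: client 192.0.2.10#51235: rpz QNAME CNAME rewrite stocks.yahoo.com via stocks.yahoo.com.rpz
27-Jul-2012 07:22:35.300 queries: info: client 192.0.2.11#40001: query: mail.yahoo.com IN A + (192.0.2.1)
27-Jul-2012 07:22:36.400 queries: info: client 192.0.2.12#40002: query: www.yahoo.com IN A + (192.0.2.1)
"""

# Names the rpz.db in this thread carries a policy record for.
POLICY_NAMES = {"www.yahoo.com", "weather.yahoo.com", "stocks.yahoo.com", "ad.yahoo.com"}

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#(?P<port>\d+): query: (?P<qname>\S+) IN (?P<qtype>\S+)")
RPZ_RE = re.compile(
    r"client (?P<client>[\d.]+)#(?P<port>\d+): rpz (?P<trigger>\S+) (?P<policy>\S+) "
    r"rewrite (?P<qname>\S+) via (?P<via>\S+)")


def correlate(log_text):
    """Pair every logged query with the RPZ rewrite (if any) recorded for the
    same client address, source port and query name. Returns one dict per query
    with "policy" set to the RPZ action, or None when no rewrite was logged."""
    rewrites = {}
    for line in log_text.splitlines():
        m = RPZ_RE.search(line)
        if m:
            rewrites[(m["client"], m["port"], m["qname"].rstrip("."))] = m["policy"]
    results = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            qname = m["qname"].rstrip(".")
            results.append({"client": m["client"], "qname": qname, "qtype": m["qtype"],
                            "policy": rewrites.get((m["client"], m["port"], qname))})
    return results


def unrewritten(results, policy_names):
    """Queries for names the policy zone covers that produced no rewrite: these
    are the cases to investigate (zone not loaded, response-policy not applied,
    or the client not reaching this server at all)."""
    return [r for r in results if r["qname"] in policy_names and r["policy"] is None]


if __name__ == "__main__":
    for r in unrewritten(correlate(SAMPLE_LOG), POLICY_NAMES):
        print("no RPZ rewrite for", r["qname"], "from", r["client"])
```

Queries that never appear in the "queries" log at all point back to the tcpdump step above: the client is not reaching this server.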
