how to verify RPZ with a 'known bad' domain from 3rd party zone file?

Vernon Schryver vjs at
Mon Mar 11 20:45:00 UTC 2013

> From: pgbind9 at

> I've bind 9.9.2p1 setup to use the RPZ zone provided by spamhaus.  

> (1) How/where do you extract a bad domain name from the axfr'd RPZ zone
> file?  It's not in what appears to be human-readable form.

As I wrote in answer to your message on Friday, try this command
for the DROP zone:

    named-compilezone -j -f raw -F text -o-

If you are now using, try 

    named-compilezone -j -f raw -F text -o- | head -4

Just now in my copy of that zone, that command suggests trying ""

> (2) Once you have that domain, I assume (?) entering it into a browser
> should result in a browser redirect to (?)?  

If you use the "CNAME ." policy published by Spamhaus, then your browser
will get NXDOMAIN.  You will get only if you override Spamhaus'
policy with a clause similar to this in your response-policy{} statement
    zone "" policy cname;
and define    A

Before messing with a browser, I'd try `dig`

> In which DNS/bind log category do I look for evidence of that
> RPZ-redirection?  In the query log?

If you read the friendly manual text through the link labeled
"Draft text for BIND9 Administrators Reference Manual (ARM) describing" as I suggested last week,
then you should find the "rate-limit" category and the querylog option.

Vernon Schryver    vjs at
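The steps discussed above (convert the raw RPZ zone to text, pick a trigger name out of it, and know what `dig` should show for it) can be scripted against the text form that `named-compilezone -F text -o-` emits. The following is an added example and is not code from this thread or from BIND; it parses a small zone in master-file layout (the sample is constructed here, not a copy of the Spamhaus zone), lists each trigger name with the RPZ action its record encodes, and states the `dig` result that action produces. The sample layout is an assumption: it uses `$ORIGIN`, optional TTL and class fields, and an omitted owner on a continuation line, which is the shape a BIND dump usually has, but a real dump may differ in spacing and ordering.

```python
"""List RPZ trigger names and their policy actions from a text-format zone."""

# Constructed sample in master-file layout (NOT the real Spamhaus zone).
SAMPLE_ZONE = """\
$ORIGIN drop.rpz.example.
$TTL 300
@                     IN SOA   ns.example. hostmaster.example. 1 3600 600 86400 300
                      IN NS    ns.example.
badhost.example.net   IN CNAME .
*.badhost.example.net IN CNAME .
nodata.example.org    600 IN CNAME *.
walled.example.com    IN A     192.0.2.1
passthru.example.org  IN CNAME rpz-passthru.
"""

CLASSES = {"IN", "CH", "HS"}

# What dig shows when a query hits a trigger with the given action.
EXPECTED_DIG = {
    "NXDOMAIN": "status: NXDOMAIN, empty ANSWER section",
    "NODATA": "status: NOERROR, empty ANSWER section",
    "LOCAL-DATA": "status: NOERROR, ANSWER carries the policy's own record",
    "PASSTHRU": "the normal, unmodified answer for the name",
}


def classify(rtype, rdata):
    """Map a trigger's record to the RPZ action BIND applies for it."""
    if rtype == "CNAME":
        if rdata == ".":
            return "NXDOMAIN"          # the "CNAME ." policy Spamhaus publishes
        if rdata == "*.":
            return "NODATA"
        if rdata.lower() == "rpz-passthru.":
            return "PASSTHRU"
    return "LOCAL-DATA"                # A/AAAA/other CNAME: answer is rewritten


def _absolute(owner, origin):
    """Return the owner name without a trailing dot, expanded against $ORIGIN."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner[:-1]
    if origin is None:
        raise ValueError("relative owner %r before any $ORIGIN" % owner)
    return "%s.%s" % (owner, origin)


def parse_rpz(zone_text):
    """Yield (trigger, rtype, rdata, action) for every non-apex record."""
    origin = None
    owner = None
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if line.startswith("$"):               # $TTL and friends
            continue
        tokens = line.split()
        if raw[0] not in " \t":                # leading blank = owner omitted
            owner = tokens.pop(0)
        if tokens and tokens[0].isdigit():     # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in CLASSES:
            tokens.pop(0)
        if not tokens:
            continue
        rtype = tokens.pop(0).upper()
        rdata = " ".join(tokens)
        name = _absolute(owner, origin)
        if origin is not None and name == origin:
            continue                           # SOA/NS at the zone apex
        suffix = "." + origin if origin else ""
        trigger = name[: -len(suffix)] if suffix and name.endswith(suffix) else name
        records.append((trigger, rtype, rdata, classify(rtype, rdata)))
    return records


def triggers_by_action(zone_text):
    """Group trigger names by action, sorted, so a tester can pick one to dig."""
    groups = {}
    for trigger, _rtype, _rdata, action in parse_rpz(zone_text):
        groups.setdefault(action, []).append(trigger)
    return {action: sorted(names) for action, names in groups.items()}


if __name__ == "__main__":
    for action, names in sorted(triggers_by_action(SAMPLE_ZONE).items()):
        print("%-10s expect: %s" % (action, EXPECTED_DIG[action]))
        for name in names:
            print("    dig @127.0.0.1 %s" % name)
```

To use it against a real dump, replace `SAMPLE_ZONE` with the output of the `named-compilezone -j -f raw -F text -o-` pipeline from the reply above and pick any name from the `NXDOMAIN` group; `dig` against the resolver that loads the zone should then show `status: NXDOMAIN` unless the response-policy clause overrides the published policy with `policy cname`, in which case the answer is the local A record instead.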
