how to verify RPZ with a 'known bad' domain from 3rd party zone file?

Vernon Schryver vjs at rhyolite.com
Mon Mar 11 20:45:00 UTC 2013


> From: pgbind9 at ml1.net

> I've bind 9.9.2p1 set up to use the RPZ zone provided by spamhaus.

> (1) How/where do you extract a bad domain name from the axfr'd RPZ zone
> file?  It's not in what appears to be human-readable form.

As I wrote in answer to your message on Friday, try this command
for the DROP zone:

    named-compilezone -j -f raw -F text -o- drop.rpz.spamhaus.org drop.rpz.spamhaus.org

If you are now using rpz.spamhaus.org, try 

    named-compilezone -j -f raw -F text -o- rpz.spamhaus.org rpz.spamhaus.org | head -4

Just now in my copy of that zone, that command suggests trying "forum.ac"


> (2) Once you have that domain, I assume (?) entering it into a browser
> should result in a browser redirect to 127.0.0.1 (?)?  

If you use the "CNAME ." policy published by Spamhaus, then your browser
will get NXDOMAIN.  You will get 127.0.0.1 only if you override Spamhaus'
policy with a clause similar to this in your response-policy{} statement
    zone "rpz.spamhaus.org" policy cname bad-rpz.ml1.net;
and define
    bad-rpz.ml1.net.    A   127.0.0.1

Before messing with a browser, I'd try `dig forum.ac`

> In which DNS/bind
> log category do I look for evidence of that RPZ-redirection?  In the
> query log?

If you read the friendly manual text through the link labeled
"Draft text for BIND9 Administrators Reference Manual (ARM) describing"
http://www.redbarn.org/dns/ratelimits as I suggested last week,
then you should find the "rate-limit" category and the querylog option.


Vernon Schryver    vjs at rhyolite.com
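
An added shell example, not part of the original post and not BIND's own tooling, that automates the check described in this reply: dump the axfr'd RPZ zone with named-compilezone, take the first policy trigger name, query it with dig against the local resolver, and classify the answer as NXDOMAIN (the Spamhaus "CNAME ." policy), a redirect to an override address, or not blocked. The zone and resolver names, and the sample named-compilezone and dig output embedded in the script, are constructed for the example; the live path assumes named-compilezone and dig are on PATH and that the RPZ zone file exists on disk.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an RPZ zone is being
# applied by the resolver. Assumes named-compilezone and dig on PATH for the
# live path; all sample data below is constructed with made-up names.
set -eu

# Constructed sample of named-compilezone's text output for an RPZ zone
# (owner TTL class type rdata, absolute names with trailing dots).
SAMPLE_ZONE='rpz.example.test.                    300 IN SOA ns.example.test. hostmaster.example.test. 1 3600 900 604800 300
rpz.example.test.                    300 IN NS ns.example.test.
*.wild.example.test.rpz.example.test. 300 IN CNAME .
bad.example.test.rpz.example.test.    300 IN CNAME .
evil.example.test.rpz.example.test.   300 IN CNAME .'

# Constructed dig output for a name blocked by the "CNAME ." policy ...
SAMPLE_DIG_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; QUESTION SECTION:
;bad.example.test.              IN      A

;; Query time: 1 msec'

# ... and for the same name under a "policy cname" override pointing at 127.0.0.1.
SAMPLE_DIG_REDIRECT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; ANSWER SECTION:
bad.example.test.       300 IN CNAME bad-rpz.example.test.
bad-rpz.example.test.   300 IN A 127.0.0.1

;; Query time: 1 msec'

# Read named-compilezone text output on stdin and print the first queryable
# trigger domain: a CNAME/A/AAAA record whose owner ends in ".<zone>.",
# with that suffix stripped. Wildcard owners are skipped (cannot be queried as-is).
first_policy_name() {
    awk -v suffix=".$1." '
        /^[$;]/ { next }                      # skip $TTL/$ORIGIN directives and comments
        $1 !~ /^\*/ && $3 == "IN" && ($4 == "CNAME" || $4 == "A" || $4 == "AAAA") &&
        substr($1, length($1) - length(suffix) + 1) == suffix {
            print substr($1, 1, length($1) - length(suffix))
            exit
        }'
}

# Read full dig output on stdin and print one of:
#   NXDOMAIN                -> the "CNAME ." policy fired
#   REDIRECT <address>      -> an override policy answered with an A record
#   NOT-BLOCKED <status>    -> RPZ did not rewrite the answer
rpz_verdict() {
    awk '
        /;; ->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); status = $0; next }
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ { in_answer = 0 }
        in_answer && $4 == "A" { answer_ip = $5 }
        END {
            if (status == "NXDOMAIN") print "NXDOMAIN"
            else if (answer_ip != "") print "REDIRECT " answer_ip
            else print "NOT-BLOCKED " status
        }'
}

# Live path: dump the raw zone file, pick a trigger, query the resolver.
# Usage: sh rpz-check.sh --live rpz.spamhaus.org /path/to/rpz.spamhaus.org [resolver]
verify_rpz_live() {
    zone="$1"; zonefile="$2"; resolver="${3:-127.0.0.1}"
    domain=$(named-compilezone -j -f raw -F text -o- "$zone" "$zonefile" 2>/dev/null | first_policy_name "$zone")
    [ -n "$domain" ] || { echo "no policy record found in $zone" >&2; return 1; }
    printf 'testing %s via %s: ' "$domain" "$resolver"
    dig @"$resolver" "$domain" A | rpz_verdict
}

# Offline check of the two parsers against the constructed samples.
self_check() {
    [ "$(printf '%s\n' "$SAMPLE_ZONE" | first_policy_name rpz.example.test)" = "bad.example.test" ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_DIG_NXDOMAIN" | rpz_verdict)" = "NXDOMAIN" ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_DIG_REDIRECT" | rpz_verdict)" = "REDIRECT 127.0.0.1" ] || return 1
}

case "${1:-}" in
    --live) verify_rpz_live "$2" "$3" "${4:-127.0.0.1}" ;;
    *) self_check || { echo "parser self-check failed" >&2; exit 1; }
       echo "parsers OK on constructed samples" ;;
esac
```

Run it with no arguments to exercise the parsers on the embedded samples; run it with `--live` and a real zone name, zone file and resolver address to perform the check the reply describes. A `NOT-BLOCKED` verdict for a name that appears in the zone means the resolver is not applying that RPZ zone to the client you queried from.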


