sanity check: localhost rpz

Lee ler762 at
Fri Apr 20 13:26:13 UTC 2018

With a few exceptions, I'd like to block external answers for

Is the following really how it's supposed to be done?  I can see
having to whitelist the names, but having to whitelist
zones I'm authoritative for seems a bit weird.

options {
   response-policy { zone ""  log yes; } break-dnssec yes recursive-only no;
};
zone "localhost" in { type master; allow-update{none;}; file "ZONES/master.localhost"; };
zone "" in { type master; allow-update{none;}; file "ZONES/"; };
; return NXDOMAIN for any answers
;   exceptions:       CNAME   rpz-passthru.       CNAME   rpz-passthru.
localhost               CNAME   rpz-passthru.      CNAME   rpz-passthru.     CNAME   .
;   check:
;     localhost 
;       should alternate between (allowed) and (NXDOMAIN)
;       ref:
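To see why both the apex name (localhost) and its wildcard need their own rpz-passthru records when a catch-all rule returns NXDOMAIN, here is an added example (not from the post or from BIND) that simulates RPZ QNAME-trigger matching offline. The zone text and names below are constructed, and the matching order (exact owner first, then the wildcard at the closest enclosing name, then a bare "*") is an assumption about how the triggers are looked up.

```python
# Added example, not from the original post: simulate RPZ QNAME-trigger matching for a
# "deny everything, passthru a whitelist" policy zone. Zone text and names are constructed;
# matching assumes exact owner wins, else the wildcard at the closest enclosing name.

RPZ_PASSTHRU = "rpz-passthru."   # CNAME rpz-passthru.  -> answer normally
RPZ_NXDOMAIN = "."               # CNAME .              -> synthesize NXDOMAIN

SAMPLE_RPZ_ZONE = """
; return NXDOMAIN for any answers
*                     CNAME   .
;   exceptions:
localhost             CNAME   rpz-passthru.
*.localhost           CNAME   rpz-passthru.
example.internal      CNAME   rpz-passthru.
*.example.internal    CNAME   rpz-passthru.
"""

def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Localhost.' equals 'localhost'."""
    return name.rstrip(".").lower()

def parse_rpz_zone(text: str) -> dict:
    """Collect CNAME trigger records; ';' starts a comment, other RR types are ignored."""
    rules = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) == 3 and fields[1].upper() == "CNAME":
            rules[normalize(fields[0])] = fields[2]
    return rules

def lookup_trigger(rules: dict, qname: str):
    """Exact owner name first, then '*.<enclosing name>' walking toward the root,
    ending at the bare '*' catch-all. Returns (owner, target) or (None, None)."""
    q = normalize(qname)
    if q in rules:
        return q, rules[q]
    labels = q.split(".") if q else []
    for i in range(1, len(labels) + 1):
        parent = ".".join(labels[i:])
        wildcard = "*." + parent if parent else "*"
        if wildcard in rules:
            return wildcard, rules[wildcard]
    return None, None

def policy_for(rules: dict, qname: str) -> str:
    """Map the matched trigger's target to the action a resolver would apply."""
    _, target = lookup_trigger(rules, qname)
    if target is None:
        return "no-match"
    return {RPZ_PASSTHRU: "passthru", RPZ_NXDOMAIN: "NXDOMAIN"}.get(target, "rewrite:" + target)
```

Drop the `localhost CNAME rpz-passthru.` record from the sample and a query for the bare name `localhost` falls through to the catch-all, which is the behaviour the check at the end of the post is meant to catch.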