sanity check: localhost rpz

Lee ler762 at gmail.com
Fri Apr 20 13:26:13 UTC 2018


With a few exceptions, I'd like to block external answers for 127.0.0.0/8

Is the following really how it's supposed to be done?  I can see
having to whitelist the net-snmp.org names, but having to whitelist
zones I'm authoritative for seems a bit weird.

named.conf:
options {
   ...
   // log each policy hit; rewrite even DNSSEC-validated answers; apply to non-recursive queries too
   response-policy { zone "rpz.zone"  log yes; } break-dnssec yes recursive-only no;
};
// zones this server is authoritative for
zone "localhost" in { type master; allow-update{none;}; file "ZONES/master.localhost"; };
zone "home.net" in { type master; allow-update{none;}; file "ZONES/home.net"; };


rpz.zone:
   ...
; return NXDOMAIN for any 127.0.0.0/8 answers
;   exceptions (rpz-passthru. = leave the answer untouched, no further RPZ processing):
onea.net-snmp.org       CNAME   rpz-passthru.
twoa.net-snmp.org       CNAME   rpz-passthru.
localhost               CNAME   rpz-passthru.
localhost.home.net      CNAME   rpz-passthru.
; response-IP trigger, <prefix>.<octets reversed>.rpz-ip = 127.0.0.0/8; CNAME . = NXDOMAIN
8.0.0.0.127.rpz-ip      CNAME   .
;   check:
;     localhost           127.0.0.1
;     onea.net-snmp.org   127.0.0.1
;     twoa.net-snmp.org   127.0.0.2 127.0.0.3
;     7f000001.c7f11de3.rbndr.us
;       should alternate between 199.241.29.227 (allowed) and 127.0.0.1 (NXDOMAIN)
;       ref: https://bugs.chromium.org/p/project-zero/issues/detail?id=1471&desc=3


Thanks
Lee
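An added offline evaluator (not from the post and not BIND's own code) that walks the rpz.zone rules above against the post's check list. It assumes BIND's documented rule precedence, where QNAME triggers are consulted before response-IP triggers and rpz-passthru. ends processing; the rule table, the rpz-ip decoding and the answer addresses are constructed from the post.

```python
import ipaddress

# Constructed from the rpz.zone in the post: (owner, CNAME rdata). Hypothetical helper, not BIND code.
RPZ_RULES = [
    ("onea.net-snmp.org", "rpz-passthru."),
    ("twoa.net-snmp.org", "rpz-passthru."),
    ("localhost", "rpz-passthru."),
    ("localhost.home.net", "rpz-passthru."),
    ("8.0.0.0.127.rpz-ip", "."),
]
# The two RPZ actions the post uses, keyed by the CNAME target that encodes them.
ACTIONS = {"rpz-passthru.": "PASSTHRU", ".": "NXDOMAIN"}

def parse_rpz_ip(owner):
    """Decode an rpz-ip owner <prefix>.<octets in reverse>.rpz-ip into an ip_network, else None."""
    labels = owner.lower().split(".")
    if labels[-1] != "rpz-ip":
        return None
    prefix, octets = int(labels[0]), labels[1:-1]
    return ipaddress.ip_network(".".join(reversed(octets)) + f"/{prefix}", strict=False)

def evaluate(qname, answer_ips, rules=RPZ_RULES):
    """Return (action, reason) for a response. Assumed precedence: QNAME triggers are
    checked before response-IP triggers, and PASSTHRU stops further RPZ processing."""
    qname = qname.rstrip(".").lower()
    for owner, rdata in rules:
        if not owner.endswith(".rpz-ip") and owner.lower() == qname:
            return ACTIONS.get(rdata, "OTHER"), f"qname rule {owner}"
    for owner, rdata in rules:
        net = parse_rpz_ip(owner)
        if net is None:
            continue
        for ip in answer_ips:
            if ipaddress.ip_address(ip) in net:
                return ACTIONS.get(rdata, "OTHER"), f"rpz-ip {net} matched answer {ip}"
    return "NONE", "no trigger matched"

# The post's check list, with both of the rebinding name's alternating answers as constructed input.
CHECKS = [
    ("localhost", ["127.0.0.1"]),
    ("onea.net-snmp.org", ["127.0.0.1"]),
    ("twoa.net-snmp.org", ["127.0.0.2", "127.0.0.3"]),
    ("7f000001.c7f11de3.rbndr.us", ["199.241.29.227"]),
    ("7f000001.c7f11de3.rbndr.us", ["127.0.0.1"]),
]

def run_checks(checks=CHECKS):
    """Evaluate each check; returns {(qname, answers): action}."""
    return {(q, tuple(a)): evaluate(q, a)[0] for q, a in checks}
```

Running `run_checks()` shows why the passthru lines are needed under these rules: without its QNAME entry, localhost's own 127.0.0.1 answer would fall through to the rpz-ip trigger and be rewritten to NXDOMAIN.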

