RPZ and DNS traffic on the server

Alex K rightkicktech at gmail.com
Tue Feb 12 13:50:29 UTC 2019

Hi all,

I have a RPZ setup to whitelist several domains.
The issue I am facing is that, even though domains are blocked, the caching
DNS server still proceeds to resolve the domain. The behavior that I was
hoping to see is the server to not bother resolving the domain if the RPZ
policy replies with NXDOMAIN (domain does not exist).

The bind I am running is 9.10.3.
I have the following configuration:

options {
        directory "/var/cache/bind";
        allow-recursion { localhost; auth; };
        allow-query { localhost; };
        allow-transfer { "none"; };
        querylog yes;

        forwarders { /* forwarder addresses omitted in the post as sent */ };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

view "lan" {
        match-clients { lan; };
        allow-query-cache { localhost; lan; };
        include "/etc/bind/named.conf.local";
        include "/etc/bind/named.conf.default-zones";
};

"lan" and "auth" are defined ACLs.

The RPZ policies and zones are loaded from /etc/bind/named.conf.local, as

response-policy { zone "rpz-whitelist-lan"; zone "rpz-blackhole"; };

zone "rpz-whitelist-lan" {
        type master;
        file "/var/cache/bind/rpz-whitelist-lan.db";
        allow-query { none; };
        allow-transfer { none; };
};

zone "rpz-blackhole" {
        type master;
        file "/var/cache/bind/rpz-blackhole.db";
        allow-query { none; };
        allow-transfer { none; };
};

The content of the rpz-whitelist-lan zone is:

$TTL    1
@       IN      SOA     localhost. root.localhost. (
                  2019021107         ; Serial
                      3H         ; Refresh
                      1H         ; Retry
                      1W         ; Expire
                      60 )       ; Negative Cache TTL

        IN    NS localhost.

; whitelist
google.com                   IN      CNAME   rpz-passthru.
eset.com                 IN      CNAME   rpz-passthru.

while the content of the rpz-blackhole is:

$TTL 60
@            IN    SOA  localhost. root.localhost.  (
                     2019021107    ; serial
                     3H        ; refresh
                     1H        ; retry
                     1W        ; expiry
                     1H)    ; minimum

             IN      NS    localhost.

*                    CNAME .

The configuration is ok, and the whitelisting is functioning as expected,
but I see that the DNS server still generates DNS traffic when querying
domains that are not listed in the whitelist, while the client correctly
receives "domain does not exist".

Is this expected behaviour? Is there any way to make the server avoid
proceeding with the resolution, when the initial client request is
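An added example of the response-policy statement, not from the original post, that tells BIND to answer a QNAME-trigger hit without recursing first. It reuses the poster's two zones and assumes the qname-wait-recurse option, which is documented for BIND 9.10 and later.

```conf
// /etc/bind/named.conf.local (added example; zone names and paths are the poster's)
//
// Policy zones are consulted in the order listed, so the whitelist must
// stay first: its "CNAME rpz-passthru." entries take precedence over the
// blackhole wildcard "* CNAME ." for google.com and eset.com.
//
// qname-wait-recurse no: when a QNAME trigger matches and no earlier
// policy zone carries ip/nsip/nsdname triggers that need recursion
// results, the policy answer is returned at once and no upstream query
// is sent. The default (yes) recurses before applying the trigger,
// which is the upstream traffic observed in the post. Assumed: BIND 9.10+.
response-policy {
        zone "rpz-whitelist-lan";
        zone "rpz-blackhole";
} qname-wait-recurse no;

zone "rpz-whitelist-lan" {
        type master;
        file "/var/cache/bind/rpz-whitelist-lan.db";
        allow-query { none; };
        allow-transfer { none; };
};

zone "rpz-blackhole" {
        type master;
        file "/var/cache/bind/rpz-blackhole.db";
        allow-query { none; };
        allow-transfer { none; };
};
```

After `rndc reload`, a packet capture on the forwarder-facing interface should show no outbound query for a name the blackhole zone answers, while the querylog still records the client query and the NXDOMAIN reply.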
