[External] Re: Request assistance configuring RPZ

Jon xmatt.is at gmail.com
Wed May 29 21:15:27 UTC 2019


Hi Grant,

I don't usually wade in on these but I also believe RPZ would be the
simplest way to achieve this.

You're close I think. Using Carl's information and what you've done there,
add the following.

In order to keep the same zone working with 10. addressing for all other
(not in bubble) clients, create CNAME records in your master internal.local
zone for the two records you want to have a 192. address for.  On the
same master, create a new zone holding the A record your CNAME
will resolve to, with a 10. address.  This will take care of all clients not in
the bubble.

On zurg, with your RPZ, have that configured for the same domain as the new
domain you've created on the master.

This should mean that all queries are forwarded to your other boxes,
except anything for that domain in the RPZ. The initial query for andy or
sid will be forwarded to the forwarding servers but will return a CNAME to
the zurg recursor. Zurg should then go to resolve the CNAME but check its
RPZ first, responding with the 192.x addressing you've got in the RPZ for
each of the two hosts.

It's not tidy, I'll give you that, but this is an interesting scenario for
more than just the DNS: you're bridging 2 networks with multiple
multi-homed machines. This is not recommended from a security perspective
and should use a gateway/FW to perform this work, routing between the
networks.

All the best.
Jon

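The two-server layout Jon describes, written out as BIND configuration. This is an added illustration, not configuration posted in the thread: the helper zone name bridge.internal.local, the 10.0.0.x and 192.168.1.x addresses, the forwarder address, the server names and the file names are all assumptions chosen for the example; the RPZ zone name rpz.internal.local is the one in Carl's dig command.

```conf
;; --- On the master, authoritative for internal.local ---
;; Fragment of the internal.local zone file: the two bridged hosts become
;; CNAMEs into a separate helper zone instead of carrying A records.
$ORIGIN internal.local.
andy    IN CNAME andy.bridge.internal.local.
sid     IN CNAME sid.bridge.internal.local.

;; Zone file for the helper zone bridge.internal.local (name assumed).
;; These are the 10.x answers every client outside the bubble gets.
$ORIGIN bridge.internal.local.
$TTL 300
@       IN SOA   master.internal.local. hostmaster.internal.local. (
                 2019053001 3600 600 86400 300 )
        IN NS    master.internal.local.
andy    IN A     10.0.0.11      ; assumed address
sid     IN A     10.0.0.12      ; assumed address

// --- On zurg, the recursor for the bubble clients: named.conf ---
options {
    recursion yes;
    forwarders { 10.0.0.53; };      // assumed address of the existing resolvers
    forward only;
    // response-policy goes in the global options, as Carl notes
    response-policy { zone "rpz.internal.local"; };
};

zone "rpz.internal.local" {
    type master;
    file "rpz.internal.local.db";
    allow-query { localhost; };     // policy data, not a zone to publish
    allow-transfer { none; };       // widen temporarily for Carl's AXFR test
};

;; Zone file rpz.internal.local.db on zurg. The owner name of each rule is
;; the name being looked up (the CNAME target from the master), and the
;; record is the 192.x "local data" answer bubble clients get instead.
$ORIGIN rpz.internal.local.
$TTL 300
@       IN SOA   zurg.internal.local. hostmaster.internal.local. (
                 2019053001 3600 600 86400 300 )
        IN NS    localhost.
andy.bridge.internal.local  IN A  192.168.1.11   ; assumed address
sid.bridge.internal.local   IN A  192.168.1.12   ; assumed address
```

After editing named.conf on zurg, run `rndc reconfig` and then Carl's `dig rpz.internal.local axfr @zurg` (which needs `allow-transfer` to include the host you run dig from; tighten it again afterwards, since the RPZ zone lists exactly which hosts are bridged). Then check the end-to-end behaviour from inside the bubble with `dig andy.internal.local @zurg`: the answer should carry the CNAME from the master and the 192.x A record from the RPZ, while the same query against the forwarders directly returns the 10.x address from bridge.internal.local. Keeping `allow-query` on the RPZ zone limited to localhost stops other machines from reading the policy data directly while still letting zurg apply it to its own recursive answers.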

On Thu, 30 May 2019, 02:14 Carl Byington via bind-users, <
bind-users at lists.isc.org> wrote:

> On Wed, 2019-05-29 at 09:05 -0400, David Bank wrote:
> > Re-reading the ARM, it seemed to me that I needed to add a
>
> After adding the zone and the response-policy statement to named.conf, I
> presume you did:
>
>     rndc reconfig
>
> To test that, you can:
>
>     dig rpz.internal.local axfr @zurg
>
> That should dump the rpz zone, and verify that zurg is serving it. The
> response-policy should be in the global options.
>