scripts-to-block-domains

MEjaz mejaz at cyberia.net.sa
Tue Jul 14 06:31:53 UTC 2020


Thanks for your quick response,

I did that; here is the statement in the options section.


-----Original Message-----
From: Daniel Stirnimann [mailto:daniel.stirnimann at switch.ch] 
Sent: Tuesday, July 14, 2020 9:25 AM
To: MEjaz <mejaz at cyberia.net.sa>; bind-users at lists.isc.org
Subject: Re: scripts-to-block-domains

Hello Mohammed,

I don't see that you specified a "response-policy" [1] statement. You need
something like this as well:

response-policy {
    zone "rpz.local" policy given;
}
// Apply RPZ policy to DNSSEC signed zones
break-dnssec yes;

[1] https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/html/reference.html#response-policy-zone-rpz-rewriting


Daniel

On 14.07.20 08:08, MEjaz wrote:

> Hello all,
>
> Thanks for everyone's contribution. I use RPZ and listed 5000
> forged domains to block in a particular zone without having
> additional zones; I hope that's the feature of RPZ. Seems good.
>
> Below is a snippet for your review for the zone and file db.rpz.local,
> which was copied from the default named.empty.
>
> zone "rpz.local" {
>     type master;
>     file "db.rpz.local";
>     allow-query { localhost; };
> };
>

> Once this configuration is done, I am expecting that whoever queries
> our name server for a zone which is listed in my DNS server should not
> be allowed to fetch any records recursively from outside servers; it
> should be served from the internal servers only?
>
> When I test my configuration with one of the hosted domains in my list,
> i.e. doubleclick.net, I got all the results rather than throwing an
> error. Please correct me if I am wrong.
>

> Here are the logs.
>
> [root@ns20 ~]# tailf /var/log/named/rpz.log
> 14-Jul-2020 06:49:53.582 rpz: info: client 212.71.32.20#38120: rpz QNAME NXDOMAIN rewrite test.doubleclick.net via test.doubleclick.net.rpz.local
> 14-Jul-2020 06:49:55.370 rpz: info: client 213.210.231.227#26654: rpz QNAME NXDOMAIN rewrite securepubads.g.doubleclick.net via securepubads.g.doubleclick.net.rpz.local
> 14-Jul-2020 06:50:04.445 rpz: info: client 212.71.32.20#48178: rpz QNAME NXDOMAIN rewrite mail.doubleclick.net via mail.doubleclick.net.rpz.local
> 14-Jul-2020 06:50:09.079 rpz: info: client 213.210.231.227#16492: rpz QNAME NXDOMAIN rewrite stats.g.doubleclick.net via stats.g.doubleclick.net.rpz.local
> 14-Jul-2020 06:52:07.353 rpz: info: client 213.210.253.163#58635: rpz QNAME NXDOMAIN rewrite stats.l.doubleclick.net via stats.l.doubleclick.net.rpz.local
> 14-Jul-2020 06:52:25.272 rpz: info: client 213.210.253.163#57975: rpz QNAME NXDOMAIN rewrite pagead.l.doubleclick.net via pagead.l.doubleclick.net.rpz.local
> 14-Jul-2020 06:55:03.973 rpz: info: client 213.181.164.207#31366: rpz QNAME NXDOMAIN rewrite googleads.g.doubleclick.net via googleads.g.doubleclick.net.rpz.local
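The two practical pieces of this thread are the RPZ zone file that holds the block-list (the quoted zone "rpz.local" above) and the rpz.log lines that show the rewrites once response-policy is active. The following Python script is an added example, not code from the thread, from ISC or from either poster: build_rpz_zone() turns a plain domain list into an RPZ zone that answers NXDOMAIN (the RPZ "CNAME ." action) for each domain and, by assumption, for all of its subdomains via a wildcard entry, and parse_rpz_log() reads log lines in the format shown above and counts rewrites per client and per rewritten name. The block-list, the SOA/NS names, the serial and the sample log lines are constructed for the example.

```python
"""Added example (not from the thread): build a BIND RPZ zone file from a
domain block-list and summarise rpz.log rewrite lines.

Assumptions not stated in the thread: blocked names should return NXDOMAIN,
which RPZ expresses as "CNAME .", and a wildcard entry is added so that
subdomains such as stats.g.doubleclick.net are caught by the doubleclick.net
entry.  The log format is the one shown in the thread.
"""
import re
from collections import Counter

# Constructed sample block-list standing in for the 5000-entry list in the thread.
SAMPLE_DOMAINS = ["doubleclick.net", "example-ads.test", "Example-Ads.TEST."]

# Constructed log lines in the format shown in the thread (one is deliberately noise).
SAMPLE_LOG = """\
14-Jul-2020 06:49:53.582 rpz: info: client 212.71.32.20#38120: rpz QNAME NXDOMAIN rewrite test.doubleclick.net via test.doubleclick.net.rpz.local
14-Jul-2020 06:49:55.370 rpz: info: client 213.210.231.227#26654: rpz QNAME NXDOMAIN rewrite securepubads.g.doubleclick.net via securepubads.g.doubleclick.net.rpz.local
14-Jul-2020 06:50:04.445 rpz: info: client 212.71.32.20#48178: rpz QNAME NXDOMAIN rewrite mail.doubleclick.net via mail.doubleclick.net.rpz.local
not an rpz line
"""

# Matches the "rpz: info: client IP#port: rpz TRIGGER ACTION rewrite NAME via RULE" shape.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rpz: info: client (?P<ip>[^#]+)#\d+: "
    r"rpz (?P<trigger>QNAME|IP|NSDNAME|NSIP|CLIENT-IP) (?P<action>\S+) "
    r"rewrite (?P<qname>\S+) via (?P<rule>\S+)$"
)


def normalize_domains(domains):
    """Lower-case, strip whitespace and a trailing dot, drop duplicates, keep order."""
    seen = set()
    out = []
    for d in domains:
        d = d.strip().lower().rstrip(".")
        if d and d not in seen:
            seen.add(d)
            out.append(d)
    return out


def build_rpz_zone(domains, origin="rpz.local", serial=2020071401):
    """Return the text of an RPZ zone that answers NXDOMAIN for each domain
    and all of its subdomains ("CNAME ." is the RPZ NXDOMAIN action).
    SOA/NS names and the serial are hypothetical placeholders."""
    lines = [
        "$TTL 1H",
        f"$ORIGIN {origin}.",
        f"@ IN SOA localhost. root.localhost. {serial} 1H 15M 1W 1H",
        "@ IN NS localhost.",
    ]
    for d in normalize_domains(domains):
        lines.append(f"{d} CNAME .")      # exact name
        lines.append(f"*.{d} CNAME .")    # every subdomain (assumption: wanted)
    return "\n".join(lines) + "\n"


def parse_rpz_log(text):
    """Parse rpz.log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Count rewrites per client IP and per rewritten query name."""
    by_client = Counter(e["ip"] for e in events)
    by_qname = Counter(e["qname"] for e in events)
    return by_client, by_qname


if __name__ == "__main__":
    print(build_rpz_zone(SAMPLE_DOMAINS))
    by_client, by_qname = summarize(parse_rpz_log(SAMPLE_LOG))
    print("rewrites per client:", by_client.most_common())
    print("rewrites per name:  ", by_qname.most_common())
```

The generated zone is only consulted once named.conf carries a response-policy statement naming it, as Daniel's reply explains; the log summary is the quickest way to confirm that the policy is actually firing and which clients and names it is hitting.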
