scripts-to-block-domains
MEjaz
mejaz at cyberia.net.sa
Tue Jul 14 06:31:53 UTC 2020
Thanks for your quick response,
I did that here is the statement in option section.
-----Original Message-----
From: Daniel Stirnimann [mailto:daniel.stirnimann at switch.ch]
Sent: Tuesday, July 14, 2020 9:25 AM
To: MEjaz <mejaz at cyberia.net.sa>; bind-users at lists.isc.org
Subject: Re: scripts-to-block-domains
Hello Mohammed,
I don't see that you specified a "response-policy" [1] statement. You need
something like this as well:
response-policy {
zone "rpz.local" policy given;
}
// Apply RPZ policy to DNSSEC signed zones break-dnssec yes ;
[1]
<https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/html/reference.html#response
-policy-zone-rpz-rewriting>
https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/html/reference.html#response-
policy-zone-rpz-rewriting
Daniel
On 14.07.20 08:08, MEjaz wrote:
> Hello all,
>
>
>
> Thanks for every one's contribution. I use RPZ and listed 5000
> forged domain to block it in a particular zone without having
> addiotnal zones, I hope that's the feature of RPZ, Seems good.
>
>
>
> Below is snippet for your review for the zone and file db.rpz.local
> which was copied from the default named.empty.
>
>
>
> zone "rpz.local" {
>
> type master;
>
> file "db.rpz.local";
>
> allow-query { localhost; };
>
> };
>
>
>
>
>
>
>
>
>
>
>
> Once this configuration done I am expecting that whoever quarried to
> our name server for a zone which Is listed in my dns server should not
> allow users to fetch any records as recursive from outside servers, it
> should server from the internal servers only?
>
>
>
> When I test my configuration with one of the hosted domain in my list
> i.e doubleclick.net, I got all the results rather than throwing an
> error. please correct if I am wrong..
>
>
>
>
>
>
>
>
>
>
>
> Here are the logs.
>
>
>
> [root at ns20 ~]# tailf /var/log/named/rpz.log
>
> 14-Jul-2020 06:49:53.582 rpz: info: client 212.71.32.20#38120: rpz
> QNAME NXDOMAIN rewrite test.doubleclick.net via
> test.doubleclick.net.rpz.local
>
> 14-Jul-2020 06:49:55.370 rpz: info: client 213.210.231.227#26654: rpz
> QNAME NXDOMAIN rewrite securepubads.g.doubleclick.net via
> securepubads.g.doubleclick.net.rpz.local
>
> 14-Jul-2020 06:50:04.445 rpz: info: client 212.71.32.20#48178: rpz
> QNAME NXDOMAIN rewrite mail.doubleclick.net via
> mail.doubleclick.net.rpz.local
>
> 14-Jul-2020 06:50:09.079 rpz: info: client 213.210.231.227#16492: rpz
> QNAME NXDOMAIN rewrite stats.g.doubleclick.net via
> stats.g.doubleclick.net.rpz.local
>
> c14-Jul-2020 06:52:07.353 rpz: info: client 213.210.253.163#58635: rpz
> QNAME NXDOMAIN rewrite stats.l.doubleclick.net via
> stats.l.doubleclick.net.rpz.local
>
> 14-Jul-2020 06:52:25.272 rpz: info: client 213.210.253.163#57975: rpz
> QNAME NXDOMAIN rewrite pagead.l.doubleclick.net via
> pagead.l.doubleclick.net.rpz.local
>
> 14-Jul-2020 06:55:03.973 rpz: info: client 213.181.164.207#31366: rpz
> QNAME NXDOMAIN rewrite googleads.g.doubleclick.net via
> googleads.g.doubleclick.net.rpz.local
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20200714/f1b9f2c7/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 11774 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20200714/f1b9f2c7/attachment-0001.png>
More information about the bind-users
mailing list