<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoPlainText>Hello all, <o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Thanks for every one’s contribution. I use RPZ and listed 5000 forged domain to block it in a particular zone without having addiotnal zones, I hope that’s the feature of RPZ, Seems good. <o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Below is snippet for your review for the zone and file db.rpz.local which was copied from the default named.empty. <o:p></o:p></p><div style='mso-element:para-border-div;border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'><p class=MsoPlainText style='border:none;padding:0in'><o:p> </o:p></p></div><p class=MsoPlainText>zone "rpz.local" {<o:p></o:p></p><p class=MsoPlainText> type master;<o:p></o:p></p><p class=MsoPlainText> file "db.rpz.local";<o:p></o:p></p><p class=MsoPlainText> allow-query { localhost; };<o:p></o:p></p><p class=MsoPlainText>};<o:p></o:p></p><div style='mso-element:para-border-div;border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'><p class=MsoPlainText style='border:none;padding:0in'><o:p> </o:p></p></div><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><img width=615 height=391 id="Picture_x0020_3" src="cid:image002.png@01D659BD.20532820"><o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> <o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Once this configuration done I am expecting that whoever quarried to our name server for a zone which Is listed in my dns server should not allow users to fetch any records as recursive from outside servers, it should server from the internal servers only? <o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>When I test my configuration with one of the hosted domain in my list i.e doubleclick.net, I got all the results rather than throwing an error. please correct if I am wrong.. <o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><img width=660 height=290 id="Picture_x0020_1" src="cid:image001.png@01D659BB.546240D0"><o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Here are the logs. <o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>[root@ns20 ~]# tailf /var/log/named/rpz.log<o:p></o:p></p><p class=MsoPlainText>14-Jul-2020 06:49:53.582 rpz: info: client 212.71.32.20#38120: rpz QNAME NXDOMAIN rewrite test.doubleclick.net via test.doubleclick.net.rpz.local<o:p></o:p></p><p class=MsoPlainText>14-Jul-2020 06:49:55.370 rpz: info: client 213.210.231.227#26654: rpz QNAME NXDOMAIN rewrite securepubads.g.doubleclick.net via securepubads.g.doubleclick.net.rpz.local<o:p></o:p></p><p class=MsoPlainText>14-Jul-2020 06:50:04.445 rpz: info: client 212.71.32.20#48178: rpz QNAME NXDOMAIN rewrite mail.doubleclick.net via mail.doubleclick.net.rpz.local<o:p></o:p></p><p class=MsoPlainText>14-Jul-2020 06:50:09.079 rpz: info: client 213.210.231.227#16492: rpz QNAME NXDOMAIN rewrite stats.g.doubleclick.net via stats.g.doubleclick.net.rpz.local<o:p></o:p></p><p class=MsoPlainText>c14-Jul-2020 06:52:07.353 rpz: info: client 213.210.253.163#58635: rpz QNAME NXDOMAIN rewrite stats.l.doubleclick.net via stats.l.doubleclick.net.rpz.local<o:p></o:p></p><p class=MsoPlainText>14-Jul-2020 06:52:25.272 rpz: info: client 213.210.253.163#57975: rpz QNAME NXDOMAIN rewrite pagead.l.doubleclick.net via pagead.l.doubleclick.net.rpz.local<o:p></o:p></p><p class=MsoPlainText>14-Jul-2020 06:55:03.973 rpz: info: client 213.181.164.207#31366: rpz QNAME NXDOMAIN rewrite googleads.g.doubleclick.net via googleads.g.doubleclick.net.rpz.local<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>-----Original Message-----<br>From: bind-users [mailto:bind-users-bounces@lists.isc.org] On Behalf Of Grant Taylor via bind-users<br>Sent: Monday, July 13, 2020 10:45 PM<br>To: bind-users@lists.isc.org<br>Subject: Re: scripts-to-block-domains</p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>On 7/13/20 12:44 AM, MEjaz wrote:<o:p></o:p></p><p class=MsoPlainText>> Hell all,<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Hi,<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>> I have an requirement from our national Cyber security to block <o:p></o:p></p><p class=MsoPlainText>> several thousand forged domains from our recursive servers, Is there <o:p></o:p></p><p class=MsoPlainText>> any way we can add clause in named.conf to scan such bogus domain list <o:p></o:p></p><p class=MsoPlainText>> without impacting the performance of the servers.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>$RPZ++<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>If you can't use RPZ, then you /can/ create skeleton zones to make your server authoritative for the zones in question. However, there are drawbacks to this regarding performance based on the number and size of all the additional zones.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>I would strongly recommend RPZ, or the new Response Policy Service, which there are a few commercial implementations of. RPS is for DNS what milters are for mail servers.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> RPZ is a ""static list.<o:p></o:p></p><p class=MsoPlainText> RPS is an active / dynamic service.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Note: Response Policy Zones can be updated via normal dynamic DNS methods.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>--<o:p></o:p></p><p class=MsoPlainText>Grant. . . .<o:p></o:p></p><p class=MsoPlainText>unix || die<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p></div></body></html>