@jatrost
Last active May 14, 2018 10:52
Bind9 with RPZs

This is a mini tutorial on getting bind9 on Ubuntu 12.04 working with Response Policy Zones (RPZ). See this for more info: http://www.zytrax.com/books/dns/ch9/rpz.html.

Install bind and make sure it is working

$ sudo apt-get install bind9
$ sudo /etc/init.d/bind9 status
 * bind9 is running
$ dig www.google.com @127.0.0.1

; <<>> DiG 9.8.1-P1 <<>> www.google.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29910
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.            IN  A

;; ANSWER SECTION:
www.google.com.     300 IN  A   74.125.239.113
www.google.com.     300 IN  A   74.125.239.114
www.google.com.     300 IN  A   74.125.239.115
www.google.com.     300 IN  A   74.125.239.116
www.google.com.     300 IN  A   74.125.239.112

;; AUTHORITY SECTION:
google.com.     172799  IN  NS  ns1.google.com.
google.com.     172799  IN  NS  ns3.google.com.
google.com.     172799  IN  NS  ns4.google.com.
google.com.     172799  IN  NS  ns2.google.com.

;; Query time: 1126 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jun 22 01:43:13 2014
;; MSG SIZE  rcvd: 184

Configure bind

Create these files:

  • /etc/bind/db.rpz.zone
  • /etc/bind/rpz.zone

/etc/bind/db.rpz.zone

$TTL 1H
@                       SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
                        NS  LOCALHOST.

; QNAME policy records.  There are no periods (.) after the owner names.
nxdomain.domain.com     CNAME   .               ; NXDOMAIN policy
nodata.domain.com       CNAME   *.              ; NODATA policy
bad.domain.com          A       10.0.0.1        ; redirect to a walled garden
                        AAAA    2001:2::1

; do not rewrite (PASSTHRU) OK.DOMAIN.COM
ok.domain.com           CNAME   rpz-passthru.

bzone.domain.com        CNAME   garden.example.com.

; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
*.bzone.domain.com      CNAME   *.garden.example.com.


; IP policy records that rewrite all answers for 127/8 except 127.0.0.1
8.0.0.0.127.rpz-ip      CNAME   .
32.1.0.0.127.rpz-ip     CNAME   rpz-passthru.

; these are Google's IPs
32.112.239.125.74.rpz-ip    CNAME .
32.113.239.125.74.rpz-ip    CNAME .
32.114.239.125.74.rpz-ip    CNAME .
32.115.239.125.74.rpz-ip    CNAME .
32.116.239.125.74.rpz-ip    CNAME .

; NSDNAME and NSIP policy records
ns.domain.com.rpz-nsdname   CNAME   .
48.zz.2.2001.rpz-nsip       CNAME   .
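
The records above are hand-written; as an added example (not part of the gist) here is a small Python helper that produces the same record types from a list of domains and IP networks, so a blocklist can be turned into db.rpz.zone data without encoding the reversed rpz-ip labels by hand. It generalizes the page's entries to arbitrary prefix lengths and IPv6 ("zz" stands for the "::" run, as in the rpz-nsip record above); the ACTIONS names and function names are my own.

```python
import ipaddress

# Policy actions as written in the tutorial's db.rpz.zone (names are mine).
ACTIONS = {
    "nxdomain": "CNAME .",              # return NXDOMAIN
    "nodata": "CNAME *.",               # return NODATA
    "passthru": "CNAME rpz-passthru.",  # leave the real answer untouched
}

def rpz_ip_owner(network, suffix="rpz-ip"):
    """Encode a network as an RPZ address trigger: <prefix>.<reversed addr>.<suffix>.

    IPv4 reverses the dotted octets (74.125.239.112/32 -> 32.112.239.125.74.rpz-ip).
    IPv6 reverses the hex groups and the '::' run becomes the label 'zz'
    (2001:2::/48 -> 48.zz.2.2001.rpz-nsip when suffix='rpz-nsip').
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        labels = str(net.network_address).split(".")[::-1]
    else:
        head, sep, tail = net.network_address.compressed.partition("::")
        labels = [g for g in head.split(":") if g]
        labels += ["zz"] if sep else []
        labels += [g for g in tail.split(":") if g]
        labels.reverse()
    return f"{net.prefixlen}." + ".".join(labels) + f".{suffix}"

def qname_record(name, action, target=None):
    """One QNAME policy record; owner names carry no trailing dot."""
    owner = name.rstrip(".")
    if action == "walled-garden":          # hand the client a sinkhole address
        addr = ipaddress.ip_address(target)
        return f"{owner} {'A' if addr.version == 4 else 'AAAA'} {addr}"
    if action == "cname":                  # redirect to an absolute name
        return f"{owner} CNAME {target.rstrip('.')}."
    return f"{owner} {ACTIONS[action]}"

def build_zone(serial, records):
    """Zone text with the tutorial's SOA/NS apex followed by the policy records."""
    apex = ["$TTL 1H",
            f"@ SOA LOCALHOST. named-mgr.example.com. ({serial} 1h 15m 30d 2h)",
            "  NS LOCALHOST."]
    return "\n".join(apex + list(records)) + "\n"

if __name__ == "__main__":
    # Constructed sample: the tutorial's Google addresses plus two QNAME rules.
    recs = [qname_record("bad.domain.com", "walled-garden", "10.0.0.1"),
            qname_record("ok.domain.com", "passthru")]
    for host in range(112, 117):
        recs.append(rpz_ip_owner(f"74.125.239.{host}/32") + " CNAME .")
    print(build_zone(2, recs), end="")
```

Run named-checkzone rpz.zone on the generated file before loading it, since a malformed record stops the whole zone from loading.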

/etc/bind/rpz.zone

zone "rpz.zone" {
        type master;
        file "/etc/bind/db.rpz.zone";
        allow-query {none;};
};

Modify these files:

  • /etc/bind/named.conf.options
  • /etc/bind/named.conf.local

/etc/bind/named.conf.options

Add response-policy { zone "rpz.zone"; }; inside the options block at the bottom.

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        response-policy { zone "rpz.zone"; };
};

/etc/bind/named.conf.local

Add the line include "/etc/bind/rpz.zone"; at the end of the file.

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

include "/etc/bind/rpz.zone";

Restart Bind

sudo /etc/init.d/bind9 restart

Test it

Google's addresses are listed as rpz-ip triggers, so this query should return NXDOMAIN. This only holds while www.google.com still resolves into 74.125.239.*; if the answer addresses change, the rpz-ip records no longer match and the response comes back unmodified.

$ dig www.google.com @127.0.0.1

; <<>> DiG 9.8.1-P1 <<>> www.google.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57538
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.			IN	A

;; AUTHORITY SECTION:
rpz.zone.		3600	IN	SOA	LOCALHOST. named-mgr.example.com.rpz.zone. 1 3600 900 2592000 7200

;; Query time: 143 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jun 22 01:32:36 2014
;; MSG SIZE  rcvd: 107

Any name under bzone.domain.com should be rewritten to a CNAME pointing at the matching name under garden.example.com. The status is NXDOMAIN here because the CNAME target does not exist in example.com (note the example.com SOA in the AUTHORITY section), but the rewritten CNAME is still returned in the answer.

$ dig @127.0.0.1 abc.bzone.domain.com

; <<>> DiG 9.8.1-P1 <<>> @127.0.0.1 abc.bzone.domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48011
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;abc.bzone.domain.com.		IN	A

;; ANSWER SECTION:
abc.bzone.domain.com.	3600	IN	CNAME	*.garden.example.com.

;; AUTHORITY SECTION:
example.com.		3600	IN	SOA	sns.dns.icann.org. noc.dns.icann.org. 2014051867 7200 3600 1209600 3600

;; Query time: 1911 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jun 22 01:33:15 2014
;; MSG SIZE  rcvd: 126

bad.domain.com should return NOERROR but resolve to the internal walled-garden address (10.0.0.1).

$ dig @127.0.0.1 bad.domain.com 

; <<>> DiG 9.8.1-P1 <<>> @127.0.0.1 bad.domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14317
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;bad.domain.com.			IN	A

;; ANSWER SECTION:
bad.domain.com.		3600	IN	A	10.0.0.1

;; AUTHORITY SECTION:
rpz.zone.		3600	IN	NS	LOCALHOST.

;; ADDITIONAL SECTION:
LOCALHOST.		604800	IN	A	127.0.0.1
LOCALHOST.		604800	IN	AAAA	::1

;; Query time: 194 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jun 22 01:33:58 2014
;; MSG SIZE  rcvd: 123
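
The three dig runs above are checked by eye; as an added example (not part of the gist) here is a Python script that runs the same queries with dig, parses the output and reports whether each policy took effect, which is useful after every zone change. The EXPECTED table, the function names and the SAMPLE text are my own constructions based on the outputs shown on this page; check_live() needs dig and a running bind on 127.0.0.1, and the www.google.com check will report False once Google's addresses leave 74.125.239.*.

```python
import re
import subprocess

# Expected outcomes for the tutorial's three test queries (constructed table):
# name -> (rcode, text that must appear in an ANSWER record, or None)
EXPECTED = {
    "www.google.com": ("NXDOMAIN", None),            # rpz-ip trigger on 74.125.239.*
    "abc.bzone.domain.com": ("NXDOMAIN", "*.garden.example.com."),
    "bad.domain.com": ("NOERROR", "10.0.0.1"),       # walled garden
}

def parse_dig(text):
    """Return (rcode, answer records) from dig's default human-readable output."""
    m = re.search(r"status: (\w+)", text)
    rcode = m.group(1) if m else None
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer and not line.strip():
            in_answer = False                  # blank line ends the section
        elif in_answer and not line.startswith(";"):
            answers.append(line)
    return rcode, answers

def policy_applied(text, rcode, needle):
    """True when the rcode matches and (if given) needle appears in an answer."""
    got, answers = parse_dig(text)
    return got == rcode and (needle is None or any(needle in a for a in answers))

def check_live(server="127.0.0.1"):
    """Query the resolver with dig and report which policies took effect."""
    report = {}
    for name, (rcode, needle) in EXPECTED.items():
        proc = subprocess.run(["dig", f"@{server}", name],
                              capture_output=True, text=True)
        report[name] = policy_applied(proc.stdout, rcode, needle)
    return report

# Constructed sample modelled on the tutorial's bad.domain.com output.
SAMPLE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14317
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;bad.domain.com.\t\t\tIN\tA

;; ANSWER SECTION:
bad.domain.com.\t\t3600\tIN\tA\t10.0.0.1

;; AUTHORITY SECTION:
rpz.zone.\t\t3600\tIN\tNS\tLOCALHOST.
"""

if __name__ == "__main__":
    print(check_live())
```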