
I have set up a DNS forwarding server on Ubuntu 20.04 LTS using Bind 9. I need to implement DNS whitelisting, however, I have not found any tutorials which explain how to set it up. I have tried looking at information about Response Policy Zones (RPZs) but they seem to be used only for blacklisting. I have also tried looking at "DNS and BIND 5th ed." but have not found any chapter describing whitelisting.

Please can somebody give me a link to a tutorial explaining to me how to implement whitelisting or explain to me below how it could be set up (and/or post a link containing a repo with the files/settings to put in my DNS server)? Thank you in advance.

P.S. Even though I'd prefer to know how to implement this on BIND, I'm open to other DNS software implementations if there are well documented tutorials about how to set up a DNS forwarder and whitelisting.

jefazo92
  • Check this https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwjd_-WA7Pr4AhUc_rsIHRe_DLUQFnoECAUQAQ&url=https%3A%2F%2Fwww.isc.org%2Fdocs%2FBIND_RPZ.pdf&usg=AOvVaw3Q3BJvQZ_STa-6sIfphoI6 – Blockchain Office Jul 15 '22 at 12:03
  • You might need to start by explaining what you exactly have in mind when saying "I need to implement DNS whitelisting". What is this exactly for you? And where does that requirement come from? (to make sure it is not a X/Y problem) – Patrick Mevzek Jul 15 '22 at 13:08
  • What I have in mind is to implement Alexa's 1 million in my DNS forwarder so that only the domain names from those sites are resolved and everything else is blocked. This is for me. – jefazo92 Jul 15 '22 at 14:28

1 Answer


It should be possible to do this using RPZ, as RPZ has both a way to block based on qname (including wildcards) and a means for punching holes in block entries.
The behavior that complicates what you want a bit is the specifics of how wildcard entries work, in that these only match non-existent names.

For instance if you want to specifically allow only foo.example.com the entries would be something like:

* IN CNAME . ; block names in the root that have no entry in rpz
*.com IN CNAME . ; block names in com that have no entry in rpz
*.example.com IN CNAME . ; block names in example.com that have no entry in rpz
foo.example.com IN CNAME rpz-passthru. ; allow foo.example.com

I.e., with RPZ you would need to not only list the allowed names, but also have block entries for wildcards under each step leading up to those allowed names.

It would certainly be possible to transform a list of specific names you want to allow into such an RPZ zone, and this RPZ zone should work in BIND or any other RPZ-capable resolver implementation.

There are certainly non-RPZ solutions as well, but I do not believe BIND specifically has other actually viable options.
One other option that comes to mind would for instance be a rule based on a CDB or LMDB database lookup in dnsdist (DNS reverse proxy).

Håkan Lindqvist
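The transformation the answer describes (a list of allowed names into an RPZ zone with passthru entries plus wildcard block entries at every ancestor level) as an added example script; it is not code from the question or the answer. The zone name "rpz.allowlist", the SOA/NS placeholder names and the sample allowlist are assumptions chosen here.

```python
"""Build a BIND RPZ zone that resolves only the listed names (allow-only policy).

Added example, not from the original answer.  The zone name "rpz.allowlist"
and the SOA/NS owner names are placeholders; such a zone would be referenced
from named.conf with:  response-policy { zone "rpz.allowlist"; };
"""
from typing import Iterable, List


def rpz_allowlist_records(allowed: Iterable[str]) -> List[str]:
    """Return RPZ records with owner names relative to the zone origin.

    Every allowed name gets a "CNAME rpz-passthru." entry.  Because an RPZ
    wildcard only matches names that have no closer entry in the zone, a
    blocking wildcard ("CNAME .") is emitted for the root and for every
    ancestor of every allowed name: foo.example.com needs "*", "*.com" and
    "*.example.com", exactly as in the answer's hand-written snippet.
    """
    names = sorted({n.strip().rstrip(".").lower() for n in allowed if n.strip()})
    suffixes = {""}  # "" is the root, written as the bare owner name "*"
    for name in names:
        labels = name.split(".")
        for i in range(1, len(labels)):
            suffixes.add(".".join(labels[i:]))
    records = []
    # Shortest suffixes first, so the zone reads top-down like the answer.
    for suffix in sorted(suffixes, key=lambda s: (s.count(".") if s else -1, s)):
        owner = "*" if suffix == "" else f"*.{suffix}"
        records.append(f"{owner} IN CNAME .")
    for name in names:
        records.append(f"{name} IN CNAME rpz-passthru.")
    return records


def rpz_zone_file(allowed: Iterable[str], origin: str = "rpz.allowlist",
                  serial: int = 1) -> str:
    """Wrap the records in a loadable zone file (an RPZ zone needs SOA and NS)."""
    header = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA localhost. root.localhost. {serial} 3600 600 86400 300",
        "@ IN NS localhost.",
    ]
    return "\n".join(header + rpz_allowlist_records(allowed)) + "\n"


if __name__ == "__main__":
    # Constructed sample allowlist standing in for a real list of sites.
    print(rpz_zone_file(["foo.example.com", "www.example.net"]))
```

Subdomains of an allowed name get no entry from this generator, so whether they are blocked or resolved depends on what else is in the zone; add explicit records for them if that matters.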