Questions tagged [rpz]

Response Policy Zones (RPZ) are a form of DNS firewall: the policy actions are defined as records within a DNS zone file.

25 questions

6 votes, 1 answer

BIND, RPZ and Forwarding priorities

My objective is to block certain domains in bind WITHOUT first looking up their address (this is a small caching bind dns server). Currently my configuration will forward the request for badhost.com and get the IP address (I can see this in…
Jon T

6 votes, 1 answer

Set up BIND9 as DNS Firewall

With OpenDNS now needing one to be on the pro package to have filtering turned on, being on a tight budget, we are in need of free DNS filtering. After reading this link on how to block domains with bind, I collected SquidGuard blacklists and…
belteshazzar

4 votes, 1 answer

Alternative ways to get past 32 rpz zone limit in BIND? ...without running BIND a thousand times

Using BIND RPZs gives me exactly what I'm looking for to alter queries. However, my recursive DNS server is in use by hundreds of clients and I am looking for a way to allow each client some level of customization. There's possibly a couple hundred…
user74078

3 votes, 1 answer

RPZ CNAME leaks usage of RPZ

For history reasons we have both internal (192.168.0.0/16) and public IPs on hosts on one domain (example.com). I now want to split this up so that internal hostnames are not resolved for external users. My current plan is to use bind with RPZ. my…
Clemens Bergmann

2 votes, 2 answers

'query_getzonedb()failed: Zone Not Loaded' error in DNS logs

While investigating an incident, I noticed an error in my syslog that looks like this (anonymized): Feb 3 21:59:59 ns1 named[18824]: client xxx.xxx.xxx.xxx#2091 (us-east1-aws.api.snapchat.com): view MyView: rpz QNAME rewrite…
Watki02

2 votes, 0 answers

BIND different forwarder based on response ip (rpz-ip)

I have a recursive BIND dns server. forwarders { 8.8.8.8; }; Is it possible to change the forwarder based on response ip? For example if the response is 192.168.1.1 then forward/redirect it to other forwarder? //if response…
Omid Kosari

2 votes, 2 answers

Can DNS RPZ firewalls protect against IP Access?

I am looking into DNS-RPZ firewalls. Can they protect against users browsing to http://{ip-address}? If so how does that work? Given no name resolution is required?
Adam Mills

2 votes, 1 answer

How to automatically rewrite response records obtained using recursion in BIND?

I'm using Bind 9.9.4 on a hypervisor (let's call the hypervisor A) for VMs. The hypervisor has a VPN connection to a different host (let's call it B), which also has a public IP. The bind on hypervisor A is used by the VMs and won't answer to requests…
Jonas Schäfer

1 vote, 0 answers

Why does my Bind RPZ config work for one host, but not the other (SERVFAIL)

I have some hosts in a DMZ which need to use LDAP resources on the LAN. We don't forward DNS into the LAN, so instead of adding entries in individual /etc/hosts, I decided to try a Bind RPZ zone to handle DNS to keep all the workarounds in one…
Server Fault

1 vote, 1 answer

serve the root zone with bind and utilize RPZ

I have some problems with configuring BIND as my private server at root zone. I have tried the dot "." (had read somewhere) and an empty string "" (my bad guess) as for the root zone identifier (which both have syntax errors) zone "." { ; sorry …
F.I.V

1 vote, 1 answer

Certificate Errors on "redirection" in DNS RPZ of https/ssl

I've set up a DNS RPZ where I "redirect" users to a walled garden using DNS RPZ records when users try to access a list of bad sites. Let's say a user tries to access badsite.com. The redirection to my walled garden for http connections works but…

1 vote, 0 answers

Is there a way to block a specific query type on bind

I've been trying to find a way to block the WKS query type from our bind servers. We have found that it is extensively used by tunneling software. I tried using RPZ but I'm not sure on how to block a query type instead of domain. However there seems…

1 vote, 0 answers

How to block AAAA answers for certain domains using RPZ?

Is it possible to block AAAA answers being sent back to clients from a local dns server, but only for certain forward dns domains? I know I can do the filtering based on ipv6 subnet (working sample below), but I would like to filter out based on…
vobelic

1 vote, 0 answers

Why does BIND perform a double query before answering NXDOMAIN for a RPZ (response-policy zone)?

The goal is to have a local DNS server with the following specifics: split DNS setup that resolves a FQDN (e.g. localdomain.com) to a local IP instead of the external IP; use a RPZ (response policy zone) to answer certain DNS lookups with a NXDOMAIN…
thomas1985

0 votes, 1 answer

Log category RPZ to syslog in BIND 9

I am running a chrooted BIND 9.11 server on FreeBSD 11.2 that has a RPZ configured. It is currently logging RPZ hits in a file, but I would like to (also) send them to syslog. I can see other log entries (not RPZ) from BIND in /var/log/messages…
scherand