Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
sanity check: localhost rpz
0 views
Skip to first unread message
Lee
Apr 20, 2018, 9:26:20 AM4/20/18
to bind-users
With a few exceptions, I'd like to block external answers for 127.0.0.0/8
Is the following really how it's supposed to be done? I can see
having to whitelist the net-snmp.org names, but having to whitelist
zones I'm authoritative for seems a bit weird.
named.conf:
options {
...
response-policy { zone "rpz.zone" log yes; } break-dnssec yes
recursive-only no;
};
zone "localhost" in { type master; allow-update{none;}; file
"ZONES/master.localhost"; };
zone "home.net" in { type master; allow-update{none;}; file "ZONES/home.net"; };
rpz.zone:
...
; return NXDOMAIN for any 127.0.0.0/8 answers
; exceptions:
onea.net-snmp.org CNAME rpz-passthru.
twoa.net-snmp.org CNAME rpz-passthru.
localhost CNAME rpz-passthru.
localhost.home.net CNAME rpz-passthru.
8.0.0.0.127.rpz-ip CNAME .
; check:
; localhost 127.0.0.1
; onea.net-snmp.org 127.0.0.1
; twoa.net-snmp.org 127.0.0.2 127.0.0.3
; 7f000001.c7f11de3.rbndr.us
; should alternate between 199.241.29.227 (allowed) and
127.0.0.1 (NXDOMAIN)
; ref: https://bugs.chromium.org/p/project-zero/issues/detail?id=1471&desc=3
Thanks
Lee
Is the following really how it's supposed to be done? I can see
having to whitelist the net-snmp.org names, but having to whitelist
zones I'm authoritative for seems a bit weird.
named.conf:
options {
...
response-policy { zone "rpz.zone" log yes; } break-dnssec yes
recursive-only no;
};
zone "localhost" in { type master; allow-update{none;}; file
"ZONES/master.localhost"; };
zone "home.net" in { type master; allow-update{none;}; file "ZONES/home.net"; };
rpz.zone:
...
; return NXDOMAIN for any 127.0.0.0/8 answers
; exceptions:
onea.net-snmp.org CNAME rpz-passthru.
twoa.net-snmp.org CNAME rpz-passthru.
localhost CNAME rpz-passthru.
localhost.home.net CNAME rpz-passthru.
8.0.0.0.127.rpz-ip CNAME .
; check:
; localhost 127.0.0.1
; onea.net-snmp.org 127.0.0.1
; twoa.net-snmp.org 127.0.0.2 127.0.0.3
; 7f000001.c7f11de3.rbndr.us
; should alternate between 199.241.29.227 (allowed) and
127.0.0.1 (NXDOMAIN)
; ref: https://bugs.chromium.org/p/project-zero/issues/detail?id=1471&desc=3
Thanks
Lee
0 new messages