Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
RPZ configuration examples
5,135 views
Skip to first unread message
babu dheen
Nov 19, 2011, 12:23:27 AM11/19/11
to bind-...@lists.isc.org
|
Issam Harrathi
Nov 19, 2011, 9:24:14 AM11/19/11
to babu dheen, bind-...@lists.isc.org
Hi,
this is an example:
http://dns.blog4ever.com/blog/lire-article-491870-2332506-rpz_et_dns__exemple_de_configuration.html
this is an example:
http://dns.blog4ever.com/blog/lire-article-491870-2332506-rpz_et_dns__exemple_de_configuration.html
2011/11/19 babu dheen <babu...@yahoo.co.in>
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Spain, Dr. Jeffry A.
Nov 19, 2011, 9:31:47 AM11/19/11
to babu dheen, bind-...@lists.isc.org
> 1. Do you have basic example/steps to configure RPZ in Bind? ( I need couple of examples like /etc/named.conf file and zone files for rpz
> 2. If I use RPZ, recursive DNS will contact remote RBL database for every DNS query?
> 3. Is it possible to download DNS RBLs locally on the DNS server automatically daily and then allow RPZ query locally to give malware domain lookup response?
Here’s a technical note with some configuration examples: http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt. As I understand it, when you configure a response policy zone on your recursive resolver, your resolver uses the master-slave mechanism to get a copy of the response policy zone file from your RPZ provider. It keeps that copy updated based on notify messages and incremental transfers from the RPZ provider. For each query, your resolver consults your local copy of the RPZ or your cache as part of the recursive resolution process. ISC had a webinar on RPZ. See http://www.isc.org/files/imce/DNSRPZ-2011-03-01-Webinar.pdf. In it they mentioned http://www.surbl.org/ as an RPZ data provider. I worked with RPZ several months ago and had difficulty determining how well it was working. What was lacking at the time was a test domain name or set of such names guaranteed to be in the RPZ data that would generate an NXDOMAIN response. Would you please post information about your experiences as you proceed with your RPZ project. Thanks.
Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
Stephane Bortzmeyer
Nov 20, 2011, 9:32:23 AM11/20/11
to Issam Harrathi, bind-...@lists.isc.org
On Sat, Nov 19, 2011 at 03:24:14PM +0100,
Issam Harrathi <issa...@gmail.com> wrote
a message of 139 lines which said:
> this is an example:
If the OP reads french, I suggest that
<http://www.bortzmeyer.org/rpz-faire-mentir-resolveur-dns.html> is
much more detailed.
If, however, he prefers english, I would point him towards
<http://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zones-rpz/>.
Issam Harrathi <issa...@gmail.com> wrote
a message of 139 lines which said:
> this is an example:
If the OP reads french, I suggest that
<http://www.bortzmeyer.org/rpz-faire-mentir-resolveur-dns.html> is
much more detailed.
If, however, he prefers english, I would point him towards
<http://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zones-rpz/>.
Stephane Bortzmeyer
Nov 20, 2011, 9:30:48 AM11/20/11
to babu dheen, bind-...@lists.isc.org
On Sat, Nov 19, 2011 at 10:53:27AM +0530,
babu dheen <babu...@yahoo.co.in> wrote
of RPZ is precisely that the database is never remote.
http://www.isc.org/software/rpz
> 3. Is it possible to download DNS RBLs locally on the DNS server
> automatically daily and then allow RPZ query locally to give malware
> domain lookup response?
See above. That's the entire point of RPZ.
babu dheen <babu...@yahoo.co.in> wrote
a message of 105 lines which said:
> If I use RPZ, recursive DNS will contact remote RBL database for
> every DNS query?
It seems you need to read about RPZ first because one critical point
> If I use RPZ, recursive DNS will contact remote RBL database for
> every DNS query?
of RPZ is precisely that the database is never remote.
http://www.isc.org/software/rpz
> 3. Is it possible to download DNS RBLs locally on the DNS server
> automatically daily and then allow RPZ query locally to give malware
> domain lookup response?
babu dheen
Nov 21, 2011, 8:57:17 AM11/21/11
to Issam Harrathi, Stephane Bortzmeyer, bind-...@lists.isc.org
Wonderful update. Really thanks for the details provided. Can you give me additional details as below
I gone through link http://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zones-rpz/ and got to know that we need to configure one common zone to redirect all malware domain lookup to walled garden IP address and also we need to configure 'response-policy' in /etc/named.conf file.
1. How frequently DNS server will download the malware domain database
2. From where DNS server downloads the malware domains .. is it from SURBL webiste?
3. How to whitelist list of official/customer domains from RPZ query so that in case customer domain is listed in RPZ , business will not be affected?
Regards
Babu
|
Jan-Piet Mens
Nov 21, 2011, 9:44:37 AM11/21/11
to bind-...@lists.isc.org
It seems as though you haven't followed some of the advice given you on
this list -- you'll have to do a bit more reading. Nevertheless:
> 1. How frequently DNS server will download the malware domain database
That depends on how frequently the RPZ provider publishes updates to the
zone. RPZ zones are normal master files: they are transferred with AXFR
and/or IXFR.
> 2. From where DNS server downloads the malware domains .. is it from SURBL webiste?
BIND slaves RPZ zones from the RPZ provider's servers. If you intend using this
one, then yes, from SURBL.
> 3. How to whitelist list of official/customer domains from RPZ query
> so that in case customer domain is listed in RPZ , business will not
> be affected?
If you followed the link in the article you mentioned [usual disclaimers
apply] you'll certainly have read that it is indeed possible to
whitelist domains in RPZ, but you'll need the as yet unrealeased BIND
9.9 code to do that.
-JP
this list -- you'll have to do a bit more reading. Nevertheless:
> 1. How frequently DNS server will download the malware domain database
zone. RPZ zones are normal master files: they are transferred with AXFR
and/or IXFR.
> 2. From where DNS server downloads the malware domains .. is it from SURBL webiste?
one, then yes, from SURBL.
> 3. How to whitelist list of official/customer domains from RPZ query
> so that in case customer domain is listed in RPZ , business will not
> be affected?
apply] you'll certainly have read that it is indeed possible to
whitelist domains in RPZ, but you'll need the as yet unrealeased BIND
9.9 code to do that.
-JP
Barry Greene
Nov 21, 2011, 9:51:46 AM11/21/11
to babu dheen, bind-...@lists.isc.org
Hello Papdheen,
ISC now has a knowledge base where more information is systematically being written and published. There is a whole section on DNSRPZ:
https://kb.isc.org/category/110/0/10/Software-Products/BIND9/Features/DNSRPZ/
Each article allows for comments to improve the materials. We welcome suggestions and ideas for more KB articles.
Thanks,
Barry
On Nov 18, 2011, at 9:23 PM, babu dheen wrote:
>
>
> Hi,
>
> We are new to BIND and would like to implement RPZ in BIND. I have a following queries with respect to RPZ in BIND.
>
> Please help me on this.
>
> 1. Do you have basic example/steps to configure RPZ in Bind? ( I need couple of examples like /etc/named.conf file and zone files for rpz 2. If I use RPZ, recursive DNS will contact remote RBL database for every DNS query?
ISC now has a knowledge base where more information is systematically being written and published. There is a whole section on DNSRPZ:
https://kb.isc.org/category/110/0/10/Software-Products/BIND9/Features/DNSRPZ/
Each article allows for comments to improve the materials. We welcome suggestions and ideas for more KB articles.
Thanks,
Barry
On Nov 18, 2011, at 9:23 PM, babu dheen wrote:
>
>
> Hi,
>
> We are new to BIND and would like to implement RPZ in BIND. I have a following queries with respect to RPZ in BIND.
>
> Please help me on this.
>
> 3. Is it possible to download DNS RBLs locally on the DNS server automatically daily and then allow RPZ query locally to give malware domain lookup response?
>
>
Paul Vixie
Nov 21, 2011, 9:53:12 AM11/21/11
to bind-...@isc.org, vi...@isc.org
noting, first: there is documentation online for DNS RPZ, see the following:
https://deepthought.isc.org/article/AA-00525/0/Building-DNS-Firewalls-with-Response-Policy-Zones-RPZ.html
second, as to the particulars:
babu dheen <babu...@yahoo.co.in> writes:
> We are new to BIND and would like to implement RPZ in BIND. I have a
> following queries with respect to RPZ in BIND.
>
response-policy {
zone "dns-policy.vix.com";
zone "rpz.surbl.org";
zone "rpz.spamhaus.org";
zone "block.c2.rpz.umbradata.com";
zone "hh.c2.rpz.umbradata.com";
zone "active.nx.rpz.iidrpz.net";
zone "dga.nx.rpz.iidrpz.net";
};
all but the first of these is a "slave" zone that i subscribe to. the first
one is my local policy, and that zone looks like:
$TTL 30
@ SOA nsa.vix.com. hostmaster.vix.com. 29 3600 1800 604800 30
NS localhost.
; eric ziegast suggestions
11.156.21.46.32.rpz-ip CNAME *.
96.177.58.207.32.rpz-ip CNAME *.
; pedro bueno suggestions
14.53.199.94.32.rpz-ip CNAME *.
; android market scammer
softthrifty.com CNAME .
*.softthrifty.com CNAME .
; spam houses
*.verticalresponse.com CNAME .
; imports
$INCLUDE "drop/drop.inc"
$INCLUDE "drop/bogons.inc"
the two $INCLUDE files are generated by a perl script using data imported
from Team Cymru and Spamhaus. that method is described at in blog post at:
http://www.circleid.com/posts/using_domain_filtering_to_effect_ip_address_filtering/
drop.inc begins as follows:
24.0.140.196.109.rpz-ip CNAME .
*.140.196.109.in-addr.arpa CNAME .
22.0.212.94.109.rpz-ip CNAME .
*.212.94.109.in-addr.arpa CNAME .
*.213.94.109.in-addr.arpa CNAME .
*.214.94.109.in-addr.arpa CNAME .
*.215.94.109.in-addr.arpa CNAME .
bogons.inc begins as follows:
8.0.0.0.0.rpz-ip CNAME .
*.0.in-addr.arpa CNAME .
10.0.0.64.5.rpz-ip CNAME .
*.64.5.in-addr.arpa CNAME .
*.65.5.in-addr.arpa CNAME .
*.66.5.in-addr.arpa CNAME .
*.67.5.in-addr.arpa CNAME .
*.68.5.in-addr.arpa CNAME .
*.69.5.in-addr.arpa CNAME .
a copy of the perl script that generates these is online at:
http://nsa.vix.com/~vixie/lasso2rpz.pl
> 2. If I use RPZ, recursive DNS will contact remote RBL database for
> every DNS query?
no. all RPZ control plane information is held locally in the recursive
server. per the specification at:
https://deepthought.isc.org/article/AA-00512/0
we see this text:
A DNS Response Policy Zone (RPZ) is a DNS zone, and as such its
contents can be transferred between servers (DNS AXFR/IXFR),
protected by transaction signatures (DNS TSIG), and expedited by
real time change notifications (DNS NOTIFY), all subject to
familiar DNS access controls. An RPZ usually does not support query
access since it is never required for correct operation. Rather it
is the zone transfer of RPZ content from producers to subscribers
which effectively publishes the policy data, and it is the
transferee's server configuration which promotes RPZ payload data
into DNS control plane data.
> 3. Is it possible to download DNS RBLs locally on the DNS server
> automatically daily and then allow RPZ query locally to give malware
> domain lookup response?
yes. that is one of the intended uses of DNS RPZ.
> If you can help on this, it will be very much helpful to understand
> and implement RPZ in our enterprise.
while this discussion is on-topic for bind-...@isc.org ("here"), there
is also a mailing list specific to DNS RPZ. to subscribe, visit:
https://lists.isc.org/mailman/listinfo/dnsrpz-interest
noting, again: there is documentation online for DNS RPZ, see the following:
https://deepthought.isc.org/article/AA-00525/0/Building-DNS-Firewalls-with-Response-Policy-Zones-RPZ.html
thank you for your interest in DNS RPZ.
--
Paul Vixie
KI6YSY
https://deepthought.isc.org/article/AA-00525/0/Building-DNS-Firewalls-with-Response-Policy-Zones-RPZ.html
second, as to the particulars:
babu dheen <babu...@yahoo.co.in> writes:
> We are new to BIND and would like to implement RPZ in BIND. I have a
> following queries with respect to RPZ in BIND.
>
> 1. Do you have basic example/steps to configure RPZ in Bind? ( I need
> couple of examples like /etc/named.conf file and zone files for rpz
in my recursive server's named.conf file, in the options{} block, i have:
> couple of examples like /etc/named.conf file and zone files for rpz
response-policy {
zone "dns-policy.vix.com";
zone "rpz.surbl.org";
zone "rpz.spamhaus.org";
zone "block.c2.rpz.umbradata.com";
zone "hh.c2.rpz.umbradata.com";
zone "active.nx.rpz.iidrpz.net";
zone "dga.nx.rpz.iidrpz.net";
};
all but the first of these is a "slave" zone that i subscribe to. the first
one is my local policy, and that zone looks like:
$TTL 30
@ SOA nsa.vix.com. hostmaster.vix.com. 29 3600 1800 604800 30
NS localhost.
; eric ziegast suggestions
11.156.21.46.32.rpz-ip CNAME *.
96.177.58.207.32.rpz-ip CNAME *.
; pedro bueno suggestions
14.53.199.94.32.rpz-ip CNAME *.
; android market scammer
softthrifty.com CNAME .
*.softthrifty.com CNAME .
; spam houses
*.verticalresponse.com CNAME .
; imports
$INCLUDE "drop/drop.inc"
$INCLUDE "drop/bogons.inc"
the two $INCLUDE files are generated by a perl script using data imported
from Team Cymru and Spamhaus. that method is described at in blog post at:
http://www.circleid.com/posts/using_domain_filtering_to_effect_ip_address_filtering/
drop.inc begins as follows:
24.0.140.196.109.rpz-ip CNAME .
*.140.196.109.in-addr.arpa CNAME .
22.0.212.94.109.rpz-ip CNAME .
*.212.94.109.in-addr.arpa CNAME .
*.213.94.109.in-addr.arpa CNAME .
*.214.94.109.in-addr.arpa CNAME .
*.215.94.109.in-addr.arpa CNAME .
bogons.inc begins as follows:
8.0.0.0.0.rpz-ip CNAME .
*.0.in-addr.arpa CNAME .
10.0.0.64.5.rpz-ip CNAME .
*.64.5.in-addr.arpa CNAME .
*.65.5.in-addr.arpa CNAME .
*.66.5.in-addr.arpa CNAME .
*.67.5.in-addr.arpa CNAME .
*.68.5.in-addr.arpa CNAME .
*.69.5.in-addr.arpa CNAME .
a copy of the perl script that generates these is online at:
http://nsa.vix.com/~vixie/lasso2rpz.pl
> 2. If I use RPZ, recursive DNS will contact remote RBL database for
> every DNS query?
server. per the specification at:
https://deepthought.isc.org/article/AA-00512/0
we see this text:
A DNS Response Policy Zone (RPZ) is a DNS zone, and as such its
contents can be transferred between servers (DNS AXFR/IXFR),
protected by transaction signatures (DNS TSIG), and expedited by
real time change notifications (DNS NOTIFY), all subject to
familiar DNS access controls. An RPZ usually does not support query
access since it is never required for correct operation. Rather it
is the zone transfer of RPZ content from producers to subscribers
which effectively publishes the policy data, and it is the
transferee's server configuration which promotes RPZ payload data
into DNS control plane data.
> 3. Is it possible to download DNS RBLs locally on the DNS server
> automatically daily and then allow RPZ query locally to give malware
> domain lookup response?
> If you can help on this, it will be very much helpful to understand
> and implement RPZ in our enterprise.
is also a mailing list specific to DNS RPZ. to subscribe, visit:
https://lists.isc.org/mailman/listinfo/dnsrpz-interest
noting, again: there is documentation online for DNS RPZ, see the following:
https://deepthought.isc.org/article/AA-00525/0/Building-DNS-Firewalls-with-Response-Policy-Zones-RPZ.html
thank you for your interest in DNS RPZ.
--
Paul Vixie
KI6YSY
0 new messages