Queries related to RPZ


Queries related to RPZ

blason16
Hi All,

I am building DNS RPZ and I am a complete novice. I will be having around 10-20k zones which my DNS will be wall-gardening.

Just wondering how this can be done with DNS RPZ? Since the zones have to be included in named.conf.

Plus I am practising DNS RPZ on my test server and it's failing. Can someone please guide? Am I making any mistake here?

options {
        listen-on port 53 { 127.0.0.1; any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.5.0/24;};
        response-policy { zone "google.com"; };
};

zone "google.com" IN {
        type master;
        file "rpz.file.db";
};

*****************************************

[[hidden email] /var/named]# more rpz.file.db
$TTL    1D
@       IN      SOA     ns1.google.com. root.google.com. (
                                        2       ;
                                        1D      ;
                                        1H      ;
                                        1W      ;
                                        3H )    ;
@       IN      NS      ns1.google.com.
@       IN      A       3.3.3.3

google.com      IN      CNAME   @
www.google.com  IN      CNAME   @

********************************

[[hidden email] /var/named]# systemctl status named.service -l
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2018-04-17 08:50:55 IST; 31s ago
  Process: 937 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=1/FAILURE)

Apr 17 08:50:55 dnzrpz.isn.in bash[937]: _default/google.com/IN: bad zone
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: zone localhost.localdomain/IN: loaded serial 0
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: zone localhost/IN: loaded serial 0
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: zone 0.in-addr.arpa/IN: loaded serial 0
Apr 17 08:50:55 dnzrpz.isn.in systemd[1]: named.service: control process exited, code=exited status=1
Apr 17 08:50:55 dnzrpz.isn.in systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
Apr 17 08:50:55 dnzrpz.isn.in systemd[1]: Unit named.service entered failed state.
Apr 17 08:50:55 dnzrpz.isn.in systemd[1]: named.service failed.
[[hidden email] /var/named]#


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Queries related to RPZ

blason16
Is this list spammed? I am receiving lot of SPAM mails.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: Queries related to RPZ

blason16
In reply to this post by blason16
OK - I resolved the issue. Now the query I had was: how to use tens of
thousands of zones with DNS RPZ? Will it not increase the named.conf file
size? Can someone please suggest another way?



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/

Re: Queries related to RPZ

Tony Finch
In reply to this post by blason16
Blason R <[hidden email]> wrote:
>
> I am building DNS RPZ and I am a complete novice. I will be having around
> 10-20k zones which my DNS will be wall-gardening.
>
> Just wondering how this can be done with DNS RPZ? Since the zones have to be
> included in named.conf.

It sounds to me like you are getting muddled up between the old pre-RPZ
way of blocking domains, and the way to do it with RPZ.

The old way was to configure a local authoritative zone which would catch
queries for a domain that you wanted to block - if you wanted tens of
thousands of blocks you needed tens of thousands of local zones. Not much
fun.

The RPZ way only requires one zone, and each blocked domain is an entry in
that zone. A zone with tens of thousands of records is easy.

So, for example, my named.conf includes:

# ...
        response-policy {
                zone "test.rpz.dotat.at";
        }
                break-dnssec yes
                max-policy-ttl 5m
                qname-wait-recurse no
        ;
# ...
zone test.rpz.dotat.at {
        type master;
        file "zone/test.rpz.dotat.at";
        masterfile-format raw;
        update-policy local;
};
# ...

And in the zone file:

$ORIGIN test.rpz.dotat.at.
$TTL 3600
@ IN SOA  grey.dotat.at. dot.dotat.at. (
                                69 3600 3600 604800 3600 )
                        NS      grey.dotat.at.
badguy.com CNAME .
*.badguy.com CNAME .
pills.biz CNAME .
*.pills.biz CNAME .
; more blocked domains...

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
partnership and community in all areas of life
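Tony's point that tens of thousands of blocks are just records in one zone is easy to automate. The Python generator below is an added example, not code from the thread or from BIND: it turns a plain domain list into an RPZ master file with the exact-name and wildcard "CNAME ." rules shown above, drops names already covered by a parent's wildcard, and rejects malformed names. The origin rpz.example, the serial and the sample list are assumed/constructed.

```python
import re

# Constructed sample block list (not from the thread): one name per line;
# '#' comments, blank lines, mixed case and trailing dots are tolerated.
SAMPLE_LIST = """
badguy.com
www.badguy.com      # already caught by the *.badguy.com rule
Pills.BIZ.
not a domain!
badguy.com
"""

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(name):
    """Lower-case, strip the trailing dot, validate every label; None if bad."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    return name if all(LABEL.match(lab) for lab in name.split(".")) else None

def parse_list(text):
    """Sorted, de-duplicated list of the valid domains in text."""
    names = {normalize(line.split("#", 1)[0]) for line in text.splitlines()}
    return sorted(n for n in names if n)

def prune_covered(domains):
    """Drop names that an ancestor's '*.parent CNAME .' rule already catches."""
    keep = set(domains)
    for d in domains:
        labels = d.split(".")
        if any(".".join(labels[i:]) in keep for i in range(1, len(labels))):
            keep.discard(d)
    return sorted(keep)

def rpz_zone(domains, origin, serial, ns="localhost."):
    """Emit a complete RPZ master file: SOA, NS, then NXDOMAIN rules for each
    domain and (via the wildcard) for everything beneath it."""
    lines = [f"$ORIGIN {origin}.", "$TTL 3600",
             f"@ IN SOA {ns} hostmaster.{origin}. ({serial} 3600 300 604800 60)",
             f"@ IN NS {ns}"]
    for d in domains:
        lines += [f"{d} CNAME .", f"*.{d} CNAME ."]
    return "\n".join(lines) + "\n"

def build_zone(text, origin, serial):
    return rpz_zone(prune_covered(parse_list(text)), origin, serial)

if __name__ == "__main__":
    print(build_zone(SAMPLE_LIST, "rpz.example", 2018041701), end="")
```

Run the generated file through named-checkzone before loading it, the same check the ExecStartPre in the first post performs.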

RE: Queries related to RPZ

Philippe Maechler
In reply to this post by blason16

Hello blason

I'm not an RPZ expert, but we have a running RPZ configuration.

From named.conf:

zone "rpz.zone" {
        type    master;
        file    "/etc/namedb/master/rpz.zone.db";
        allow-query     { localhost; };
        allow-transfer  { 192.168.3.0/24; };
};

And inside the rpz.zone.db we have:

$TTL 3600
@       IN SOA rpz.zone. rpz.zone. (
        2017100903 ;
        3600 ;
        300 ;
        86400 ;
        60 )
        IN      NS      localhost.

; Malware Domains, NXDOMAIN as a reply
;crayumm.com                    IN      CNAME   .
;*.crayumm.com                  IN      CNAME   .

; phishing sites
baddomain.com CNAME .
malwaredomain.com CNAME .
uglydomain.com CNAME .
otherbaddomain.com CNAME .

; and so on

This way you don't increase the size of the named.conf. You only have one RPZ zone and an entry for all "bad" domains inside it.

I recommend enabling logging for the RPZ category in named.conf:

logging {
  channel rpz_log {
    file "/var/named/var/log/rpz.log" versions 3 size 20m;
    print-time yes;
    print-category yes;
  };
  category rpz  { rpz_log; syslog_server; };
    ….
};

HTH

Philippe


Re: Queries related to RPZ

blason16
In reply to this post by Tony Finch
Correct, and that's what my confusion is.
So, file "zone/test.rpz.dotat.at" will hold all my wall-gardened zones? And I just need to keep adding my domain list in that?


Re: Queries related to RPZ

blason16
In reply to this post by Philippe Maechler
And would you please share your Options para for the response-policy zone rpz.zone.db?
