Bind9 with RPZ and local forwarding zones?

(OP)
I had a working Bind9 configuration with views that allowed my internal network to query my work AD Domain which would be trapped and forwarded to their DNS Servers.

zone "company.tld" IN {
    type forward;
    forward only;
    forwarders {
        10.5.161.1;
        10.6.161.1;
    };
};

But I wanted to add RPZ to my set up so that I can filter bad actors using DNS. I subscribed to an RPZ feed and zone transfer, and set up the response policy:

response-policy {
    zone "oisd-full.ioc2rpz" policy nxdomain;
};

And wow, that was easy: I tested a bunch of popular bad-actor DNS queries and they got no answer. Nice. However, the company.tld internal AD domain is unfortunately in the RPZ list, so I am no longer getting my forward zone definition to work.

I have not found a way to have BIND9 use that locally defined zone first, before RPZ, or to have RPZ be aware of a whitelist that allows it to use the local definitions so that the queries are properly forwarded.

RE: Bind9 with RPZ and local forwarding zones?

(OP)
In my debugging (turning on lots of logging) I saw that my private forwarding was actually working, but my new RPZ DNS config that came with a new updated BIND9 enabled DNSSEC, and my company internal DNS servers did NOT have a trust chain before, so it failed trust now.

So my failure was NOT RPZ related, but a DNS trust issue. I disabled DNSSEC in the global options for now, as I was not using it prior, until I can learn how it all works and enable it deliberately.

Nick
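The thread raises two separate problems: keeping the forwarded AD domain out of the subscribed RPZ feed, and keeping DNSSEC validation on while exempting an internal zone that answers unsigned. The following is an added named.conf example, not Nick's configuration; the "whitelist.rpz" zone name, its file path and the allow-query setting are assumptions, and validate-except requires BIND 9.13 or later.

```conf
// Added example, not the original poster's configuration.
// Assumes BIND 9.13+ (for validate-except); zone name and path are local choices.
options {
    // Keep validation enabled globally instead of switching it off ...
    dnssec-validation auto;
    // ... but skip validation for the internal AD domain, whose
    // servers return unsigned answers and so cannot build a trust chain.
    validate-except { "company.tld"; };

    // RPZ zones are evaluated in the order listed; a match in the
    // local whitelist is applied before the feed can block the name.
    response-policy {
        zone "whitelist.rpz";                          // local passthru entries
        zone "oisd-full.ioc2rpz" policy nxdomain;      // subscribed feed
    };
};

// Local whitelist zone: rpz-passthru. tells RPZ to leave the answer untouched.
zone "whitelist.rpz" IN {
    type master;
    file "/etc/bind/rpz/whitelist.rpz";    // assumed path
    allow-query { none; };                 // policy data only, never served to clients
};

/* Contents of /etc/bind/rpz/whitelist.rpz (assumed file):

$TTL 300
@               IN SOA  localhost. root.localhost. ( 1 3600 900 604800 300 )
@               IN NS   localhost.
company.tld     CNAME   rpz-passthru.   ; the apex of the AD domain
*.company.tld   CNAME   rpz-passthru.   ; every host beneath it
*/

// Forward zone for the AD domain, as in the thread; now reachable again
// because the whitelist passes it through and validation is skipped for it.
zone "company.tld" IN {
    type forward;
    forward only;
    forwarders {
        10.5.161.1;
        10.6.161.1;
    };
};
```

Run named-checkconf and named-checkzone whitelist.rpz /etc/bind/rpz/whitelist.rpz before reloading. If validate-except is not available on the installed version, rndc nta company.tld adds a temporary negative trust anchor with the same effect.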
