Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Bind9 with RPZ and local forwarding zones?

Status
Not open for further replies.

Nick Ellson

Technical User
Jan 3, 2022
2
US
I had a working Bind9 configuration with views that allowed my internal network to query my work AD Domain which would be trapped and forwarded to their DNS Servers.

zone "company.tld" IN {
type forward;
forward only;
forwarders {
10.5.161.1;
10.6.161.1;
};
};

But I wanted to add RPZ to my set up so that I can filter bad actors using DNS. I subscribed to a RPZ feed and zone transfer, and set up the response policy:
response-policy {
zone "oisd-full.ioc2rpz" policy nxdomain;
}
And wow, that was easy, tested a bunch of popular bad actor DNS queries and they got no answer. Nice. however the company.tld internal AD Domain is unfortunately in the rpz list so I am no longer getting my forward zone definition to work.

I have not found a way to have BIND9 use that locally defined zone first, before RPZ.. or, have RPZ be aware a whitelist that allows it to use the local definitions so that the queries are properly forwarded.

 
In my debugging (turning on lot's of logs) I saw that my private forwarding was actually working but my new RPZ DNS config that came with a new updated BIND9 enabled DNSSEC and my company internal DNS servers did NOT have a trust chain before, so it failed trust now.

So my failure was NOT RPZ related, but a DNS Trust issue. I disabled DNS SEC in the global options for now as I was not using it prior, until I can lean how it all works and enable it deliberately.

Nick
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top