
Bind9 with RPZ and local forwarding zones?


Nick Ellson (Technical User), Jan 3, 2022
I had a working Bind9 configuration with views that allowed my internal network to query my work AD Domain which would be trapped and forwarded to their DNS Servers.

    zone "company.tld" IN {
        type forward;
        forward only;
        forwarders {
            10.5.161.1;
            10.6.161.1;
        };
    };

But I wanted to add RPZ to my set up so that I can filter bad actors using DNS. I subscribed to a RPZ feed and zone transfer, and set up the response policy:
    response-policy {
        zone "oisd-full.ioc2rpz" policy nxdomain;
    };

And wow, that was easy. Tested a bunch of popular bad actor DNS queries and they got no answer. Nice. However, the company.tld internal AD Domain is unfortunately in the RPZ list, so I am no longer getting my forward zone definition to work.

I have not found a way to have BIND9 use that locally defined zone first, before RPZ, or have RPZ be aware of a whitelist that allows it to use the local definitions so that the queries are properly forwarded.

 
In my debugging (turning on lots of logs) I saw that my private forwarding was actually working, but my new RPZ DNS config that came with a new updated BIND9 enabled DNSSEC, and my company internal DNS servers did NOT have a trust chain before, so it failed trust now.

So my failure was NOT RPZ related, but a DNS trust issue. I disabled DNSSEC in the global options for now, as I was not using it prior, until I can learn how it all works and enable it deliberately.

Nick
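Both problems raised in this thread (an internal domain caught by a third-party RPZ feed, and DNSSEC validation failing for an internal domain that has no trust chain) can be solved without turning RPZ or DNSSEC off globally. The fragment below is an added example, not the original poster's configuration: it assumes a BIND 9.16-or-later `named` (where `validate-except` exists), a Debian-style `/etc/bind/` layout, and the zone name `rpz.local` and file path `/etc/bind/db.rpz.local`, all of which are placeholders chosen for the example. The internal domain, the forwarder addresses and the feed zone name are the ones from the post.

```conf
// --- /etc/bind/named.conf.local (example fragment, not from the post) ---

options {
    // Keep DNSSEC validation on for the Internet, but exempt the internal
    // AD domain, which is unsigned and has no chain of trust to the root.
    // Answers under company.tld are then accepted unvalidated instead of
    // being treated as bogus (SERVFAIL).
    dnssec-validation auto;
    validate-except { "company.tld"; };
};

// Local RPZ whitelist zone. Queries for it are refused so clients cannot
// read the policy data directly; it is only consulted by response-policy.
zone "rpz.local" IN {
    type master;
    file "/etc/bind/db.rpz.local";
    allow-query { none; };
};

// RPZ zones are evaluated in the order listed and the first match wins,
// so the local whitelist must come BEFORE the subscribed feed.
response-policy {
    zone "rpz.local"          policy passthru;
    zone "oisd-full.ioc2rpz"  policy nxdomain;
};

// Unchanged from the post: internal AD domain is forwarded to the AD DNS servers.
zone "company.tld" IN {
    type forward;
    forward only;
    forwarders {
        10.5.161.1;
        10.6.161.1;
    };
};

; --- /etc/bind/db.rpz.local (example zone file, not from the post) ---
; Each record names a query domain; CNAME rpz-passthru. is the RPZ action
; meaning "answer normally, stop evaluating further RPZ zones".
$TTL 300
@               IN SOA  localhost. root.localhost. (
                            2022010301 ; serial
                            3600       ; refresh
                            900        ; retry
                            604800     ; expire
                            300 )      ; negative cache TTL
                IN NS   localhost.
company.tld     IN CNAME rpz-passthru.
*.company.tld   IN CNAME rpz-passthru.
```

After editing, run `named-checkconf` and `named-checkzone rpz.local /etc/bind/db.rpz.local`, reload with `rndc reload`, and confirm with `dig @127.0.0.1 host.company.tld` that the answer comes from the forwarders (and, separately, that a known feed-listed name still returns NXDOMAIN). `policy passthru` on the whitelist zone and the `rpz-passthru.` targets in its records say the same thing; either alone is sufficient, and using both keeps the intent obvious to the next person reading the config. `validate-except` is deliberately narrower than setting `dnssec-validation no`, since it keeps validation for every other domain the resolver answers for.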
 