what’s RPZ ? plz see below link :)
ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt
You can check RPZ functions w/ BIND 9.8.x.
I checked out RPZ on BIND 9.8.0b1 which is available at www.isc.org.
BIND 9.7.3 rc1 doesn’t seem to have RPZ features.
I compiled BIND 9.8.0b1 on Ubuntu 10.04 w/ the following options:

```
./configure --sysconfdir=/etc/bind
make
make install
```
[ Quick test ]
```
# /usr/local/sbin/named -v
BIND 9.8.0b1
```
edit named.conf.
```
options {
    # add for RPZ
    response-policy { zone "rpz.zone"; };
};

# define RPZ
zone "rpz.zone" {
    type master;
    file "db.rpz.zone";
    allow-query { any; };
    allow-update { none; };
};
```
create RPZ file.
```
# cat /var/cache/bind/db.rpz.zone
;RPZ
$TTL 10
@               IN SOA rpz.zone. rpz.zone. (
                        01      ; serial
                        3600    ; refresh
                        300     ; retry
                        86400   ; expire
                        60 )    ; minimum
                IN NS localhost.
bad1.domain     IN CNAME walled-garden.localhost.
*.bad1.domain   IN CNAME walled-garden.localhost.
bad2.domain     IN CNAME *.
*.bad2.domain   IN CNAME *.
bad3.domain     IN CNAME .
*.bad3.domain   IN CNAME .
*.bad4.domain   IN MX 0 mail.hello.com.
*.bad4.domain   IN A 192.168.0.10
www.bad5.domain IN A 192.168.0.10
```
start BIND.
```
root@ubuntu-7:~# /usr/local/sbin/named
root@ubuntu-7:~# rndc status
version: 9.8.0b1
number of zones: 21
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
```
- qname bad1.domain: all query types match “bad1.domain IN CNAME walled-garden.localhost.”
BIND returns NXDOMAIN with the CNAME walled-garden.localhost in the answer section.
query type : A

```
root@ubuntu-7:~# dig @127.1 bad1.domain a

; <<>> DiG 9.8.0b1 <<>> @127.1 bad1.domain a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45819
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bad1.domain.                   IN      A

;; ANSWER SECTION:
bad1.domain.            10      IN      CNAME   walled-garden.localhost.

;; AUTHORITY SECTION:
localhost.              0       IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
```

query type : MX

```
root@ubuntu-7:~# dig @127.1 bad1.domain mx

; <<>> DiG 9.8.0b1 <<>> @127.1 bad1.domain mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13597
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bad1.domain.                   IN      MX

;; ANSWER SECTION:
bad1.domain.            10      IN      CNAME   walled-garden.localhost.

;; AUTHORITY SECTION:
localhost.              0       IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
```

query type : SOA

```
root@ubuntu-7:~# dig @127.1 bad1.domain soa

; <<>> DiG 9.8.0b1 <<>> @127.1 bad1.domain soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34548
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bad1.domain.                   IN      SOA

;; ANSWER SECTION:
bad1.domain.            10      IN      CNAME   walled-garden.localhost.

;; AUTHORITY SECTION:
localhost.              0       IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
```
- subdomains of bad1.domain match “*.bad1.domain IN CNAME walled-garden.localhost.”

```
root@ubuntu-7:~# dig @127.1 abc.bad1.domain a

; <<>> DiG 9.8.0b1 <<>> @127.1 abc.bad1.domain a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19603
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;abc.bad1.domain.               IN      A

;; ANSWER SECTION:
abc.bad1.domain.        10      IN      CNAME   walled-garden.localhost.

;; AUTHORITY SECTION:
localhost.              604800  IN      SOA     localhost. root.localhost. 2 604800 86400 2419200 604800
```
- CNAME *. returns NOERROR with an empty answer section (NODATA)
bad2.domain IN CNAME *.

```
root@ubuntu-7:~# dig @127.1 bad2.domain mx

; <<>> DiG 9.8.0b1 <<>> @127.1 bad2.domain mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40737
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bad2.domain.                   IN      MX

;; AUTHORITY SECTION:
rpz.zone.               10      IN      SOA     rpz.zone. rpz.zone. 2011012502 3600 300 86400 60
```

*.bad2.domain IN CNAME *.

```
root@ubuntu-7:~# dig @127.1 abc.bad2.domain any

; <<>> DiG 9.8.0b1 <<>> @127.1 abc.bad2.domain any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57563
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;abc.bad2.domain.               IN      ANY

;; AUTHORITY SECTION:
rpz.zone.               10      IN      SOA     rpz.zone. rpz.zone. 2011012502 3600 300 86400 60
```
- CNAME . returns NXDOMAIN
bad3.domain IN CNAME .

```
root@ubuntu-7:~# dig @127.1 bad3.domain aaaa

; <<>> DiG 9.8.0b1 <<>> @127.1 bad3.domain aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29273
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bad3.domain.                   IN      AAAA

;; AUTHORITY SECTION:
rpz.zone.               10      IN      SOA     rpz.zone. rpz.zone. 2011012502 3600 300 86400 60
```

*.bad3.domain IN CNAME .

```
root@ubuntu-7:~# dig @127.1 zzz.bad3.domain mx

; <<>> DiG 9.8.0b1 <<>> @127.1 zzz.bad3.domain mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5448
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;zzz.bad3.domain.               IN      MX

;; AUTHORITY SECTION:
rpz.zone.               10      IN      SOA     rpz.zone. rpz.zone. 2011012502 3600 300 86400 60
```
- in the following case, only subdomains of bad4.domain are affected:
you can write specific query names n’ query types in the RPZ.
*.bad4.domain IN MX 0 mail.hello.com.
*.bad4.domain IN A 192.168.0.10
bad4.domain itself is not affected.

```
root@ubuntu-7:~# dig @127.1 bad4.domain a

; <<>> DiG 9.8.0b1 <<>> @127.1 bad4.domain a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21053
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bad4.domain.                   IN      A

;; AUTHORITY SECTION:
.                       10729   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2011012401 1800 900 604800 86400
```

query type MX matches *.bad4.domain IN MX 0 mail.hello.com.

```
root@ubuntu-7:~# dig @127.1 bbb.bad4.domain mx

; <<>> DiG 9.8.0b1 <<>> @127.1 bbb.bad4.domain mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16689
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;bbb.bad4.domain.               IN      MX

;; ANSWER SECTION:
bbb.bad4.domain.        10      IN      MX      0 mail.hello.com.

;; AUTHORITY SECTION:
rpz.zone.               10      IN      NS      localhost.

;; ADDITIONAL SECTION:
localhost.              604800  IN      A       127.0.0.1
localhost.              604800  IN      AAAA    ::1
```

query type A matches *.bad4.domain IN A 192.168.0.10

```
root@ubuntu-7:~# dig @127.1 bbb.bad4.domain a

; <<>> DiG 9.8.0b1 <<>> @127.1 bbb.bad4.domain a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8534
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;bbb.bad4.domain.               IN      A

;; ANSWER SECTION:
bbb.bad4.domain.        10      IN      A       192.168.0.10

;; AUTHORITY SECTION:
rpz.zone.               10      IN      NS      localhost.

;; ADDITIONAL SECTION:
localhost.              604800  IN      A       127.0.0.1
localhost.              604800  IN      AAAA    ::1
```

For query types other than A n’ MX, there are no RRs in the RPZ.
In that case, BIND returns NOERROR with an empty answer section and the RPZ SOA in the authority section.

```
root@ubuntu-7:~# dig @127.1 bbb.bad4.domain ns

; <<>> DiG 9.8.0b1 <<>> @127.1 bbb.bad4.domain ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25888
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bbb.bad4.domain.               IN      NS

;; AUTHORITY SECTION:
rpz.zone.               10      IN      SOA     rpz.zone. rpz.zone. 2011012502 3600 300 86400 60
```
- you can set the policy for how BIND responds

```
# response-policy { zone "rpz.zone"; };
response-policy { zone "rpz.zone" policy NO-OP; };
```

When NO-OP is specified, BIND won’t change any answers, even when it receives queries that match the RPZ.
The query “www.bad5.domain” matches the “www.bad5.domain IN A 192.168.0.10” RR.
However, BIND won’t change the answer because I specified “policy NO-OP”.

```
root@ubuntu-7:~# dig @127.1 www.bad5.domain

; <<>> DiG 9.8.0b1 <<>> @127.1 www.bad5.domain
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40398
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.bad5.domain.               IN      A

;; AUTHORITY SECTION:
.                       10782   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2011012501 1800 900 604800 86400
```
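To make the trigger rules from the bad1 to bad5 tests above and the NO-OP policy easy to check without a running server, here is an added Python example (my own code, not from the original post or from BIND) that parses the trigger records of the RPZ zone used on this page and predicts the rewrite the dig tests showed for a given qname and qtype. The action labels (UNCHANGED, NODATA, LOCAL) are this example's own, and find_trigger only approximates BIND's exact-before-wildcard precedence.

```python
# Constructed copy of this page's db.rpz.zone trigger records (SOA/NS left out).
RPZ_ZONE = """\
bad1.domain      IN CNAME walled-garden.localhost.
*.bad1.domain    IN CNAME walled-garden.localhost.
bad2.domain      IN CNAME *.
*.bad2.domain    IN CNAME *.
bad3.domain      IN CNAME .
*.bad3.domain    IN CNAME .
*.bad4.domain    IN MX 0 mail.hello.com.
*.bad4.domain    IN A 192.168.0.10
www.bad5.domain  IN A 192.168.0.10
"""

def parse_rpz(text):
    """Return {owner: [(rtype, rdata), ...]} from zone-file lines."""
    rules = {}
    for line in text.splitlines():
        line = line.split(";")[0].strip()          # ';' starts a zone-file comment
        if line:
            owner, _cls, rtype, rdata = line.split(None, 3)
            rules.setdefault(owner.lower(), []).append((rtype.upper(), rdata))
    return rules

def find_trigger(rules, qname):
    """Exact owner wins, else the nearest '*.' wildcard (bad4.domain has none)."""
    qname = qname.lower().rstrip(".")
    if qname in rules:
        return rules[qname]
    for i in range(1, qname.count(".") + 1):       # *.bad1.domain before *.domain
        rrs = rules.get("*." + qname.split(".", i)[-1])
        if rrs is not None:
            return rrs
    return None

def rpz_action(rules, qname, qtype, policy="given"):
    """Predict the rewrite for (qname, qtype); the labels are this example's own."""
    rrs = find_trigger(rules, qname)
    if rrs is None or policy.lower() == "no-op":   # not listed, or NO-OP: answer untouched
        return ("UNCHANGED",)
    for rtype, rdata in rrs:
        if rtype == "CNAME":
            if rdata == ".":                        # "CNAME ."  -> NXDOMAIN (bad3.domain)
                return ("NXDOMAIN",)
            if rdata == "*.":                       # "CNAME *." -> NOERROR, empty answer (bad2)
                return ("NODATA",)
            return ("CNAME", rdata)                 # every qtype gets the CNAME (bad1.domain)
    for rtype, rdata in rrs:                        # local data: only the listed qtype changes
        if rtype == qtype.upper():
            return ("LOCAL", rtype, rdata)
    return ("NODATA",)                              # listed, but no RR of that type (bbb.bad4 NS)
```

Calling rpz_action(parse_rpz(RPZ_ZONE), "bbb.bad4.domain", "NS") gives ("NODATA",), matching the NOERROR / empty-answer result of the dig test above.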
Thx for dropping by :)