
DNS query filtering

Starting with version 9.8.1 of the BIND DNS server, a new feature has appeared: DNS RPZ. It is an interesting tool that can be very useful for many system administrators. Strangely, the Russian-speaking segment of the Internet does not cover this topic at all. I hasten to fill this gap.

What kind of beast is this, and what is it good for?


The abbreviation RPZ stands for response policy zone. It is a technology developed by ISC that gives service providers an easy way to block DNS queries for certain resources or to redirect them to an alternative address. An RPZ is an ordinary zone: it can be transferred between servers (DNS AXFR/IXFR), protected by transaction signatures (DNS TSIG) and updated in real time (DNS NOTIFY).

Zone format


As in any other DNS zone, a SOA record and at least one NS record are required. The SOA record is the usual one, with a serial number and timers; it is used to delegate the zone and sets the lifetime (TTL) of the records. The NS record is never used and exists only for compatibility; normally a single NS record with a dummy value of localhost is given. The rest of the zone consists of policy expressions. Policies can be applied to domain names or to patterns of names (wildcards).

How does it work


Simplified, the operation of RPZ can be represented by the following diagram:

The right side shows the scheme of a regular caching DNS server, which returns all answers from the upstream servers to the client as they are. With RPZ, a Security Policy Provider appears: the DNS server from which we take the domain-name resolution policies. A third-party provider is entirely optional; we can define our own local policies. More on this, with an example, below.

There may be several providers, and we can also run our own RPZ server:

More details on how the protocol works can be found in the official documentation (links below); I think those who need the details will work through it themselves.

I will show RPZ in action using working configs. This assumes that you already have a configured DNS server; I will only show the options that need to be enabled for RPZ to work. The examples were done on Ubuntu 12.10.

First, in the file /etc/bind/named.conf.options, enable RPZ with the response-policy option:

    response-policy { zone "rpz.zone"; };

Inside response-policy there may be several zones, and each may have its own policy (see the specification for details).

In the file /etc/bind/named.conf.local we add the zone description:

    zone "rpz.zone" {
        type master;
        file "/etc/bind/db.rpz.zone";
        allow-query { any; };
        allow-update { none; };
    };


And finally, the zone itself (the file /etc/bind/db.rpz.zone):

    ;RPZ
    $TTL 10
    @   IN  SOA rpz.zone. rpz.zone. (
            5       ; serial
            3600    ; refresh
            300     ; retry
            86400   ; expire
            60 )    ; minimum
        IN  NS  localhost.
    vk.com          CNAME   habrahabr.ru.
    *.gov.by        CNAME   .
    gov.by          MX      0 gmail.com.
    *.blabla.com    A       1.2.3.4
    *.xxx           A       127.0.0.1
    1.by            CNAME   abcde-net.by.


Apply the new settings:

    sudo rndc reload

and see what happens:

    dig vk.com

    ; <<>> DiG 9.8.1-P1 <<>> vk.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11880
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;vk.com.                IN      A

    ;; ANSWER SECTION:
    vk.com.         10      IN      CNAME   habrahabr.ru.
    habrahabr.ru.   466     IN      A       212.24.43.44

    ;; Query time: 0 msec
    ;; SERVER: 192.168.3.204#53(192.168.3.204)
    ;; WHEN: Thu Apr 25 00:56:49 2013
    ;; MSG SIZE  rcvd: 66

As can be seen from the server's response, the address has been replaced with that of habrahabr.ru. In the browser we see the following:

Of course, instead we can substitute our own internal server, which, for example, will tell the client that access to the requested domain is forbidden by the security policy.

    dig gov.by

    ; <<>> DiG 9.8.1-P1 <<>> gov.by
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10961
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;gov.by.                IN      A

    ;; AUTHORITY SECTION:
    rpz.zone.       10      IN      SOA     rpz.zone. rpz.zone. 8 3600 300 86400 60

    ;; Query time: 11 msec
    ;; SERVER: 192.168.3.204#53(192.168.3.204)
    ;; WHEN: Thu Apr 25 00:59:18 2013
    ;; MSG SIZE  rcvd: 68

Here the query receives no answer (the answer section is empty). The same happens with any subdomain of gov.by:

It is easy to guess that all subdomains of blabla.com will be resolved to the address 1.2.3.4, and all names under the xxx zone to localhost (127.0.0.1).
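To make the matching rules concrete, here is a small Python evaluator (added here; it is not part of the original post and not BIND's code) that parses the policy records of the zone above and reports what the resolver does with a query. It handles only QNAME triggers (no IP, NSDNAME or NSIP triggers) plus the two special CNAME targets; the sample zone is a constructed copy of the one above with the SOA on a single line.

```python
# Constructed copy of the policy records from db.rpz.zone above.
RPZ_ZONE = """
$TTL 10
@ IN SOA rpz.zone. rpz.zone. 5 3600 300 86400 60
  IN NS localhost.
vk.com        CNAME habrahabr.ru.
*.gov.by      CNAME .
gov.by        MX 0 gmail.com.
*.blabla.com  A 1.2.3.4
*.xxx         A 127.0.0.1
1.by          CNAME abcde-net.by.
"""

def parse_rpz(text):
    """Return {owner: [(rtype, rdata), ...]} for the policy RRs in an RPZ zone."""
    policies = {}
    for line in text.splitlines():
        tokens = line.split(";")[0].split()            # ';' starts a comment
        if not tokens or tokens[0].startswith("$"):    # $TTL / $ORIGIN directives
            continue
        if len(tokens) > 1 and tokens[1].upper() == "IN":  # optional class field
            del tokens[1]
        if len(tokens) < 3 or tokens[1].upper() in ("SOA", "NS"):
            continue                                   # apex records carry no policy
        owner, rtype, rdata = tokens[0].lower(), tokens[1].upper(), " ".join(tokens[2:])
        policies.setdefault(owner, []).append((rtype, rdata))
    return policies

def lookup(policies, qname, qtype="A"):
    """QNAME trigger only: exact owner first, then the closest enclosing wildcard."""
    labels = qname.lower().rstrip(".").split(".")
    # *.gov.by matches www.gov.by (at any depth) but not gov.by itself
    candidates = [".".join(labels)] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for name in candidates:
        if name not in policies:
            continue
        rrs = policies[name]
        for rtype, rdata in rrs:
            if rtype == "CNAME":
                if rdata == ".":                       # special target: NXDOMAIN
                    return ("NXDOMAIN", None)
                if rdata == "*.":                      # special target: NODATA
                    return ("NODATA", None)
                return ("REDIRECT", rdata)             # ordinary CNAME: redirect
        data = [rdata for rtype, rdata in rrs if rtype == qtype.upper()]
        return ("LOCAL", data) if data else ("NODATA", None)  # local data only for matching type
    return ("PASSTHRU", None)                          # no policy: resolve normally
```

Note that an A query for gov.by itself yields NODATA, which is exactly the empty answer in the dig output above, because the apex entry carries only an MX record; it is the *.gov.by wildcard that turns subdomains into NXDOMAIN.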

I will explain the last line of the zone separately. As a small provider in a provincial town, we often run into the problem of utterly hopeless users, for whom typing the address of our home page is an impossible task (and it is the starting point for all our internal resources). Sometimes it reaches the point of comedy, with tech support banging their heads on the table. This is what the record was created for: the client only needs to type "1.by" in the browser's address bar (without quotes), and he ends up where he should:


And so that this eyesore does not catch the eye of more or less literate users, the host "1.by" is redirected to the real server address by the web server (a RewriteRule in Apache).

References:
ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt
kb.isc.org/category/110/0/10/Software-Products/BIND9/Features/DNSRPZ

Source: https://habr.com/ru/post/177649/
