How to block domains using Bind / Named for local protection?
Blocking domain names at a DNS level is a bad idea, see this document: http://www.afnic.fr/medias/documents/conseilscientifique/SC-consequences-of-DNS-based-Internet-filtering.pdf
Also, it is a bad idea to mix recursive and authoritative functions in the same instance.
However, if you need to do DNS firewalling, there is a specific feature supported by BIND (and some other nameservers), called RPZ for Response Policy Zones.
See https://dnsrpz.info/ for all details but in short:
Domain Name Service Response Policy Zones (DNS RPZ) is a method that allows a nameserver administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. It is currently implemented in the ISC BIND nameserver (9.8 or later). Another generic name for the DNS RPZ functionality is "DNS firewall".
Specifically for BIND search the section "Response Policy Zone (RPZ) Rewriting" in ftp://ftp.isc.org/isc/bind9/cur/9.11/doc/arm/Bv9ARM.ch06.html
It will give you this example that will work out of the box for your needs, as soon as you put in the correct domain names:
For example, you might use this option statement

```
response-policy { zone "badlist"; };
```

and this zone statement

```
zone "badlist" { type master; file "master/badlist"; allow-query { none; }; };
```

with this zone file

```
$TTL 1H
@                       SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
                        NS  LOCALHOST.
; QNAME policy records. There are no periods (.) after the owner names.
nxdomain.domain.com     CNAME   .               ; NXDOMAIN policy
```
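As an added example (not part of the original answer or of BIND), a small Python generator that turns a plain one-domain-per-line blocklist into an RPZ zone file in the shape shown above; the zone origin `badlist` and the SOA values are taken from the answer's example, the `*.<domain>` wildcard records are an extension so that subdomains are caught too, and the sample blocklist is constructed.

```python
"""Generate a BIND Response Policy Zone (RPZ) file from a plain blocklist.

Assumes one domain per line, '#' starts a comment.  Emits the same record
shape as the BIND ARM example:  <name> CNAME .  ; NXDOMAIN policy
"""
import re
import time

# RFC 1123 hostname label: 1-63 chars, alphanumerics or '-', no leading/trailing '-'.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_domain(name: str) -> bool:
    """Reject entries that would break zone-file parsing or are not hostnames."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_blocklist(text: str) -> list[str]:
    """Return unique, lowercased domains; skips blanks, comments and junk."""
    seen, out = set(), []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if entry and is_valid_domain(entry) and entry not in seen:
            seen.add(entry)
            out.append(entry)
    return out


def render_rpz_zone(domains, serial: int, origin: str = "badlist") -> str:
    """Render an RPZ zone applying the NXDOMAIN policy (CNAME .) to each domain.

    Owner names are written relative (no trailing dot) so they stay inside the
    RPZ origin, which is what the policy-trigger matching requires.
    """
    lines = [
        "$TTL 1H",
        f"$ORIGIN {origin}.",
        f"@ SOA LOCALHOST. named-mgr.example.com. ({serial} 1h 15m 30d 2h)",
        "  NS LOCALHOST.",
        "; QNAME policy records. No trailing period on the owner names.",
    ]
    for d in domains:
        lines.append(f"{d} CNAME . ; NXDOMAIN policy")
        lines.append(f"*.{d} CNAME . ; NXDOMAIN policy (subdomains)")
    return "\n".join(lines) + "\n"


# Constructed sample input, not a real blocklist feed.
SAMPLE = "evil.example\n# comment\nBad.Example.\nnot a domain\nevil.example\n"

if __name__ == "__main__":
    print(render_rpz_zone(parse_blocklist(SAMPLE), serial=int(time.time())))
```

Write the output to the file named in the `zone "badlist"` statement and run `named-checkzone badlist <file>` before reloading; bump the serial on every regeneration so the change is picked up.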
Updated on September 18, 2022

Comments
-
Admin almost 2 years
I am trying to sinkhole/blackhole a list of domains using bind. I think my issue is using "Include" in the WRONG place on the conf. Can someone confirm the blacklist line of code is in the right place?

```
include "/etc/rndc.key";
controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
options {
    directory "/var/named"; // the default
    pid-file "/var/run/named/named.pid";
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    allow-transfer {"none";};
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
view "localhost_resolver" {
    include "/var/named/blacklist.zones"; //RIGHT HERE!!!!!!!!!!!!!!
    match-clients { 127.0.0.1/32; };
    match-destinations { localhost; };
    recursion yes;
    zone "." IN {
        type hint;
        file "/var/named/named.ca";
    };
    include "/var/named/named.rfc1912.zones";
};
view "internal" {
    match-clients { localnets; };
    match-destinations { localnets; };
    recursion yes;
    zone "." IN {
        type hint;
        file "/var/named/named.ca";
    };
    zone "my.real.domain" {
        type master;
        file "/var/named/my.real.domain.zone";
    };
};
view "external" {
    recursion no;
    zone "." IN {
        type hint;
        file "/var/named/named.ca";
    };
    zone "my.real.domain" {
        type master;
        file "/var/named/my.real.domain.zone";
    };
};
```

I could only get named service to start by putting it there. Log shows that the domains are loaded. Blacklist simply fw to 127.0.0.1, so this seems to work. When I `dig @127.0.0.1 blacklisted.domain` I get a successful answer, pointing to 127 .. and the configured nameserver. But when I `ping blacklisted.domain` it pings the real ip, it resolves through the DNS. Can someone shed some light? I simply want to block a list of domains from local access. I know, I love dnsmasq too.
-
Admin over 6 years
Using Rhel7 fyi. I want to use these resources dns-bh.sagadc.org
-
Admin over 6 years
"When I `dig @127.0.0.1 blacklisted.domain` I get successful answer, pointing to 127 .. and the configured nameserver." - This means that the bind setup itself seems to work, which was the security relevant part. "But when I `ping blacklisted.domain` it pings the real ip, it resolves through the DNS." - this suggests that ping is not using the name server you have configured to blacklist IP. Make sure `/etc/resolv.conf` is configured correctly to point to this nameserver. Also, it is off-topic on how to configure your system to use the correct DNS server, try superuser.com instead.
-
Admin over 6 years
Sorry, I wasn't sure either, I thought "security"... YES, ping is using resolv.conf, which in turn has the usual 8.8.8.8. What should I change this to? Literally the same NS I am using on the block? Then how will any other domain be queried?
-
Admin over 6 years
The bind configuration might have been security, but this configuration was already working. Configuring which DNS server to use is normal system configuration which has nothing to do with information security, i.e. off-topic. Also, the 8.8.8.8 was probably configured by you already so just configure it to use 127.0.0.1 in the same place instead. But again, it's off-topic and try superuser.com.
-
Admin over 6 years
Why is 8.8.8.8 "usual" in `/etc/resolv.conf`? Specifically when/if you run a local recursive nameserver this makes no sense. Also try 9.9.9.9 for a change instead ;-)
-
Ed Daniel over 6 years
Good answer, up-voted, also suggest to share RPZ OSINT resources here: dnsrpz.info
-
Admin over 6 years
These two lines absolutely do not answer the question on how to block some domains in bind. You absolutely never showed that you were using RPZ...
-
Admin almost 3 years
It only limits the query to the local ip and forwards the rest