1.7. Configuring response policy zones in BIND to override DNS records

Procedure

1. Edit the /etc/named.conf file, and make the following changes:

   1. Add a response-policy definition to the options statement:

      options {
          ...
      
          response-policy {
              zone "rpz.local";
          };
      
          ...
      }

      You can set a custom name for the RPZ in the zone statement in response-policy. However, you must use the same name in the zone definition in the next step.

   2. Add a zone definition for the RPZ you set in the previous step:

      zone "rpz.local" {
          type master;
          file "rpz.local";
          allow-query { localhost; 192.0.2.0/24; 2001:db8:1::/64; };
          allow-transfer { none; };
      };

      These settings state:

      • This server is the primary server (type master) for the RPZ named rpz.local.
      • The /var/named/rpz.local file is the zone file. If you set a relative path, as in this example, this path is relative to the directory you set in directory in the options statement.
      • Any hosts defined in allow-query can query this RPZ. Alternatively, specify IP ranges or BIND access control list (ACL) nicknames to limit the access.
      • No host can transfer the zone. Allow zone transfers only when you set up secondary servers and only for the IP addresses of the secondary servers.

2. Verify the syntax of the /etc/named.conf file:

   # named-checkconf

   If the command displays no output, the syntax is correct.

3. Create the /var/named/rpz.local file, for example, with the following content:

   $TTL 10m
   @ IN SOA ns1.example.com. hostmaster.example.com. (
                             2022070601 ; serial number
                             1h         ; refresh period
                             1m         ; retry period
                             3d         ; expire time
                             1m )       ; minimum TTL
   
                    IN NS    ns1.example.com.
   
   example.org      IN CNAME .
   *.example.org    IN CNAME .
   example.net      IN CNAME rpz-drop.
   *.example.net    IN CNAME rpz-drop.

   This zone file:

   • Sets the default time-to-live (TTL) value for resource records to 10 minutes. Without a time suffix, such as h for hour, BIND interprets the value as seconds.
   • Contains the required start of authority (SOA) resource record with details about the zone.
   • Sets ns1.example.com as an authoritative DNS server for this zone. To be functional, a zone requires at least one name server (NS) record. However, to be compliant with RFC 1912, you require at least two name servers.
   • Return an NXDOMAIN error for queries to example.org and hosts in this domain.
   • Drop queries to example.net and hosts in this domain.

   For a full list of actions and examples, see IETF draft: DNS Response Policy Zones (RPZ).

4. Verify the syntax of the /var/named/rpz.local file:

   # named-checkzone rpz.local /var/named/rpz.local
   zone rpz.local/IN: loaded serial 2022070601
   OK

5. Reload BIND:

   # systemctl reload named

   If you run BIND in a change-root environment, use the systemctl reload named-chroot command to reload the service.

Verification

1. Attempt to resolve a host in example.org, that is configured in the RPZ to return an NXDOMAIN error:

   # dig @localhost www.example.org
   ...
   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30286
   ...

   This example assumes that BIND runs on the same host and responds to queries on the localhost interface.

2. Attempt to resolve a host in the example.net domain, that is configured in the RPZ to drop queries:

   # dig @localhost www.example.net
   ...
   ;; connection timed out; no servers could be reached
   ...