Domain Name System Response Policy Zones (DNS RPZ) is a method that allows a nameserver administrator to overlay custom information on top of the global DNS in order to return alternate responses to queries. It is currently implemented in the ISC BIND nameserver (9.8 or later). Another generic name for the DNS RPZ functionality is "DNS firewall".
1. Create the zone file used for blocking with RPZ
[root@server-teguht ~]# cat /var/named/rpz.db
$TTL 1D
@ IN SOA ns1.example.com. root.example.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS ns1.example.com.
@ IN A 192.168.7.222
youtube.com IN CNAME @
www.youtube.com IN CNAME @
[root@server-teguht ~]#
2. Set the response policy in named.conf and declare the RPZ zone as a master zone that loads the file from step 1
[root@server-teguht ~]# cat /etc/named.conf
response-policy { zone "teguht.com" policy CNAME testRPZ.com; zone "ns1.example.com";};
zone "ns1.example.com" IN {
type master ;
file "/var/named/rpz.db" ;
} ;
3. Restart the named service so the new policy is loaded
[root@server-teguht ~]# systemctl restart named
[root@server-teguht ~]#
4. Test the policy with nslookup and dig: a domain not listed in the zone (yahoo.com) resolves normally, while a listed domain (youtube.com) is rewritten to the CNAME target and answered with the zone's A record (192.168.7.222)
[root@server-teguht ~]# nslookup
> yahoo.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: yahoo.com
Address: 98.138.219.231
Name: yahoo.com
Address: 98.137.246.7
Name: yahoo.com
Address: 72.30.35.9
Name: yahoo.com
Address: 98.137.246.8
Name: yahoo.com
Address: 98.138.219.232
Name: yahoo.com
Address: 72.30.35.10
>
> youtube.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
youtube.com canonical name = ns1.example.com.
Name: ns1.example.com
Address: 192.168.7.222
> exit
[root@server-teguht ~]#
[root@server-teguht ~]# dig @127.0.0.1 yahoo.com
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> @127.0.0.1 yahoo.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6836
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 5, ADDITIONAL: 9
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;yahoo.com. IN A
;; ANSWER SECTION:
yahoo.com. 78 IN A 98.137.246.7
yahoo.com. 78 IN A 72.30.35.10
yahoo.com. 78 IN A 98.138.219.231
yahoo.com. 78 IN A 98.137.246.8
yahoo.com. 78 IN A 98.138.219.232
yahoo.com. 78 IN A 72.30.35.9
;; AUTHORITY SECTION:
yahoo.com. 171073 IN NS ns5.yahoo.com.
yahoo.com. 171073 IN NS ns2.yahoo.com.
yahoo.com. 171073 IN NS ns4.yahoo.com.
yahoo.com. 171073 IN NS ns1.yahoo.com.
yahoo.com. 171073 IN NS ns3.yahoo.com.
;; ADDITIONAL SECTION:
ns1.yahoo.com. 171073 IN A 68.180.131.16
ns1.yahoo.com. 171073 IN AAAA 2001:4998:130::1001
ns5.yahoo.com. 171073 IN A 119.160.253.83
ns2.yahoo.com. 171073 IN A 68.142.255.16
ns2.yahoo.com. 171073 IN AAAA 2001:4998:140::1002
ns3.yahoo.com. 171073 IN A 203.84.221.53
ns3.yahoo.com. 171073 IN AAAA 2406:8600:b8:fe03::1003
ns4.yahoo.com. 171073 IN A 98.138.11.157
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 15 15:41:26 WIB 2019
;; MSG SIZE rcvd: 388
[root@server-teguht ~]#
[root@server-teguht ~]# dig @127.0.0.1 youtube.com
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> @127.0.0.1 youtube.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9782
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;youtube.com. IN A
;; ANSWER SECTION:
youtube.com. 5 IN CNAME ns1.example.com.
ns1.example.com. 86400 IN A 192.168.7.222
;; AUTHORITY SECTION:
ns1.example.com. 86400 IN NS ns1.example.com.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 15 15:42:05 WIB 2019
;; MSG SIZE rcvd: 96
[root@server-teguht ~]#
[root@server-teguht ~]# curl -XGET yahoo.com
redirect[root@server-teguht ~]#
[root@server-teguht ~]#
[root@server-teguht ~]# curl -XGET youtube.com
curl: (7) Failed connect to youtube.com:80; No route to host
[root@server-teguht ~]#