Thursday, August 15, 2019

.::: Block a domain using RPZ on a BIND DNS server (CentOS 7 / Redhat 7, 8, 9) :::.

Domain Name System Response Policy Zones (DNS RPZ) is a mechanism that lets a nameserver administrator overlay custom data on top of the global DNS so that selected queries receive alternate responses. It is currently implemented in the ISC BIND nameserver (9.8 or later). Another generic name for the DNS RPZ functionality is "DNS firewall".

1. Create the zone file that holds the RPZ block entries

[root@server-teguht ~]# cat /var/named/rpz.db
$TTL 1D
; RPZ policy zone: loaded by named.conf as zone "ns1.example.com" from /var/named/rpz.db.
; Every trigger name listed at the bottom is rewritten to the zone apex (@), i.e. to the
; A record 192.168.7.222 below. Presumably a sinkhole address -- nothing answers on port 80
; there in the curl test at the end of the post.
@    IN SOA ns1.example.com. root.example.com. (
                                        0      ;   serial  -- increment on each change
                                        1D     ;   refresh
                                        1H     ;   retry
                                        1W      ;  expire
                                        3H )     ; minimum
@ IN NS ns1.example.com.
; Address returned for every blocked name
; (dig shows: youtube.com -> CNAME ns1.example.com. -> A 192.168.7.222).
@ IN A 192.168.7.222

; RPZ QNAME triggers. Owner names are relative to the zone origin, so "youtube.com"
; here matches queries for youtube.com; "CNAME @" is the Local Data action that
; answers with the apex records above.
; NOTE(review): only these two exact names are matched; a wildcard entry such as
; "*.youtube.com IN CNAME @" would be needed to cover other subdomains -- confirm intent.
youtube.com IN CNAME @
www.youtube.com IN CNAME @
[root@server-teguht ~]#

2. Enable the response policy in named.conf
[root@server-teguht ~]# cat /etc/named.conf

// RPZ: "response-policy" lists the policy zones consulted, in order, before an answer
// is returned to the client. "teguht.com" gets a fixed action (policy CNAME testRPZ.com)
// regardless of its zone data; "ns1.example.com" (rpz.db below) uses the actions written
// in the zone itself (the "CNAME @" entries).
// NOTE(review): zone "teguht.com" is not declared in this excerpt; every response-policy
// zone must also have a zone statement in the same view -- confirm it exists elsewhere
// in named.conf.
// NOTE(review): by default BIND leaves DNSSEC-validated answers unmodified for clients
// that request DNSSEC (DO bit); see the response-policy "break-dnssec" option if such
// clients must be covered as well.
response-policy { zone "teguht.com" policy CNAME testRPZ.com; zone "ns1.example.com";};


// The policy zone is served as ordinary authoritative data, so the block list is
// readable by anyone allowed to query or transfer it. Consider adding
//   allow-query { localhost; };  allow-transfer { none; };
// inside this block. Naming the RPZ zone after the real nameserver also leaks
// ns1.example.com into every rewritten answer (see the dig output); a dedicated,
// non-public zone name is the usual convention.
zone "ns1.example.com"  IN {
type master ;
file "/var/named/rpz.db" ;
} ;

3. Restart the named service
[root@server-teguht ~]# systemctl restart named
[root@server-teguht ~]#

4. Test the block with nslookup and dig: yahoo.com (not listed in rpz.db) should still resolve normally, while youtube.com should be rewritten to the CNAME target defined in rpz.db.

[root@server-teguht ~]# nslookup
> yahoo.com
Server:        127.0.0.1
Address:    127.0.0.1#53

Non-authoritative answer:
Name:    yahoo.com
Address: 98.138.219.231
Name:    yahoo.com
Address: 98.137.246.7
Name:    yahoo.com
Address: 72.30.35.9
Name:    yahoo.com
Address: 98.137.246.8
Name:    yahoo.com
Address: 98.138.219.232
Name:    yahoo.com
Address: 72.30.35.10
>
> youtube.com
Server:        127.0.0.1
Address:    127.0.0.1#53

Non-authoritative answer:
youtube.com    canonical name = ns1.example.com.
Name:    ns1.example.com
Address: 192.168.7.222
> exit

[root@server-teguht ~]#

[root@server-teguht ~]# dig @127.0.0.1 yahoo.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> @127.0.0.1 yahoo.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6836
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 5, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;yahoo.com.            IN    A

;; ANSWER SECTION:
yahoo.com.        78    IN    A    98.137.246.7
yahoo.com.        78    IN    A    72.30.35.10
yahoo.com.        78    IN    A    98.138.219.231
yahoo.com.        78    IN    A    98.137.246.8
yahoo.com.        78    IN    A    98.138.219.232
yahoo.com.        78    IN    A    72.30.35.9

;; AUTHORITY SECTION:
yahoo.com.        171073    IN    NS    ns5.yahoo.com.
yahoo.com.        171073    IN    NS    ns2.yahoo.com.
yahoo.com.        171073    IN    NS    ns4.yahoo.com.
yahoo.com.        171073    IN    NS    ns1.yahoo.com.
yahoo.com.        171073    IN    NS    ns3.yahoo.com.

;; ADDITIONAL SECTION:
ns1.yahoo.com.        171073    IN    A    68.180.131.16
ns1.yahoo.com.        171073    IN    AAAA    2001:4998:130::1001
ns5.yahoo.com.        171073    IN    A    119.160.253.83
ns2.yahoo.com.        171073    IN    A    68.142.255.16
ns2.yahoo.com.        171073    IN    AAAA    2001:4998:140::1002
ns3.yahoo.com.        171073    IN    A    203.84.221.53
ns3.yahoo.com.        171073    IN    AAAA    2406:8600:b8:fe03::1003
ns4.yahoo.com.        171073    IN    A    98.138.11.157

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 15 15:41:26 WIB 2019
;; MSG SIZE  rcvd: 388

[root@server-teguht ~]#

[root@server-teguht ~]# dig @127.0.0.1 youtube.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> @127.0.0.1 youtube.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9782
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;youtube.com.            IN    A

;; ANSWER SECTION:
youtube.com.        5    IN    CNAME    ns1.example.com.
ns1.example.com.    86400    IN    A    192.168.7.222

;; AUTHORITY SECTION:
ns1.example.com.    86400    IN    NS    ns1.example.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 15 15:42:05 WIB 2019
;; MSG SIZE  rcvd: 96

[root@server-teguht ~]#

5. Test the block from a client with curl: youtube.com now resolves to 192.168.7.222 instead of the real site, so the HTTP connection fails.

[root@server-teguht ~]# curl -XGET yahoo.com
redirect[root@server-teguht ~]#
[root@server-teguht ~]#
[root@server-teguht ~]# curl -XGET youtube.com
curl: (7) Failed connect to youtube.com:80; No route to host
[root@server-teguht ~]#

