This tutorial shows you how to override public DNS records in your BIND DNS resolver on CentOS/RHEL using a Response Policy Zone (RPZ).

What is a Response Policy Zone?

A Response Policy Zone (RPZ) lets the DNS resolver rewrite DNS answers. It was originally designed as a way to block access to dangerous websites: if a computer asks for the IP address of a known malicious site, the resolver can answer with 127.0.0.1 so that the computer never connects to it. That is its original use, which is why a response policy zone is also referred to as a DNS firewall.

You can also use RPZ in other ways. For example:

  • If you self-host services such as Nextcloud on your local network, you can use RPZ to point your Nextcloud domain (nextcloud.your-domain.com) at its local IP address, so you don't have to go out to the Internet and back into your local network to reach the Nextcloud server.
  • Parents can use RPZ to prevent their children from accessing pornographic sites.
  • You can block unwanted advertisements.

Yes, you can add DNS records to the /etc/hosts file on your local computer to override public DNS records, but that does not scale. In addition, iOS and Android do not let you create local DNS records. Wouldn't it be better if the BIND DNS resolver overrode the public DNS record, so that every device on the network that uses the BIND resolver gets the custom record?

Requirements

To follow these instructions, it is assumed that a BIND DNS resolver is already running on your CentOS/RHEL server. If not, read the BIND resolver setup guide first.

Once your BIND resolver is running, follow the steps below.

Setting Up the Response Policy Zone on the CentOS/RHEL BIND Server

Open the named.conf file with a command-line text editor such as Nano.

sudo nano /etc/named.conf

Add the following lines to the options {…} clause to enable the response policy zone. (The first line is a comment.)

// Response policy zone.
response-policy {
     zone "rpz.local";
};


Then scroll to the end of the file and add the RPZ zone definition.

zone "rpz.local" {
    type master;
    file "/var/named/rpz.local";
    allow-query { localhost; };
    allow-transfer { 12.34.56.78; };
};

Notes:

  • Use an absolute path in the file directive rather than just a filename; otherwise BIND looks for the file relative to the directory option in named.conf (/var/named on CentOS/RHEL).
  • RPZ zones should only allow queries from localhost.
  • Replace 12.34.56.78 with the IP address of the slave BIND DNS resolver to allow zone transfers. If you have only one DNS resolver, you can use localhost instead: allow-transfer { localhost; };


It is recommended to use a separate log file for RPZ so the log is easier to analyze, so add the following channel and category to the logging {…} clause.

channel rpzlog {
    file "/var/log/named/rpz.log" versions unlimited size 10m;
    print-time yes;
    print-category yes;
    print-severity yes;
    severity info;
};
category rpz { rpzlog; };


Save and close the file. Then create the /var/log/named/ directory and make the named user its owner.

sudo mkdir /var/log/named/
sudo chown named:named /var/log/named/ -R

Next we need to create a zone file. Instead of writing a zone file from scratch, we can start from the zone template file: copy named.empty to a new file.

sudo cp /var/named/named.empty /var/named/rpz.local

Edit the zone file.

sudo nano /var/named/rpz.local

There is no need to change the existing content; we just append our custom DNS records. For example, if you have a Nextcloud server on your local network with the IP address 192.168.0.103, add the following record so that Nextcloud clients on the LAN reach the server directly instead of going out to the Internet.

nextcloud.your-domain.com    A    192.168.0.103

If you do not want your children to visit pornographic websites such as pornhub.com, add the following line to block the pornhub.com domain.

*.pornhub.com    CNAME    .

If you don't want to see Google AdSense ads on web pages, add the following line to block doubleclick.net, the domain used to serve AdSense ads.

*.doubleclick.net    CNAME    .

To override the MX record of a domain name, add a line like the one below.

example.com MX 0 mail.example.com.

Note that names on the left must NOT end with a dot (they are relative to the policy zone), while names on the right must end with a dot (they are absolute).

Save and close the file. Then make named the group owner of /var/named/rpz.local, otherwise named will not be able to load this zone.

sudo chown root:named /var/named/rpz.local

Then run the following command to check the main configuration file for syntax errors. Silent output means no errors were found.

sudo named-checkconf

Then check the syntax of the RPZ zone file.

sudo named-checkzone rpz.local /var/named/rpz.local

If no errors are reported, restart BIND.

sudo systemctl restart named

You can now run the dig command on the BIND server to check that the RPZ is working. For example, query a DNS record for a domain name included in the response policy zone.

dig nextcloud.your-domain.com @127.0.0.1

You should see something like this at the bottom of the output, which indicates that the answer came from the local RPZ.

;; AUTHORITY SECTION:
rpz.local.    86400    IN    NS    localhost.

You can also look at the BIND9 RPZ log.

sudo tail /var/log/named/rpz.log

You will see lines like the following, which mean the answer was rewritten by the local RPZ.

(example.com): rpz QNAME Local-Data rewrite example.com via example.com.rpz.local
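Reading the RPZ log by hand works for a handful of lines, but on a resolver serving a whole network you will want to summarize it: which policy actions fired, which names triggered them, and which clients are repeatedly hitting blocked names. The script below is an added example, not part of the original tutorial or of BIND; it parses the "rpz QNAME <action> rewrite <name> via <rule>" message format that the rpzlog channel writes (the timestamp and category prefix come from print-time and print-category). The sample log lines are constructed for the example, and the client addresses and names in them are invented.

```python
import re
from collections import Counter

# Constructed sample of /var/log/named/rpz.log as written by the "rpzlog" channel
# (print-time, print-category and print-severity enabled). Not taken from a real server.
SAMPLE_LOG = """\
08-Jan-2021 10:00:00.123 rpz: info: client @0x7f1a2c0d1d60 192.168.0.10#54321 (nextcloud.your-domain.com): rpz QNAME Local-Data rewrite nextcloud.your-domain.com via nextcloud.your-domain.com.rpz.local
08-Jan-2021 10:00:01.456 rpz: info: client @0x7f1a2c0d1d60 192.168.0.10#50011 (www.doubleclick.net): rpz QNAME NXDOMAIN rewrite www.doubleclick.net via www.doubleclick.net.rpz.local
08-Jan-2021 10:00:02.789 rpz: info: client @0x7f1a2c0d1d60 192.168.0.10#50012 (ads.doubleclick.net): rpz QNAME NXDOMAIN rewrite ads.doubleclick.net via ads.doubleclick.net.rpz.local
08-Jan-2021 10:00:03.321 rpz: info: client @0x7f1a2c0d1d60 192.168.0.11#41000 (www.pornhub.com): rpz QNAME NXDOMAIN rewrite www.pornhub.com via www.pornhub.com.rpz.local
08-Jan-2021 10:00:04.000 general: info: zone rpz.local/IN: loaded serial 3
"""

# Matches the rewrite message. The "@0x..." client handle is optional because
# older BIND versions do not print it.
RPZ_LINE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]+)\): rpz (?P<trigger>\S+) (?P<action>\S+) rewrite "
    r"(?P<name>\S+) via (?P<rule>\S+)"
)

# Actions that deny the lookup, as opposed to Local-Data answers that redirect it.
BLOCKING_ACTIONS = {"NXDOMAIN", "NODATA", "DROP"}


def parse_rpz_line(line):
    """Return a dict describing an RPZ rewrite line, or None for any other log line."""
    m = RPZ_LINE.search(line)
    if not m:
        return None
    event = m.groupdict()
    # The rule is "<matched name>.<policy zone>", so stripping the name yields the zone.
    prefix = event["name"] + "."
    event["zone"] = event["rule"][len(prefix):] if event["rule"].startswith(prefix) else event["rule"]
    return event


def parse_log(lines):
    """All RPZ rewrite events in an iterable of log lines, in order."""
    return [e for e in map(parse_rpz_line, lines) if e is not None]


def summarize(lines):
    """Counts of rewrites by action, policy zone and triggering name."""
    events = parse_log(lines)
    return {
        "total": len(events),
        "by_action": dict(Counter(e["action"] for e in events)),
        "by_zone": dict(Counter(e["zone"] for e in events)),
        "by_name": dict(Counter(e["name"] for e in events)),
    }


def clients_over(lines, min_blocked):
    """Clients with at least `min_blocked` blocked lookups; a quick way to spot a host
    that keeps asking for names the policy denies (ad libraries, or something worse)."""
    blocked = Counter(e["client"] for e in parse_log(lines) if e["action"] in BLOCKING_ACTIONS)
    return sorted(c for c, n in blocked.items() if n >= min_blocked)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(summarize(lines))
    print(clients_over(lines, 2))
```

To run it against the real log, replace SAMPLE_LOG.splitlines() with the lines of /var/log/named/rpz.log; the non-RPZ line in the sample shows that lines from other categories are ignored rather than breaking the parser.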

Using RPZ with Forwarders

If you add the forwarders directive to the options clause in /etc/named.conf, as shown below, your BIND resolver becomes a forwarder that passes DNS queries on to an upstream DNS resolver such as 8.8.8.8.

options {
        // listen-on port 53 { 127.0.0.1; };
        // listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { localhost; 10.10.60.0/24; };

        // Response policy zone.
        response-policy {
             zone "rpz.local";
        };

        forwarders {
             8.8.8.8;
             8.8.4.4;
        };
};

The response policy zone works together with the forwarders directive: BIND first consults the local response policy zone, and only if the name is not found in the RPZ is the query forwarded to the upstream DNS resolver.

Configuring Zone Transfer

If you have another BIND DNS resolver, you can configure it as a slave so that it automatically receives updates from the master DNS resolver.

First, edit the /etc/named.conf file on the master DNS resolver.

sudo nano /etc/named.conf

Add the IP address of the slave DNS resolver to the allow-transfer directive, and add an also-notify directive with the same address.

zone "rpz.local" {
    type master;
    file "/var/named/rpz.local";
    allow-query { localhost; };
    allow-transfer { 12.34.56.78; };
    also-notify { 12.34.56.78; };
};

If you have multiple slave DNS resolvers, list more than one IP address, like this:

allow-transfer { 12.34.56.78; 12.34.56.79; };

The also-notify directive makes the master DNS resolver send a NOTIFY message to the slave whenever the RPZ changes. Save and close the file, then restart BIND for the changes to take effect.

sudo systemctl restart named

If the master DNS resolver runs a firewall, you must allow the slave DNS resolver to connect to port 53.

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="12.34.56.78" accept'
sudo systemctl reload firewalld

Then edit the /etc/named.conf file on the slave DNS resolver.

sudo nano /etc/named.conf

Add the following lines to the options {…} clause to enable the response policy zone. (The first line is a comment.)

// Response policy zone.
response-policy {
     zone "rpz.local";
};

Then add the RPZ zone definition at the end of the file. Replace 11.22.33.44 with the IP address of the master DNS resolver.

zone "rpz.local" {
    type slave;
    file "rpz.local";
    masters { 11.22.33.44; };
    allow-transfer { none; };
    allow-query { localhost; };
};

Save the file and close it.

You also need to configure the firewall on the slave resolver so that the master DNS resolver can deliver NOTIFY messages to it.

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="11.22.33.44" accept'
sudo systemctl reload firewalld

Then run the following command to check the main configuration file for syntax errors. Silent output means no errors were found.

sudo named-checkconf

If no errors are reported, restart BIND.

sudo systemctl restart named

After BIND restarts, the zone transfer begins immediately. Check the BIND9 log with the following command.

sudo journalctl -eu named

You should see messages indicating a successful zone transfer, like these:

transfer of 'rpz.local/IN' from xx.xx.xx.xx#53: Transfer status: success
transfer of 'rpz.local/IN' from xx.xx.xx.xx#53: Transfer completed: 1 messages, 34 records, 899 bytes, 0.248 secs (3625 bytes/sec)

On the slave resolver the zone file is stored as /var/named/rpz.local.

Note: whenever you change the RPZ on the master resolver, you must increment the serial number in the zone file so that the slaves know the zone has changed.
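Two rules in this tutorial are easy to get wrong when editing the zone file by hand: the trailing-dot rule for names (owner names on the left are relative to the policy zone and must not end with a dot; target names on the right must be absolute), and the requirement above that the SOA serial be incremented after every change or the slaves will never pull the update. The script below is an added example, written for this page and not part of BIND or the original tutorial. It parses a zone file in the named.empty layout, reports dot-rule violations, shows which action each entry will produce (the special CNAME targets ".", "*.", "rpz-passthru.", "rpz-drop." and "rpz-tcp-only." are defined by the RPZ format; everything else is local data), and bumps the serial. The sample zone is constructed for the example; the IP address and domain names in it are the tutorial's placeholders, and the apex line for pornhub.com is added because a wildcard entry on its own does not match the bare domain.

```python
import re

# Constructed sample zone file: the /var/named/named.empty template with the
# tutorial's records appended. Not a file taken from any server.
SAMPLE_ZONE = """\
$TTL 3H
@       IN SOA  @ rname.invalid. (
                                        3       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
nextcloud.your-domain.com   A       192.168.0.103
pornhub.com                 CNAME   .     ; apex entry: the wildcard below does not cover it
*.pornhub.com               CNAME   .
*.doubleclick.net           CNAME   .
example.com                 MX      0 mail.example.com.
"""

KNOWN_TYPES = {"A", "AAAA", "CNAME", "DNAME", "MX", "NS", "PTR", "SOA", "TXT"}
NAME_RDATA_TYPES = {"CNAME", "DNAME", "MX", "NS", "PTR"}   # rdata ends in a domain name
# Special CNAME targets defined by the RPZ format and the action BIND applies for them.
SPECIAL_TARGETS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}
# The "<number> ; serial" line of the named.empty SOA block.
SERIAL_RE = re.compile(r"^[ \t]*(?P<serial>\d+)(?=[ \t]*;[ \t]*serial\b)", re.M)


def iter_records(text):
    """Yield (owner, rtype, rdata) for each record line. Skips $ directives, comments
    and SOA continuation lines; a line starting in column 0 sets a new owner name,
    an indented line reuses the previous one (as in named.empty)."""
    owner = "@"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line or line.lstrip().startswith("$"):
            continue
        tokens = line.split()
        if not raw[0].isspace():
            owner = tokens.pop(0)
        idx = next((i for i, t in enumerate(tokens) if t.upper() in KNOWN_TYPES), None)
        if idx is None:                                # e.g. "1D ; refresh" inside the SOA
            continue
        yield owner, tokens[idx].upper(), tokens[idx + 1:]


def check_records(text):
    """Apply the tutorial's dot rule; returns a list of human-readable problems."""
    problems = []
    for owner, rtype, rdata in iter_records(text):
        if rtype == "SOA":
            continue
        if owner != "@" and owner.endswith("."):
            problems.append(f"{owner}: owner names are relative to the zone and must not end with a dot")
        if rtype in NAME_RDATA_TYPES and rdata:
            target = rdata[-1]
            if target != "@" and not target.endswith("."):
                problems.append(f"{owner} {rtype} {target}: target names must be absolute (end with a dot)")
    return problems


def policy_table(text):
    """Map each trigger name in the RPZ to the action BIND will take for it."""
    table = {}
    for owner, rtype, rdata in iter_records(text):
        if owner == "@" or rtype == "SOA":             # apex records describe the zone itself
            continue
        if rtype == "CNAME" and rdata:
            table[owner] = SPECIAL_TARGETS.get(rdata[0], "Local-Data")
        else:
            table[owner] = "Local-Data"
    return table


def bump_serial(text):
    """Increment the SOA serial so slaves notice the change; returns (new_text, new_serial)."""
    m = SERIAL_RE.search(text)
    if m is None:
        raise ValueError("no '; serial' line found in the zone file")
    new_serial = int(m.group("serial")) + 1
    return text[:m.start("serial")] + str(new_serial) + text[m.end("serial"):], new_serial


if __name__ == "__main__":
    print("problems:", check_records(SAMPLE_ZONE))
    print("policies:", policy_table(SAMPLE_ZONE))
    updated, serial = bump_serial(SAMPLE_ZONE)
    print("new serial:", serial)
```

In practice you would read /var/named/rpz.local, run check_records on it, and only write back the bump_serial result (followed by named-checkzone and a reload) when the problem list is empty.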

Creating Multiple RPZ Zones

Sometimes you do not want certain DNS records to be transferred to the slave resolvers. For those you can create a separate RPZ zone. Edit the /etc/named.conf file.

sudo nano /etc/named.conf

Add the new RPZ zone to the response-policy clause.

// Response policy zone.
response-policy {
     zone "rpz.local";
     zone "rpz.local.notransfer";
};

Add the new zone definition at the end of the file.

zone "rpz.local.notransfer" {
    type master;
    file "/var/named/rpz.local.notransfer";
    allow-query { localhost; };
    allow-transfer { localhost; };
};

Save and close the file. Then create the zone file. Instead of writing one from scratch, start from the zone template file: copy named.empty to a new file.

sudo cp /var/named/named.empty /var/named/rpz.local.notransfer

Edit the zone file and add your records as before.

sudo nano /var/named/rpz.local.notransfer

Wrapping Up

I hope this tutorial helped you set up a response policy zone in your BIND DNS resolver on CentOS/RHEL. As always, if you found this post useful, subscribe to our free newsletter for more tips and tricks. Take care.
