
I wanted to take my existing internal DNS BIND servers and add some RPZ security. Previously I had split DNS with my internal view set to forward 3 specific domains to my office's internal DNS servers.

    zone "company.tld" IN {
            type forward;
            forward only;
            forwarders {
                    10.10.161.1;
                    10.11.161.1;
                    };
    };

Which worked great. Once I added RPZ after signing up with a transfer provider:

    response-policy {
            zone "oisd-full.ioc2rpz" policy nxdomain;
    } qname-wait-recurse no break-dnssec yes;

I can see my RPZ working great, but my forwarded zone is being caught in the RPZ. (Yeah, one of many companies I have worked for that inadvertently used an internal TLD that is now on someone's naughty list).

I tried making this domain a whitelist, but BIND requires that my zone definition be a MASTER or SLAVE type, not a forward.

I am not finding a good example of anyone that has gotten both features to work, i.e. allow BIND to either look at all its local zones first, before RPZ, or tag a whitelist so that it still looks at its view configuration for answers if it is marked passthru.

Ideas?

1 Answer


While debugging more (enabling lots of logs) I got to the root of the issue. When I updated BIND 9 to support RPZ, I did not realize I had enabled DNSSEC and my forwarder was failing the trust chain (as it has none). I globally disabled DNSSEC deliberately, and my RPZ whitelist with my company AD domain in my whitelist zone as PASSTHRU now works.

Now I am off to learn DNSSEC so I can better understand it, and shutting off my query logging before my disk fills up.

Stephen Kitt
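The configuration the question and answer describe, written out as one complete fragment: a local RPZ zone of type master holding a PASSTHRU rule for the forwarded AD domain, listed ahead of the provider's feed zone so that it matches first, and the forward zone left as it was. This is an added example, not the poster's configuration or the ioc2rpz provider's; the zone name `rpz.local`, the file path, and the placeholder for the feed zone's masters are assumptions.

```conf
options {
    // The answer disabled DNSSEC validation globally because the
    // office forwarders have no trust chain. This is the blunt fix;
    // see the note below for a narrower one.
    dnssec-validation no;

    // RPZ zones are consulted in the order listed and the first zone
    // with a matching trigger wins, so the local whitelist must come
    // before the blocklist feed. Default policy "given" means each
    // zone's own records decide the action.
    response-policy {
        zone "rpz.local";                          // local PASSTHRU rules (assumed name)
        zone "oisd-full.ioc2rpz" policy nxdomain;  // provider feed from the question
    } qname-wait-recurse no break-dnssec yes;
};

// RPZ zones must be authoritative (master/slave), which is why the
// forward zone itself cannot be used as the whitelist.
zone "rpz.local" IN {
    type master;
    file "/etc/bind/db.rpz.local";   // assumed path, contents shown below
    allow-query { none; };           // never serve the policy zone to clients
};

// The feed zone is a slave pulled from the transfer provider; the
// masters address comes from the provider's instructions and is not
// reproduced here.
zone "oisd-full.ioc2rpz" IN {
    type slave;
    file "/var/cache/bind/oisd-full.ioc2rpz";
    masters { /* provider address */ };
    allow-query { none; };
};

// The forward zone from the question, unchanged.
zone "company.tld" IN {
    type forward;
    forward only;
    forwarders {
        10.10.161.1;
        10.11.161.1;
    };
};

// --- /etc/bind/db.rpz.local (assumed file) ---
// A trigger name with a CNAME to "rpz-passthru." tells BIND to leave
// the answer alone. The wildcard covers hosts beneath the domain,
// which is what an AD domain lookup actually asks for.
//
// $TTL 300
// @                IN SOA  localhost. root.localhost. ( 1 3600 900 604800 300 )
//                  IN NS   localhost.
// company.tld      IN CNAME rpz-passthru.
// *.company.tld    IN CNAME rpz-passthru.
```

Check the result with `named-checkconf` and `named-checkzone rpz.local /etc/bind/db.rpz.local` before reloading, then query a host under `company.tld` with `dig` and confirm the answer comes from the forwarders rather than returning NXDOMAIN. Turning validation off for the whole server is wider than the problem needs: recent BIND 9 releases accept `validate-except { "company.tld"; };` in `options`, which skips DNSSEC validation only for that subtree and keeps it on for everything else (this option is not mentioned on the page and is offered here as the practitioner's alternative to `dnssec-validation no`).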