RPZ Zone Blocker Functions

29 July, 2020
RPZ can be used to implement a simple zone blocker in a recursive server that provides the following functionality:

  1. The resolver operator defines, in an RPZ zone file, the domain names that users are to be blocked from accessing. The reasons for doing this may be anything from eliminating access to non-essential sites in a work environment, to blocking sites of a distasteful nature where young people may be involved, to preventing access to sites known to infect PCs with viruses.
  2. When a user attempts to access a domain name that is blocked by the RPZ feature, the request may be diverted to an alternative web site or it may simply be dropped.
  3. The RPZ configuration is flat: it does not differentiate in any way between users. All users who access the public Internet via any resolver running this RPZ file will be blocked from the sites defined in it.

This domain name blocker uses a trivial subset of the full power of the RPZ feature, both to keep the configuration simple and to minimize the danger of inadvertent collateral damage, which is very easy to cause with RPZ.
RPZ named.conf

The RPZ feature is invoked by referencing one or more RPZ zones within a response-policy statement in the global options clause. Each RPZ zone must also be defined using a normal zone clause.

RPZ is only possible in a recursive server. The named.conf fragment required to invoke RPZ is shown below. One caveat: by default (break-dnssec no) named does not rewrite a DNSSEC-signed answer for a client that asked for DNSSEC data (DO bit set), so such clients bypass the blocker for signed domains; adding break-dnssec yes to the response-policy statement makes the rewrite unconditional, at the cost that a validating client will see the rewritten answer as bogus.

// example.com named.conf fragments relevant to RPZ

// stream the log to separate rpz info
logging {
  channel normal-log {
    // alternatively use default_syslog above to log
    // everything apart from RPZ info to syslog and omit
    // the file statement below
    file "/var/named/named.log" versions 3 size 1m;
    severity info;
  };
  channel named-rpz {
    // change path as appropriate
    file "/var/named/rpz.log" versions 3 size 250k;
    severity info;
  };
  // every query rewritten by a policy zone is logged here
  category rpz {
    named-rpz;
  };
  // everything else
  category default {
    normal-log;
  };
};

options {
  ...
  // this must be a recursive server
  recursion yes; // the default but good practice
  // CLOSE the server - change IPs as appropriate
  // or use allow-recursion {localnets; localhost;};
  allow-recursion {192.168.2.0/24;};
  // invoke RPZ
  response-policy {zone "perfume.example.com";};
  ...
  allow-transfer {none;};
  allow-update {none;};
};

// RPZ zone definition
zone "perfume.example.com" {
  type master;
  file "master/perfume.example.com";
};

// standard recursive zone files
// hints, localhost forward and reverse maps
// reverse map for 192.168.2/24
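The named-rpz channel above writes one line to rpz.log for every query a policy zone rewrites. As an added example (not code from the original page), the Python script below parses such a log and summarises which clients, which policy actions and which policy records fired, so that an operator can spot a host that is repeatedly hitting a rule. The log lines inside it are constructed for the example in the shape named uses for the rpz category ("rpz <trigger> <policy> rewrite <name> via <policy record>"); the client addresses and names, and the function names parse_rpz_line, summarise_rpz_log and noisy_clients, are assumptions made here.

```python
import re
from collections import Counter

# Constructed sample of an rpz.log written by the named-rpz channel above.
# The channel sets no print-time/print-category, so each line starts with
# "client"; newer named versions insert a "@0x..." client handle, which the
# parser tolerates. Addresses, names and the DROP/CNAME mix are made up.
SAMPLE_RPZ_LOG = """\
client @0x7f2c1c0a1b00 192.168.2.10#51234 (www.example.net): rpz QNAME CNAME rewrite www.example.net via www.example.net.perfume.example.com
client @0x7f2c1c0a1b00 192.168.2.10#51240 (ftp.example.net): rpz QNAME CNAME rewrite ftp.example.net via *.example.net.perfume.example.com
client @0x7f2c1c0a2c00 192.168.2.22#40001 (mail.example.org): rpz QNAME DROP rewrite mail.example.org via *.example.org.perfume.example.com
client @0x7f2c1c0a2c00 192.168.2.22#40002 (mail.example.org): rpz QNAME DROP rewrite mail.example.org via *.example.org.perfume.example.com
client @0x7f2c1c0a2c00 192.168.2.22#40003 (ftp.example.net): rpz QNAME CNAME rewrite ftp.example.net via *.example.net.perfume.example.com
"""

# One rewrite record: who asked, what they asked for, which trigger type
# (QNAME for this blocker) and policy fired, and which RR in the policy
# zone matched (the wildcard or the exact name).
RPZ_LINE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): rpz (?P<trigger>\S+) (?P<policy>\S+) rewrite "
    r"(?P<name>\S+) via (?P<rule>\S+)"
)


def parse_rpz_line(line):
    """Fields of one RPZ rewrite line, or None if the line is not one."""
    m = RPZ_LINE.search(line)
    return m.groupdict() if m else None


def summarise_rpz_log(text):
    """Counts of rewrites per client, per policy action and per policy RR."""
    hits = [h for h in (parse_rpz_line(l) for l in text.splitlines()) if h]
    return {
        "total": len(hits),
        "by_client": Counter(h["client"] for h in hits),
        "by_policy": Counter(h["policy"] for h in hits),
        "by_rule": Counter(h["rule"] for h in hits),
    }


def noisy_clients(text, threshold):
    """Clients that tripped the policy at least `threshold` times. A host
    that keeps asking for a blocked name is worth a closer look: it may be
    infected rather than merely curious."""
    summary = summarise_rpz_log(text)
    return sorted(c for c, n in summary["by_client"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarise_rpz_log(SAMPLE_RPZ_LOG)
    print("rewrites:", s["total"])
    for key in ("by_client", "by_policy", "by_rule"):
        for item, n in s[key].most_common():
            print(f"{key:10} {n:4} {item}")
    print("noisy clients (>=3):", noisy_clients(SAMPLE_RPZ_LOG, 3))
```

Run it against the real file with the sample replaced by open("/var/named/rpz.log").read(); the "by_rule" counts also tell you which wildcard or exact-name RR in perfume.example.com is doing the work, which is useful when pruning the zone.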

RPZ Zone File

The following commented zone file shows, as a set of alternative fragments, diversion of the various blocked domain names to one or more alternative sites, or dropping of the query outright.

; zone file perfume.example.com
$TTL 2h ; default TTL
$ORIGIN perfume.example.com.
; email address is never used
@        SOA nonexistent.nodomain.none. dummy.nodomain.none. 1 12h 15m 3w 2h
; name server is never accessed; note that it is out-of-zone
         NS  nonexistent.nodomain.none.

; NOTE: the sections below are alternatives for the same names; a name
; may carry only one CNAME, so pick one treatment per domain and
; increment the SOA serial whenever the file changes

; divert single domain name www.example.net to
; special web page at explain.example.com
; explain.example.com must have A/AAAA RR
; in the example.com zone file
www.example.net CNAME explain.example.com.

; divert whole example.net domain name to
; special web page at explain.example.com
; the wildcard does not match the bare name, so both RRs are needed
; explain.example.com must have A/AAAA RR
; in the example.com zone file
example.net CNAME explain.example.com.
*.example.net CNAME explain.example.com.

; divert just subdomains of example.net domain name to
; special web page at explain.example.com
; allows MX record to be read and web sites of form http://example.net
; but blocks, for instance, www.example.net or ftp.example.net
; explain.example.com must have A/AAAA RR
; in the example.com zone file
*.example.net CNAME explain.example.com.

; divert different domains to different locations
; special web pages at explain and noway.example.com
; both noway and explain.example.com must have A/AAAA RRs
; in the example.com zone file
example.net CNAME explain.example.com.
*.example.net CNAME explain.example.com.
example.org CNAME noway.example.com.
*.example.org CNAME noway.example.com.

; no response (timeout) for a single domain name
; www.example.net
; rpz-drop. is a special RPZ target (BIND 9.10 and later): named
; discards the query and the client sees a timeout
www.example.net CNAME rpz-drop.

; no response (timeout) to whole example.net domain name
example.net CNAME rpz-drop.
*.example.net CNAME rpz-drop.

; no response (timeout) to subdomains of example.net domain name
; allows MX record to be read and web sites of form http://example.net
; but drops, for instance, www.example.net or ftp.example.net
*.example.net CNAME rpz-drop.
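Hand-editing the policy zone is where the collateral damage mentioned at the top of this page usually comes from: a wildcard added without its bare name, the same name given two actions, or a divert target placed under a domain that the same file blocks. As an added example (not code from the original page), the Python script below builds the zone from a list of rules instead, emitting the "bare name plus wildcard" pairs shown above together and refusing to render a file in which a name has two actions or an explanation host is itself caught by a rule. The BlockRule type, its scope values, the function names and the names under the reserved .example TLD are assumptions made for this example.

```python
from dataclasses import dataclass

# Special RPZ CNAME target: named drops the query and the client times out.
DROP = "rpz-drop."


@dataclass
class BlockRule:
    domain: str            # name to act on, written without a trailing dot
    target: str            # DROP, or the FQDN (trailing dot) of the explanation page
    scope: str = "whole"   # "whole": name and subdomains; "subdomains": wildcard
                           # only (MX and http://domain still work); "single": exact name


def rpz_records(rule):
    """Owner/target pairs for one rule, mirroring the zone fragments above."""
    if rule.target != DROP and not rule.target.endswith("."):
        raise ValueError(f"divert target {rule.target!r} must be fully qualified")
    name = rule.domain.rstrip(".")
    if rule.scope == "single":
        return [(name, rule.target)]
    if rule.scope == "subdomains":
        return [("*." + name, rule.target)]
    if rule.scope == "whole":
        # the wildcard alone would not catch the bare name
        return [(name, rule.target), ("*." + name, rule.target)]
    raise ValueError(f"unknown scope {rule.scope!r}")


def rule_matches(rule, host):
    """Would a query for `host` be caught by this rule?"""
    d = rule.domain.rstrip(".")
    if rule.scope == "single":
        return host == d
    if rule.scope == "subdomains":
        return host.endswith("." + d)
    return host == d or host.endswith("." + d)


def build_rpz_zone(origin, rules, serial, ttl="2h"):
    """Render the RPZ zone text. Raises ValueError if a name would receive
    two different actions, or if a divert target is itself blocked by one
    of the rules (the explanation page could then never be reached)."""
    records = {}
    for r in rules:
        for owner, target in rpz_records(r):
            if owner in records and records[owner] != target:
                raise ValueError(f"{owner} has two actions: {records[owner]} and {target}")
            records[owner] = target
    for r in rules:
        if r.target != DROP:
            host = r.target.rstrip(".")
            if any(rule_matches(b, host) for b in rules):
                raise ValueError(f"divert target {host} is itself blocked")
    lines = [
        f"; generated RPZ zone {origin}",
        f"$TTL {ttl}",
        f"$ORIGIN {origin}.",
        "; SOA and NS are placeholders and never used; bump the serial on every change",
        f"@ SOA nonexistent.nodomain.none. dummy.nodomain.none. {serial} 12h 15m 3w 2h",
        "  NS nonexistent.nodomain.none.",
    ]
    lines += [f"{owner} CNAME {records[owner]}" for owner in sorted(records)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed rule set: divert example.net, divert only subdomains of
    # example.org, and silently drop everything under bad.example.
    rules = [
        BlockRule("example.net", "explain.example.com."),
        BlockRule("example.org", "noway.example.com.", "subdomains"),
        BlockRule("bad.example", DROP),
    ]
    print(build_rpz_zone("perfume.example.com", rules, serial=2020072901))
```

Write the output to master/perfume.example.com, run named-checkzone perfume.example.com master/perfume.example.com, and then rndc reload perfume.example.com; named applies the new policy without a restart.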