BIND9 DNS RPZ

Currently using DNSBL, reject unknown reverse client and sender, and the spam filter to detect spam mails, and it works out not bad.
I have read about RPZ, aka DNS firewall, and want to try it out using Ubuntu and BIND9 as a forwarding DNS server for PMG.

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-16-04

1. First, install bind9.

sudo apt-get install bind9

2. Since Ubuntu 18.04 uses systemd-resolved by default, replace /etc/resolv.conf with a symlink to the file managed by systemd-resolved.

sudo rm /etc/resolv.conf
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

3. Set up bind9 as a forwarding-only DNS server. Edit /etc/bind/named.conf.options:

acl allow-networks {
        #192.168.40.0/24;
        192.168.40.106;
        localhost;
        #localnets;
};

options {
        directory "/var/cache/bind";

        recursion yes;
        allow-query { allow-networks; };

        forwarders {
                192.168.41.180;
                192.168.41.181;
        };
        forward only;

        dnssec-enable yes;
        dnssec-validation yes;

        #dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
};

4. Configure your client to use this machine as its DNS server, then use nslookup and dig to test name resolution.

5. I am using abuse.ch for the RPZ file. Just follow the guide https://abuse.ch/blog/using-urlhaus-as-response-policy-zone-rpz/ to configure the RPZ.

Point your PMG to use this as your DNS server.

Any domain listed in abuse.ch's RPZ will be answered with NXDOMAIN by your DNS server.
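As an added example (not from the original post, PMG or abuse.ch), a small Python checker that reads the QNAME triggers of an RPZ zone file in the URLhaus layout and reports the action BIND would apply to a query name, which is handy for inspecting a feed before pointing the resolver at it. The zone text is constructed, owner names are assumed to be relative to the zone apex as in the feed, and the lookup is simplified to exact match followed by the closest wildcard (no CLIENT-IP, NSDNAME or NSIP triggers).

```python
"""Offline checker for an RPZ zone file in the abuse.ch URLhaus layout.
Added example, not part of the original post; the zone text is constructed.
Reads QNAME triggers (owner names carrying CNAME/A/AAAA records) and reports
the action BIND would apply to a query name, to inspect a feed before use."""

# Constructed sample; owner names are relative to the zone apex, as in the feed.
SAMPLE_RPZ = """\
$TTL 30
@ SOA rpz.urlhaus.abuse.ch. hostmaster.urlhaus.abuse.ch. 2020031400 300 1800 604800 30
  NS localhost.
; constructed entries for illustration only
malware-host.example CNAME .
*.malware-host.example CNAME .
tracker.example CNAME *.
cdn.allowlisted.example CNAME rpz-passthru.
sinkhole.example A 127.0.0.1
"""

# Special RPZ CNAME targets and the action they encode; anything else is local data.
RPZ_SPECIAL = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
               "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}

def parse_rpz(text):
    """Return {trigger_name: action} for the QNAME triggers in the zone text."""
    policy = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith((";", "$")):
            continue                        # blank, comment or $-directive
        tokens = line.split()
        if line[0].isspace() or tokens[0] == "@":
            continue                        # apex SOA/NS records are not triggers
        idx = next((i for i, t in enumerate(tokens)
                    if t.upper() in ("CNAME", "A", "AAAA")), None)
        if idx is None or idx + 1 >= len(tokens):
            continue
        name, rdata = tokens[0].lower().rstrip("."), tokens[idx + 1].lower()
        policy[name] = RPZ_SPECIAL.get(rdata, f"LOCAL-DATA {rdata}")
    return policy

def rpz_lookup(policy, qname):
    """Simplified QNAME match: exact trigger first, then the closest wildcard."""
    q = qname.lower().rstrip(".")
    if q in policy:
        return policy[q]
    labels = q.split(".")
    for i in range(1, len(labels)):         # *.b.c matches a.b.c, not b.c itself
        wild = "*." + ".".join(labels[i:])
        if wild in policy:
            return policy[wild]
    return "NO-MATCH"
```

Run rpz_lookup(parse_rpz(open("urlhaus.rpz").read()), "some.host") against the downloaded feed to confirm a name is blocked (NXDOMAIN) before trusting dig output from the resolver.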
