Setting up BIND RPZ - Paiet/SEC-440-Webmin GitHub Wiki
Suppose you run the recursive resolver that your users' machines point at (an office, a campus, or a hosting network) and you want it to refuse, or redirect, answers for domains you know to be malicious: phishing sites, malware command-and-control, or a typo-squatted domain a user has been tricked into visiting. Response Policy Zones (RPZ) are BIND 9's built-in way to do this; the feature is often described as a DNS firewall.
The resolver still performs normal recursion, but before returning an answer it consults one or more specially formatted policy zones. If the query name, the addresses in the answer, the name servers that supplied it, or the client's address match a rule in such a zone, the resolver rewrites the response according to the rule's action (for example NXDOMAIN, an empty answer, or a local "walled garden" address).
RPZ does not authenticate users and does not inspect application traffic: it only changes what the resolver answers, so it does nothing for clients that use a different resolver, hard-coded IP addresses, or DNS over HTTPS to another provider. This page shows how to set up a policy zone on a BIND 9 resolver under Debian/Ubuntu and how the policy records work.
--
How to Set Up BIND Resolver
Installing BIND9 Resolver is easy. Just run the following command on Debian/Ubuntu:
sudo apt-get install bind9
After installing, you will need to configure the server.
First, open the file /etc/bind/named.conf.options for editing: sudo vim /etc/bind/named.conf.options
The response-policy statement goes inside the existing options { } block (not at the end of the file, where it would sit outside options and be rejected), and it names the policy zone:
response-policy { zone "rpz"; };
The zone itself is declared like any other local zone. On Debian/Ubuntu the conventional place is /etc/bind/named.conf.local, which named.conf already includes:
zone "rpz" { type master; file "/etc/bind/rpz"; allow-query { none; }; };
allow-query { none; } keeps clients from reading the policy zone directly; the resolver's own policy lookups are not subject to that ACL. Check the result with sudo named-checkconf, then reload the service (sudo systemctl reload bind9 on older releases, sudo systemctl reload named on newer ones).
--
What is a Response Policy Zone?
A response policy zone is an ordinary DNS zone, held locally as a master zone or transferred from a threat-intelligence feed as a slave, whose records are not served to clients but are read by the resolver to decide whether an answer should be rewritten. Each record in the zone is one rule, and a rule has two parts:
- A trigger, encoded in the record's owner name: the query name itself (a plain name, or a wildcard such as *.example to cover every name below it); an address in the answer (owner names under rpz-ip); the name of an authoritative server for the answer (rpz-nsdname); an address of such a server (rpz-nsip); or the address of the client that asked (rpz-client-ip).
- An action, encoded in the record's data: CNAME . returns NXDOMAIN; CNAME *. returns NODATA (the name exists but has no records); CNAME rpz-passthru. exempts the match from policy, which is how you whitelist one name under a blocked wildcard; CNAME rpz-drop. discards the query without answering; CNAME rpz-tcp-only. sends a truncated answer so the client retries over TCP; and any other record (an A record pointing at a sinkhole or walled-garden address, say) is returned as the answer itself.
When several rules match, the first matching zone in the response-policy list wins; within a zone the trigger types take precedence in the order client IP, query name, answer IP, name server name, name server IP, and an exact name is found before a wildcard. Whatever the action, it is carried out entirely by the resolver: RPZ cannot open an HTTP connection, redirect TCP traffic, or block a client that never asks the resolver.
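The trigger and action encoding above, as an added example that is not part of the original page: a small POSIX shell model of how a resolver evaluates QNAME triggers against a policy zone (exact owner first, then the closest wildcard ancestor), decodes the action from the CNAME target, and builds the owner name for an IP trigger. The sample policy zone is constructed for the example; the model covers only QNAME matching within one zone and ignores the other trigger types, zone ordering, and DNSSEC.

```shell
#!/bin/sh
# Added example, not from the original page: a model of how a resolver applies
# QNAME triggers from one policy zone. Exact owner match first, then wildcards
# from the closest ancestor upward; the CNAME target encodes the action.
# Simplified on purpose: no other trigger types, no zone ordering, no DNSSEC.
set -eu
set -f   # owner names contain '*'; never let the shell glob them

# Constructed sample policy zone (owner, type, data); owners are relative to the origin.
RPZ_SAMPLE='malware.example         CNAME .
*.malware.example       CNAME .
legit.malware.example   CNAME rpz-passthru.
tracker.example         CNAME *.
sinkhole.example        A     192.0.2.1
*.drop.example          CNAME rpz-drop.'

# rpz_action TARGET: the policy action a CNAME target stands for.
rpz_action() {
    case $1 in
        .)             echo NXDOMAIN ;;
        '*.')          echo NODATA ;;
        rpz-passthru.) echo PASSTHRU ;;
        rpz-drop.)     echo DROP ;;
        rpz-tcp-only.) echo TCP-ONLY ;;
        *)             echo "LOCAL-DATA CNAME $1" ;;   # a real CNAME: returned as the answer
    esac
}

# rpz_lookup QNAME: prints the action for a query name, or NO-MATCH.
rpz_lookup() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=${name%.}                       # owners are case-insensitive, no trailing dot
    candidates=$name                     # 1) the exact name
    rest=$name
    while [ "${rest#*.}" != "$rest" ]; do
        rest=${rest#*.}                  # 2) *.parent, 3) *.grandparent, ...
        candidates="$candidates *.$rest" # a wildcard never matches its own apex
    done
    for owner in $candidates; do
        rr=$(printf '%s\n' "$RPZ_SAMPLE" | awk -v o="$owner" '$1 == o { print $2, $3; exit }')
        [ -n "$rr" ] || continue
        set -- $rr                       # $1 = type, $2 = data
        if [ "$1" = CNAME ]; then rpz_action "$2"; else echo "LOCAL-DATA $1 $2"; fi
        return 0
    done
    echo NO-MATCH
}

# rpz_ip_owner A.B.C.D/N: owner name for an IP trigger (prefix length, then octets reversed).
rpz_ip_owner() {
    addr=${1%/*}
    plen=${1#*/}
    printf '%s.%s.rpz-ip\n' "$plen" "$(printf '%s' "$addr" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }')"
}

for q in malware.example evil.malware.example legit.malware.example tracker.example sinkhole.example www.example.com; do
    printf '%-24s -> %s\n' "$q" "$(rpz_lookup "$q")"
done
```

Note how legit.malware.example is exempted even though *.malware.example blocks its siblings: the exact owner is found before the wildcard, which is the only reason a passthru under a blocked wildcard works. The apex itself (drop.example) is not covered by *.drop.example; to block both, the zone needs an explicit record for the apex as well.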
--
Setting Up BIND Resolver
BIND Resolver is a recursive DNS server, and RPZ has been part of it since BIND 9.8, so no patch, plugin, or extra library is needed. Setting one up comes down to:
- Install bind9 on your Debian/Ubuntu machine if it is not already installed (sudo apt-get install bind9) and confirm the version with named -v.
- Make sure the server actually recurses for your clients (recursion yes; and an allow-recursion ACL in /etc/bind/named.conf.options); policy is applied to answers the server obtains by recursion, not to zones it is itself authoritative for.
- Create the policy zone file, declare the zone in named.conf.local, and reference it from a response-policy statement inside options; then validate with named-checkconf and named-checkzone before reloading.
--
Using Response Policy Zone
An RPZ rule is an ordinary resource record in the policy zone: its owner name is the trigger and its data is the action, so "the rules" and "the responses" are two halves of the same record rather than separate configuration. The resolver matches triggers against the query name, the addresses in the answer, the answer's name servers, or the client's address, and on a match substitutes the action (NXDOMAIN, NODATA, passthru, drop, TCP-only, or the record's own data) for the real answer.
This post will show how to set up RPZ using BIND9 Resolver in Debian/Ubuntu operating systems.
Installing BIND 9 Resolver
BIND 9 is installed with the apt-get package manager under Debian or Ubuntu: sudo apt-get install bind9.
Enabling Response Policy Zone
There is no rpz yes; directive. The feature is switched on by adding a response-policy statement inside the options { } block (or inside a view) of your named configuration, naming one or more zones that you have also declared as ordinary zones:
response-policy { zone "rpz"; };
Every zone listed here must have a zone statement of its own; the policy zone is loaded like any other, and errors in it show up in the named log at reload time.
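The whole procedure on this page, collected into one script as an added example (not code from the original page): it writes the policy zone, declares it in named.conf.local, inserts the response-policy statement into named.conf.options, validates both files, and reloads named. It assumes a Debian-style /etc/bind with an options { line at the start of named.conf.options; the zone name rpz.local and the blocked names are illustrative choices. Run it with BIND_DIR pointing at a scratch directory first to inspect the files it would produce.

```shell
#!/bin/sh
# Added example (not from the original page): a complete, minimal BIND 9 RPZ
# setup for Debian/Ubuntu. Assumes BIND_DIR (default /etc/bind) holds a
# Debian-style named.conf.options whose options block opens with "options {".
# The zone name rpz.local and the blocked names are illustrative.
set -eu
BIND_DIR=${BIND_DIR:-/etc/bind}
RPZ_ZONE=rpz.local

write_rpz_zone() {
    # Policy records live in an ordinary master zone. Owner names are relative
    # to the zone origin; the CNAME target encodes the action, any other RRset
    # is returned as local data. Bump the serial on every change.
    cat > "$BIND_DIR/db.$RPZ_ZONE" <<'EOF'
$TTL 300
@                       IN SOA localhost. root.localhost. (
                            1       ; serial: bump on every change
                            3600 600 86400 300 )
@                       IN NS  localhost.
; --- QNAME triggers ---
malware.example         CNAME .             ; NXDOMAIN
*.malware.example       CNAME .             ; ...and every name below it
legit.malware.example   CNAME rpz-passthru. ; exact match beats the wildcard: exempt
tracker.example         CNAME *.            ; NODATA: name exists, no records
sinkhole.example        A     192.0.2.1     ; local data: walled-garden address
; --- IP trigger: answers containing 203.0.113.0/24 are dropped (prefix, octets reversed) ---
24.0.113.0.203.rpz-ip   CNAME rpz-drop.
EOF
}

write_zone_stanza() {
    # Debian's named.conf already includes named.conf.local; declare the zone
    # there, once. Clients must not be able to read the policy zone directly.
    f=$BIND_DIR/named.conf.local
    grep -q "zone \"$RPZ_ZONE\"" "$f" 2>/dev/null && return 0
    cat >> "$f" <<EOF
zone "$RPZ_ZONE" {
    type master;
    file "$BIND_DIR/db.$RPZ_ZONE";
    allow-query { none; };      // policy lookups by named itself are not subject to this ACL
    allow-transfer { none; };
};
EOF
}

enable_response_policy() {
    # response-policy is only legal inside options { } (or a view): insert it
    # right after the opening line of the options block, and only once.
    f=$BIND_DIR/named.conf.options
    [ -f "$f" ] || { echo "$f not found" >&2; return 1; }
    grep -q response-policy "$f" && return 0
    awk -v z="$RPZ_ZONE" '
        { print }
        index($0, "options {") == 1 { printf "    response-policy { zone \"%s\"; };\n", z }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

check_and_reload() {
    # Validate before touching the running resolver; a broken zone file would
    # otherwise leave named running without the policy, or not running at all.
    named-checkconf "$BIND_DIR/named.conf"
    named-checkzone "$RPZ_ZONE" "$BIND_DIR/db.$RPZ_ZONE"
    rndc reload
}

if [ ! -w "$BIND_DIR" ]; then
    echo "$BIND_DIR is not writable: run as root, or set BIND_DIR to a scratch directory to preview" >&2
elif [ "$BIND_DIR" = /etc/bind ]; then
    write_rpz_zone; write_zone_stanza; enable_response_policy; check_and_reload
    echo "RPZ $RPZ_ZONE active; try: dig @127.0.0.1 malware.example (expect NXDOMAIN)"
else
    write_rpz_zone; write_zone_stanza; enable_response_policy
    echo "preview written under $BIND_DIR (not validated or reloaded)"
fi
```

After a live run, dig @127.0.0.1 malware.example should return NXDOMAIN, dig @127.0.0.1 legit.malware.example the real answer, and dig @127.0.0.1 sinkhole.example the address 192.0.2.1; add a logging channel for the rpz category to /etc/bind/named.conf.options if you want each rewrite recorded.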
--
Conclusion
With Response Policy Zones (RPZ), you control the answers your resolver hands back: block, sinkhole, or exempt names and addresses without touching the clients. Setting up RPZ on a BIND 9 resolver is a handful of steps:
1. Install bind9 and confirm it is recursing for your clients (RPZ is built in; no plugin is needed).
2. Write the policy zone file: SOA and NS records, then one record per rule with the trigger in the owner name and the action in the data.
3. Declare the zone in named.conf.local with allow-query { none; }.
4. Reference it from response-policy { zone "rpz"; } inside the options block in named.conf.options.
5. Validate with named-checkconf and named-checkzone, then reload named.
6. Test with dig @127.0.0.1 against a blocked name (expect NXDOMAIN or your local data) and an exempted one (expect the real answer), and enable the rpz logging category so every rewrite is recorded.
7. Review the rules as your threat intelligence changes, bumping the SOA serial on every edit so that secondaries and named pick up the new version.