Discussion:
Question about BIND and RPZ
Felipe Arturo Polanco
2018-08-04 13:52:51 UTC
Hi,

I have a question regarding BIND and its RPZ functionality.

We are using a DNS provider that blocks malware by returning an NXDOMAIN
response back whenever a match is found.

The way they differentiate between real non-existent websites and malware
sites is by turning off the 'recursion available' bit in the NXDOMAIN
response; non-existent sites do have this bit turned on.

Is there a way to match this flag in an RPZ policy to redirect the malware
sites' responses to a walled-garden website while not matching real
non-existent websites?

Thanks,
Vadim Pavlov via bind-users
2018-08-04 16:27:29 UTC
Hi Felipe,

You do need to do that. You may configure a redirect action at the zone level. Just add "policy cname domain":

[ response-policy {
zone zone_name
[ policy ( given | disabled | passthru | drop |
tcp-only | nxdomain | nodata | cname domain ) ]
[ recursive-only yes_or_no ]
[ max-policy-ttl number ] ;
...
}

E.g.
response-policy { zone "badlist" policy cname "www.wgarden.com"; };

BR,
Vadim
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users
Felipe Arturo Polanco
2018-08-04 16:42:29 UTC
Hi Vadim,

Thanks for the response,

How will that zone policy differentiate between responses with the
'recursion available' bit set and unset?

I do not have the list of malware sites, the DNS provider does not share
it.

Also I'm no expert with BIND so pardon any outside question.
Vadim Pavlov via bind-users
2018-08-04 17:19:36 UTC
Sorry for the confusion. I thought that you had access to the RPZ feeds. You cannot trigger an RPZ rule by the recursion bit.
You should contact your DNS provider and ask them to provide you, instead of NXDOMAIN, a different response which can be used to trigger RPZ on your BIND (e.g. an unused IP), or even better to just send you a redirect to the WG page.

Vadim
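The following is an added configuration example, not part of the thread and not ISC's own documentation, that puts Vadim's two suggestions together in one BIND setup: a zone-level "policy cname" override that rewrites every hit to the walled-garden host, and a response-IP (rpz-ip) trigger that fires when the upstream provider answers with an agreed sentinel address instead of NXDOMAIN. The zone name rpz.local, the walled-garden host walledgarden.example, the forwarder 192.0.2.53, the sentinel address 192.0.2.1 and the file paths are all assumptions chosen for the example; the provider in the thread does not currently return such an address, so the sentinel would first have to be agreed with them.

```conf
// /etc/named.conf (assumed path) -- resolver that forwards to the provider
// and applies a local RPZ to the answers it receives.
options {
    directory "/var/named";          // assumed
    recursion yes;
    forwarders { 192.0.2.53; };      // assumed provider resolver (documentation range)
    forward only;
};

response-policy {
    // "policy cname" at the zone level overrides the action stored in
    // every record of the RPZ zone, so all triggers below land on the
    // walled garden regardless of what the zone file says.
    zone "rpz.local" policy cname "walledgarden.example";
    // recursive-only defaults to yes: only recursive client queries are rewritten.
};

zone "rpz.local" {
    type master;
    file "rpz.local.db";             // assumed file name, relative to "directory"
};

// ---- /var/named/rpz.local.db (assumed path) ---------------------------
$TTL 300
@                   IN SOA   localhost. root.localhost. ( 1 3600 900 2592000 300 )
                    IN NS    localhost.

; QNAME triggers: only usable once you have a list of names (a feed).
bad.example         IN CNAME walledgarden.example.
*.bad.example       IN CNAME walledgarden.example.

; Response-IP trigger: prefix length, then the address with its octets
; reversed, under rpz-ip. This matches any answer whose A record is
; 192.0.2.1/32, i.e. the assumed sentinel the provider would return in
; place of NXDOMAIN for blocked names. An NXDOMAIN carries no address,
; so it can never match an rpz-ip trigger; that is why the provider must
; return an address (or a redirect) for this to work.
32.1.2.0.192.rpz-ip IN CNAME walledgarden.example.
```

Two checks before relying on this: confirm with `dig @127.0.0.1 <blocked-name>` that the answer is now the walled-garden CNAME rather than the sentinel address, and confirm that a genuinely non-existent name still returns NXDOMAIN, since nothing in this configuration (or in RPZ at all, as Vadim notes) can look at the 'recursion available' bit to tell the two apart.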
Blason R
2018-08-05 04:21:34 UTC
Well, I was working on the same thing, but you really need to have good RPZ feeds.
I subscribed to third-party feeds and have worked on my RPZ, but later you
need to have a good reporting engine. Hence it is better to have a dedicated RPZ
server instead, and that's what I would suggest.

This is not marketing talk, but I know a vendor that I am working with who is
offering a good product instead.

Best Regards,
Lionel F
