[TUTORIAL] BIND9 DNS RPZ setup

hata_ph · Dec 6, 2019

Currently using DNSBL, reject unknown reverse client and sender and spam filter to detect spam mails and work out not bad.
I have read about RPZ aka DNS firewall and want to try it out using ubuntu and BIND9 as a forwarding DNS server for PMG.

https://www.digitalocean.com/commun...hing-or-forwarding-dns-server-on-ubuntu-16-04

1. First to install bind9

Code:

sudo apt-get install bind9

2. Due to ubuntu 18.04 use systemd-resolved by default, symlink /etc/resolv.conf with systemd-resolved.

Code:

sudo rm /etc/resolv.conf
sudo ln -s /run/systemd/resolve/resolv.conf

3. Setup bind9 as a forwarding DNS server only. Edit /etc/bind/named.conf.options.

Code:

acl allow-networks {
        #192.168.40.0/24;
        192.168.40.106;
        localhost;
        #localnets;
};

options {
        directory "/var/cache/bind";

        recursion yes;
        allow-query { allow-networks; };

        forwarders {
                192.168.41.180;
                192.168.41.181;
        };
        forward only;

        dnssec-enable yes;
        dnssec-validation yes;

        #dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
};

4. Configure your client to use this as your DNS server. Try nslookup and dig to test the name resolution.
5. I am using abuse.ch for the RPZ file. Just follow the guide https://abuse.ch/blog/using-urlhaus-as-response-policy-zone-rpz/ to configure the RPZ.
6. Point your PMG to use this as your DNS server.

Any domain listed by abuse.ch's RPZ will return NXDOMAIN by your DNS server.

Now what is missing is a weblog UI to view how many NXDOMAIN return by the RPZ. Anyone know any lightweight weblog that work with DNS log?

heutger · Dec 7, 2019

hata_ph said:
Currently using DNSBL, reject unknown reverse client and sender and spam filter to detect spam mails and work out not bad.
I have read about RPZ aka DNS firewall and want to try it out using ubuntu and BIND9 as a forwarding DNS server for PMG.

https://www.digitalocean.com/commun...hing-or-forwarding-dns-server-on-ubuntu-16-04

1. First to install bind9

Code:

sudo apt-get install bind9

2. Due to ubuntu 18.04 use systemd-resolved by default, symlink /etc/resolv.conf with systemd-resolved.

Code:

sudo rm /etc/resolv.conf sudo ln -s /run/systemd/resolve/resolv.conf

3. Setup bind9 as a forwarding DNS server only. Edit /etc/bind/named.conf.options.

Code:

acl allow-networks { #192.168.40.0/24; 192.168.40.106; localhost; #localnets; }; options { directory "/var/cache/bind"; recursion yes; allow-query { allow-networks; }; forwarders { 192.168.41.180; 192.168.41.181; }; forward only; dnssec-enable yes; dnssec-validation yes; #dnssec-validation auto; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { none; }; };

4. Configure your client to use this as your DNS server. Try nslookup and dig to test the name resolution.
5. I am using abuse.ch for the RPZ file. Just follow the guide https://abuse.ch/blog/using-urlhaus-as-response-policy-zone-rpz/ to configure the RPZ.
6. Point your PMG to use this as your DNS server.

Any domain listed by abuse.ch's RPZ will return NXDOMAIN by your DNS server.

Now what is missing is a weblog UI to view how many NXDOMAIN return by the RPZ. Anyone know any lightweight weblog that work with DNS log?

How is your success rate? I'm unsure, if most of the spammers are really using infected systems as in the RPZ file. I'm afraid, that solution isn't for anti spam but for users protection in a surfing environment (e.g. at office).

hata_ph · Dec 8, 2019

heutger said:
How is your success rate? I'm unsure, if most of the spammers are really using infected systems as in the RPZ file. I'm afraid, that solution isn't for anti spam but for users protection in a surfing environment (e.g. at office).

The RPZ work as best as the rpz files that you are using, in this case I am using abuse.ch's RPZ. You may subscibe to paid RPZ service that could have better detect rate.
If your current DNSBL and anti-spam work fine I dun think you need to use RPZ. But then there is no harm to have double protection either.
Further more, DNS firewalling help to reduce your mail server or gateway's load too.

heutger · Dec 18, 2019

hata_ph said:
The RPZ work as best as the rpz files that you are using, in this case I am using abuse.ch's RPZ. You may subscibe to paid RPZ service that could have better detect rate.
If your current DNSBL and anti-spam work fine I dun think you need to use RPZ. But then there is no harm to have double protection either.
Further more, DNS firewalling help to reduce your mail server or gateway's load too.

Thanks for your feedback. Does this also work with unbound?

hata_ph · Dec 18, 2019

heutger said:
Thanks for your feedback. Does this also work with unbound?

Dun think unbound work out of the box with RPZ format. You might want to check out fastrpz paid add-on or 3rd party custom blacklist zone file.

https://octolinker-demo.now.sh/oznu/dns-zone-blacklist
https://xn--ew8hgl.ws/osint-and-unbound.html

guletz · Dec 18, 2019

hata_ph said:
. I am using abuse.ch for the RPZ file. Just follow the guide https://abuse.ch/blog/using-urlhaus-as-response-policy-zone-rpz/ to configure the RPZ.

I am using rpz file from abuse.ch for at least 2 years if I remember. In my case I do not seen many improvements on the mail server. But maybe for others it can be useful.

Good luck!

hata_ph · Dec 19, 2019

At least it an alternative way to protect or enhance your internet security.

Search

Search

[TUTORIAL] BIND9 DNS RPZ setup

hata_ph

Well-Known Member

heutger

Famous Member

hata_ph

Well-Known Member

heutger

Famous Member

hata_ph

Well-Known Member

guletz

Famous Member

hata_ph

Well-Known Member