[TUTORIAL] BIND9 DNS RPZ setup

hata_ph

Well-Known Member
Nov 13, 2019
808
162
48
42
Currently using DNSBL, reject unknown reverse client and sender and spam filter to detect spam mails and work out not bad.
I have read about RPZ aka DNS firewall and want to try it out using ubuntu and BIND9 as a forwarding DNS server for PMG.

https://www.digitalocean.com/commun...hing-or-forwarding-dns-server-on-ubuntu-16-04

1. First to install bind9
Code:
sudo apt-get install bind9

2. Due to ubuntu 18.04 use systemd-resolved by default, symlink /etc/resolv.conf with systemd-resolved.
Code:
sudo rm /etc/resolv.conf
sudo ln -s /run/systemd/resolve/resolv.conf

3. Setup bind9 as a forwarding DNS server only. Edit /etc/bind/named.conf.options.
Code:
acl allow-networks {
        #192.168.40.0/24;
        192.168.40.106;
        localhost;
        #localnets;
};

options {
        directory "/var/cache/bind";

        recursion yes;
        allow-query { allow-networks; };

        forwarders {
                192.168.41.180;
                192.168.41.181;
        };
        forward only;

        dnssec-enable yes;
        dnssec-validation yes;

        #dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
};

4. Configure your client to use this as your DNS server. Try nslookup and dig to test the name resolution.
5. I am using abuse.ch for the RPZ file. Just follow the guide https://abuse.ch/blog/using-urlhaus-as-response-policy-zone-rpz/ to configure the RPZ.
6. Point your PMG to use this as your DNS server.

Any domain listed by abuse.ch's RPZ will return NXDOMAIN by your DNS server.

Now what is missing is a weblog UI to view how many NXDOMAIN return by the RPZ. Anyone know any lightweight weblog that work with DNS log?
 

heutger

Well-Known Member
Apr 25, 2018
845
238
48
Fulda, Hessen, Germany
www.heutger.net
Currently using DNSBL, reject unknown reverse client and sender and spam filter to detect spam mails and work out not bad.
I have read about RPZ aka DNS firewall and want to try it out using ubuntu and BIND9 as a forwarding DNS server for PMG.

https://www.digitalocean.com/commun...hing-or-forwarding-dns-server-on-ubuntu-16-04

1. First to install bind9
Code:
sudo apt-get install bind9

2. Due to ubuntu 18.04 use systemd-resolved by default, symlink /etc/resolv.conf with systemd-resolved.
Code:
sudo rm /etc/resolv.conf
sudo ln -s /run/systemd/resolve/resolv.conf

3. Setup bind9 as a forwarding DNS server only. Edit /etc/bind/named.conf.options.
Code:
acl allow-networks {
        #192.168.40.0/24;
        192.168.40.106;
        localhost;
        #localnets;
};

options {
        directory "/var/cache/bind";

        recursion yes;
        allow-query { allow-networks; };

        forwarders {
                192.168.41.180;
                192.168.41.181;
        };
        forward only;

        dnssec-enable yes;
        dnssec-validation yes;

        #dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
};

4. Configure your client to use this as your DNS server. Try nslookup and dig to test the name resolution.
5. I am using abuse.ch for the RPZ file. Just follow the guide https://abuse.ch/blog/using-urlhaus-as-response-policy-zone-rpz/ to configure the RPZ.
6. Point your PMG to use this as your DNS server.

Any domain listed by abuse.ch's RPZ will return NXDOMAIN by your DNS server.

Now what is missing is a weblog UI to view how many NXDOMAIN return by the RPZ. Anyone know any lightweight weblog that work with DNS log?

How is your success rate? I'm unsure, if most of the spammers are really using infected systems as in the RPZ file. I'm afraid, that solution isn't for anti spam but for users protection in a surfing environment (e.g. at office).
 

hata_ph

Well-Known Member
Nov 13, 2019
808
162
48
42
How is your success rate? I'm unsure, if most of the spammers are really using infected systems as in the RPZ file. I'm afraid, that solution isn't for anti spam but for users protection in a surfing environment (e.g. at office).

The RPZ work as best as the rpz files that you are using, in this case I am using abuse.ch's RPZ. You may subscibe to paid RPZ service that could have better detect rate.
If your current DNSBL and anti-spam work fine I dun think you need to use RPZ. But then there is no harm to have double protection either.
Further more, DNS firewalling help to reduce your mail server or gateway's load too.
 

heutger

Well-Known Member
Apr 25, 2018
845
238
48
Fulda, Hessen, Germany
www.heutger.net
The RPZ work as best as the rpz files that you are using, in this case I am using abuse.ch's RPZ. You may subscibe to paid RPZ service that could have better detect rate.
If your current DNSBL and anti-spam work fine I dun think you need to use RPZ. But then there is no harm to have double protection either.
Further more, DNS firewalling help to reduce your mail server or gateway's load too.

Thanks for your feedback. Does this also work with unbound?
 

hata_ph

Well-Known Member
Nov 13, 2019
808
162
48
42
At least it an alternative way to protect or enhance your internet security.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!