rpz secret society woes in bind on debian

Sisyphus is still a role model

So I wanted a DNS firewall (my blog). I did not want to pay for or use a blocklist nameserver, so it was time to do it yourself. Our DNS nameserver got upgraded eventually and I had a go.

RPZs supposedly make this easy, with all bad sites in one file as opposed to one file per site.tld [one zone per site in rbldns, and slow], although RPZ usage is hard to track down. My first attempt was met with

ignoring out-of-zone data (citricbenz.website)

Apparently it should be written as

citricbenz.website IN CNAME .

Citricbenz was a Zeus trojan server* when I wrote this, and still might be, and is the only entry in my zone (the owner name is relative to the policy zone, so no trailing dot, and CNAME . tells BIND to answer NXDOMAIN).

However, it does not work until you assign a policy, and policies have bizarre syntax. Something kind of does and does not work:

changed from 2 to 1 qname, 0 to 0 nsdname, 0 to 0 IP, 0 to 0 NSIP, 0 to 0 CLIENTIP entries

So something is working.

The next day was interesting, as I used the Chrome browser, which passed along my attempts to access the named example. I had to assure CBL that I was not Zeus infected, as I use CBL on the zoo's website (my blog). Moral of the tale: do not use Google software to try out security stuff.

Having fixed that issue on our internal router I had a bit more luck and got a working RPZ zone by blocking yahoo.com, as that is safer to test with. My attempts to display a redirected website message ended in failure, although NXDOMAIN works.

I still seem to be resolving the real IP rather than looking up the zone I created, which means I am close, and I achieved interception of the request with

response-policy {
    zone "internal.zoo" policy passthru;
    zone "rpz.zoo" policy cname compromised.zoo;
};

The cname compromised.zoo policy redirects the bad site request** to compromised.zoo, .zoo being our domain name/TLD and compromised being the zone name. It tells a user that something is wrong.

Logging is important here.

Order matters here [precedence]: the passthru zone comes first, then the more restrictive one. Note the lack of semicolons and quoted statements inside each zone line, which feels a bit odd when option { x; y; z }; is the normal syntax BIND knows and parses and most of us expect.

Your web browser is faster than our DNS RPZ and has the same data,

so a race condition can develop. If you have infected things, the RPZ will do more than just the blocklist your browser uses, although the log will detect the RPZ hit:

client internal.zoo.lan#16983 (windrushvalleyjoinery.co.uk): rpz QNAME DROP rewrite windrushvalleyjoinery.co.uk via windrushvalleyjoinery.co.uk.malware.zoo
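As an added example (not from the post), here is a small Python parser for rpz log lines like the one above. It gives the per-zone, per-action and per-client breakdown that the bare rewrite count in the stats does not. The sample log is constructed: the first line is the one quoted in the post, the others are made up in the same format.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Matches the rewrite lines BIND writes to its "rpz" logging category, like the
# windrushvalleyjoinery.co.uk line above. Newer BIND versions insert a client
# handle ("@0x...") after "client"; it is treated as optional here.
RPZ_LINE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[^#\s]+)#(?P<port>\d+) "
    r"\((?P<query>[^)]*)\): rpz (?P<trigger>\S+) (?P<action>\S+) "
    r"rewrite (?P<name>\S+) via (?P<rule>\S+)"
)

@dataclass(frozen=True)
class RpzHit:
    client: str
    query: str
    trigger: str  # QNAME, IP, NSDNAME, NSIP or CLIENT-IP
    action: str   # NXDOMAIN, NODATA, DROP, PASSTHRU, CNAME, ...
    rule: str     # owner name that matched, e.g. yahoo.com.rpz.zoo

    def zone(self) -> str:
        """Policy zone the rule came from: strip the query name off the rule."""
        if self.rule.startswith(self.query + "."):
            return self.rule[len(self.query) + 1:]
        return self.rule  # IP/NSIP style rules: keep the whole owner name

def parse_rpz_log(text: str) -> list[RpzHit]:
    """Pull RPZ rewrite events out of a named log; other lines are ignored."""
    matches = (RPZ_LINE.search(line) for line in text.splitlines())
    return [RpzHit(*m.group("client", "query", "trigger", "action", "rule"))
            for m in matches if m]

def summarize(hits: list[RpzHit]) -> dict[str, Counter]:
    """Counts per zone, action and client, which the bare rewrite count lacks."""
    return {
        "by_zone": Counter(h.zone() for h in hits),
        "by_action": Counter(h.action for h in hits),
        "by_client": Counter(h.client for h in hits),
    }

# Constructed sample log: line 1 is the one quoted in the post, the rest are
# made up in the same format (192.0.2.0/24 is documentation address space).
SAMPLE_LOG = """\
client internal.zoo.lan#16983 (windrushvalleyjoinery.co.uk): rpz QNAME DROP rewrite windrushvalleyjoinery.co.uk via windrushvalleyjoinery.co.uk.malware.zoo
client 192.0.2.17#53001 (yahoo.com): rpz QNAME NXDOMAIN rewrite yahoo.com via yahoo.com.rpz.zoo
client @0x7f3c0c0a5e10 192.0.2.17#53002 (citricbenz.website): rpz QNAME CNAME rewrite citricbenz.website via citricbenz.website.rpz.zoo
client 192.0.2.17#53003 (example.org): query: example.org IN A + (192.0.2.53)
"""
```

Feed it the output of `journalctl -u named` or the rpz log file and run summarize(parse_rpz_log(text)) to see which zone, action and client account for the hits.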

This stuff is quite hard to figure out.

As to whose fault this is: after all, the zoo clearly should be paying some security firm for this, according to the three and a half DNS professionals on the internet who guard this knowledge like a secret, or it is out of date.

Stats are interesting; BIND reported

[malware.zoo]
                   7 response policy zone rewrites

So not informative, and that seems a good place to end.

I might do a further post on how I make zones but, being honest, the zoo appears to be immune from visiting dodgy sites, as the browser stops it first, and so while the zones exist they do not trigger for lack of a match.
