Hi All, I am building DNS RPZ and I am a complete novice. I will be having around 10-20k zones which my DNS will be walled-gardening.
Just wondering how this can be done with DNS RPZ, since the zones have to be included in named.conf? Plus I am practising DNS RPZ on my test server and it is failing. Can someone please guide? Am I making any mistake here?

options {
        listen-on port 53 { 127.0.0.1; any; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; 192.168.5.0/24; };
        response-policy { zone "google.com"; };
};

zone "google.com" IN {
        type master;
        file "rpz.file.db";
};

*****************************************

[r...@dnzrpz.isn.in /var/named]# more rpz.file.db
$TTL 1D
@       IN SOA  ns1.google.com. root.google.com. (
                        2       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
@               IN NS    ns1.google.com.
@               IN A     3.3.3.3
google.com      IN CNAME @
www.google.com  IN CNAME @

********************************

[r...@dnzrpz.isn.in /var/named]# systemctl status named.service -l
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2018-04-17 08:50:55 IST; 31s ago
  Process: 937 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=1/FAILURE)

*Apr 17 08:50:55 dnzrpz.isn.in bash[937]: _default/google.com/IN: bad zone*
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: zone localhost.localdomain/IN: loaded serial 0
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: zone localhost/IN: loaded serial 0
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Apr 17 08:50:55 dnzrpz.isn.in bash[937]: zone 0.in-addr.arpa/IN: loaded serial 0
Apr 17 08:50:55 dnzrpz.isn.in systemd[1]: named.service: control process exited, code=exited status=1
Apr 17 08:50:55 dnzrpz.isn.in systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
Apr 17 08:50:55 dnzrpz.isn.in systemd[1]: Unit named.service entered failed state.
Apr 17 08:50:55 dnzrpz.isn.in systemd[1]: named.service failed.
[r...@dnzrpz.isn.in /var/named]#
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
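The following is an added example from the editor, not code from the post above or from ISC: a small Python generator that writes a walled-garden RPZ zone file of the kind BIND's response-policy option loads. In BIND RPZ the domains to be intercepted are owner names of records inside one policy zone (relative to that zone's origin), so a list of 10-20k domains becomes lines in a single zone file rather than separate zone stanzas in named.conf; a record pair like `google.com A 3.3.3.3` and `*.google.com A 3.3.3.3` answers queries for the domain and all of its subdomains with the garden address. The policy zone name `rpz.local` is a placeholder chosen here, the garden address 3.3.3.3 is the one from the post, and the sample domain list is constructed for the demonstration.

```python
import re
import sys
import time

# Assumptions (not from the original post): the policy zone is called
# "rpz.local" and the walled-garden address is 3.3.3.3 (the one in the post).
RPZ_ORIGIN = "rpz.local"
GARDEN_IP = "3.3.3.3"

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise_domain(name):
    """Lowercase a domain, drop a trailing dot and validate each label.

    Returns the cleaned name, or None if it is not a usable hostname.
    """
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    if not all(_LABEL.match(label) for label in name.split(".")):
        return None
    return name


def rpz_triggers(domains, garden_ip=GARDEN_IP):
    """Turn a domain list into RPZ records: apex and wildcard, both answered with the garden IP.

    Owner names are relative to the policy zone origin, which is how an RPZ
    zone names the query it should match. Duplicates are collapsed and
    invalid names are collected so the caller can report them instead of
    shipping a zone file that fails to load.
    """
    seen, rejected, records = set(), [], []
    for raw in domains:
        dom = normalise_domain(raw)
        if dom is None:
            rejected.append(raw.strip())
            continue
        if dom in seen:
            continue
        seen.add(dom)
        records.append((dom, "A", garden_ip))          # exact match on the domain
        records.append(("*." + dom, "A", garden_ip))   # any subdomain of it
    return records, rejected


def build_rpz_zone(domains, origin=RPZ_ORIGIN, garden_ip=GARDEN_IP, serial=None):
    """Return (zone_text, record_count, rejected_names) for a complete RPZ zone file."""
    if serial is None:
        serial = int(time.strftime("%Y%m%d01"))   # date-based serial, e.g. 2018041701
    records, rejected = rpz_triggers(domains, garden_ip)
    lines = [
        "$TTL 300",
        f"$ORIGIN {origin}.",
        # SOA and NS point at localhost., as in the ISC RPZ examples: the policy
        # zone is never delegated, so it needs no real in-zone nameserver.
        f"@ IN SOA localhost. root.{origin}. ( {serial} 3600 900 604800 300 )",
        "@ IN NS localhost.",
        "",
    ]
    lines.extend(f"{owner} IN {rtype} {rdata}" for owner, rtype, rdata in records)
    return "\n".join(lines) + "\n", len(records), rejected


if __name__ == "__main__":
    # Constructed sample input; in practice read one domain per line from a file.
    sample = ["google.com", "WWW.Google.com.", "example.net", "bad_label.test", "google.com"]
    text, count, bad = build_rpz_zone(sample, serial=2018041701)
    sys.stdout.write(text)
    sys.stderr.write(f"{count} records written, rejected: {bad}\n")
```

Write the returned text to a file under /var/named, reference it from named.conf with `zone "rpz.local" { type master; file "rpz.local.db"; };` and `response-policy { zone "rpz.local"; };`, and run `named-checkzone rpz.local /var/named/rpz.local.db` before reloading; the generator returns the rejected entries so a malformed line in a large list is reported rather than silently turning the whole zone into a "bad zone" at start-up.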