Re: scripts-to-block-domains
On 7/14/20 12:08 AM, MEjaz wrote: Thanks for every one’s contribution. I use RPZ and listed 5000 forged domain to block it in a particular zone without having addiotnal zones, I hope that’s the feature of RPZ, Seems good. You might want to look through those domains and see if there are any name servers that stick out significantly more than others. Presuming that there are some believed to be bad name servers, you can also use RPZ to filter traffic to said name servers carte blanch, even if the names aren't listed in the RPZ, yet. ;-) -- Grant. . . . unix || die smime.p7s Description: S/MIME Cryptographic Signature ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: scripts-to-block-domains
Ok, I will take care next time will -Original Message- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of @lbutlr Sent: Tuesday, July 14, 2020 10:28 AM To: bind-users Subject: Re: scripts-to-block-domains On 14 Jul 2020, at 00:31, MEjaz wrote: > Please do not post images. Copy and paste the text. (Over 100 lines of quoted lines with no content deleted) -- I WILL NOT BARF UNLESS I'M SICK Bart chalkboard Ep. 8F15 ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: scripts-to-block-domains
On 14 Jul 2020, at 00:31, MEjaz wrote: > Please do not post images. Copy and paste the text. (Over 100 lines of quoted lines with no content deleted) -- I WILL NOT BARF UNLESS I'M SICK Bart chalkboard Ep. 8F15 ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: scripts-to-block-domains
Thanks for your quick response, I did that here is the statement in option section. -Original Message- From: Daniel Stirnimann [mailto:daniel.stirnim...@switch.ch] Sent: Tuesday, July 14, 2020 9:25 AM To: MEjaz ; bind-users@lists.isc.org Subject: Re: scripts-to-block-domains Hello Mohammed, I don't see that you specified a "response-policy" [1] statement. You need something like this as well: response-policy { zone "rpz.local" policy given; } // Apply RPZ policy to DNSSEC signed zones break-dnssec yes ; [1] <https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/html/reference.html#response -policy-zone-rpz-rewriting> https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/html/reference.html#response- policy-zone-rpz-rewriting Daniel On 14.07.20 08:08, MEjaz wrote: > Hello all, > > > > Thanks for every one's contribution. I use RPZ and listed 5000 > forged domain to block it in a particular zone without having > addiotnal zones, I hope that's the feature of RPZ, Seems good. > > > > Below is snippet for your review for the zone and file db.rpz.local > which was copied from the default named.empty. > > > > zone "rpz.local" { > > type master; > > file "db.rpz.local"; > > allow-query { localhost; }; > > }; > > > > > > > > > > > > Once this configuration done I am expecting that whoever quarried to > our name server for a zone which Is listed in my dns server should not > allow users to fetch any records as recursive from outside servers, it > should server from the internal servers only? > > > > When I test my configuration with one of the hosted domain in my list > i.e doubleclick.net, I got all the results rather than throwing an > error. please correct if I am wrong.. > > > > > > > > > > > > Here are the logs. > > > > [root@ns20 ~]# tailf /var/log/named/rpz.log > > 14-Jul-2020 06:49:53.582 rpz: info: client 212.71.32.20#38120: rpz > QNAME NXDOMAIN rewrite test.doubleclick.net via > test.doubleclick.net.rpz.local > > 14-Jul-2020 06:49:55.370 rpz: info: client 213.210.231.227#26654: rpz > QNAME NXDOMAIN rewrite securepubads.g.doubleclick.net via > securepubads.g.doubleclick.net.rpz.local > > 14-Jul-2020 06:50:04.445 rpz: info: client 212.71.32.20#48178: rpz > QNAME NXDOMAIN rewrite mail.doubleclick.net via > mail.doubleclick.net.rpz.local > > 14-Jul-2020 06:50:09.079 rpz: info: client 213.210.231.227#16492: rpz > QNAME NXDOMAIN rewrite stats.g.doubleclick.net via > stats.g.doubleclick.net.rpz.local > > c14-Jul-2020 06:52:07.353 rpz: info: client 213.210.253.163#58635: rpz > QNAME NXDOMAIN rewrite stats.l.doubleclick.net via > stats.l.doubleclick.net.rpz.local > > 14-Jul-2020 06:52:25.272 rpz: info: client 213.210.253.163#57975: rpz > QNAME NXDOMAIN rewrite pagead.l.doubleclick.net via > pagead.l.doubleclick.net.rpz.local > > 14-Jul-2020 06:55:03.973 rpz: info: client 213.181.164.207#31366: rpz > QNAME NXDOMAIN rewrite googleads.g.doubleclick.net via > googleads.g.doubleclick.net.rpz.local ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: scripts-to-block-domains
Hello Mohammed, I don't see that you specified a "response-policy" [1] statement. You need something like this as well: response-policy { zone "rpz.local" policy given; } // Apply RPZ policy to DNSSEC signed zones break-dnssec yes ; [1] https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/html/reference.html#response-policy-zone-rpz-rewriting Daniel On 14.07.20 08:08, MEjaz wrote: > Hello all, > > > > Thanks for every one’s contribution. I use RPZ and listed 5000 forged > domain to block it in a particular zone without having addiotnal > zones, I hope that’s the feature of RPZ, Seems good. > > > > Below is snippet for your review for the zone and file db.rpz.local > which was copied from the default named.empty. > > > > zone "rpz.local" { > > type master; > > file "db.rpz.local"; > > allow-query { localhost; }; > > }; > > > > > > > > > > > > Once this configuration done I am expecting that whoever quarried to our > name server for a zone which Is listed in my dns server should not allow > users to fetch any records as recursive from outside servers, it should > server from the internal servers only? > > > > When I test my configuration with one of the hosted domain in my list > i.e doubleclick.net, I got all the results rather than throwing an > error. please correct if I am wrong.. > > > > > > > > > > > > Here are the logs. > > > > [root@ns20 ~]# tailf /var/log/named/rpz.log > > 14-Jul-2020 06:49:53.582 rpz: info: client 212.71.32.20#38120: rpz QNAME > NXDOMAIN rewrite test.doubleclick.net via test.doubleclick.net.rpz.local > > 14-Jul-2020 06:49:55.370 rpz: info: client 213.210.231.227#26654: rpz > QNAME NXDOMAIN rewrite securepubads.g.doubleclick.net via > securepubads.g.doubleclick.net.rpz.local > > 14-Jul-2020 06:50:04.445 rpz: info: client 212.71.32.20#48178: rpz QNAME > NXDOMAIN rewrite mail.doubleclick.net via mail.doubleclick.net.rpz.local > > 14-Jul-2020 06:50:09.079 rpz: info: client 213.210.231.227#16492: rpz > QNAME NXDOMAIN rewrite stats.g.doubleclick.net via > stats.g.doubleclick.net.rpz.local > > c14-Jul-2020 06:52:07.353 rpz: info: client 213.210.253.163#58635: rpz > QNAME NXDOMAIN rewrite stats.l.doubleclick.net via > stats.l.doubleclick.net.rpz.local > > 14-Jul-2020 06:52:25.272 rpz: info: client 213.210.253.163#57975: rpz > QNAME NXDOMAIN rewrite pagead.l.doubleclick.net via > pagead.l.doubleclick.net.rpz.local > > 14-Jul-2020 06:55:03.973 rpz: info: client 213.181.164.207#31366: rpz > QNAME NXDOMAIN rewrite googleads.g.doubleclick.net via > googleads.g.doubleclick.net.rpz.local ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: scripts-to-block-domains
Hello all, Thanks for every one's contribution. I use RPZ and listed 5000 forged domain to block it in a particular zone without having addiotnal zones, I hope that's the feature of RPZ, Seems good. Below is snippet for your review for the zone and file db.rpz.local which was copied from the default named.empty. zone "rpz.local" { type master; file "db.rpz.local"; allow-query { localhost; }; }; Once this configuration done I am expecting that whoever quarried to our name server for a zone which Is listed in my dns server should not allow users to fetch any records as recursive from outside servers, it should server from the internal servers only? When I test my configuration with one of the hosted domain in my list i.e doubleclick.net, I got all the results rather than throwing an error. please correct if I am wrong.. Here are the logs. [root@ns20 ~]# tailf /var/log/named/rpz.log 14-Jul-2020 06:49:53.582 rpz: info: client 212.71.32.20#38120: rpz QNAME NXDOMAIN rewrite test.doubleclick.net via test.doubleclick.net.rpz.local 14-Jul-2020 06:49:55.370 rpz: info: client 213.210.231.227#26654: rpz QNAME NXDOMAIN rewrite securepubads.g.doubleclick.net via securepubads.g.doubleclick.net.rpz.local 14-Jul-2020 06:50:04.445 rpz: info: client 212.71.32.20#48178: rpz QNAME NXDOMAIN rewrite mail.doubleclick.net via mail.doubleclick.net.rpz.local 14-Jul-2020 06:50:09.079 rpz: info: client 213.210.231.227#16492: rpz QNAME NXDOMAIN rewrite stats.g.doubleclick.net via stats.g.doubleclick.net.rpz.local c14-Jul-2020 06:52:07.353 rpz: info: client 213.210.253.163#58635: rpz QNAME NXDOMAIN rewrite stats.l.doubleclick.net via stats.l.doubleclick.net.rpz.local 14-Jul-2020 06:52:25.272 rpz: info: client 213.210.253.163#57975: rpz QNAME NXDOMAIN rewrite pagead.l.doubleclick.net via pagead.l.doubleclick.net.rpz.local 14-Jul-2020 06:55:03.973 rpz: info: client 213.181.164.207#31366: rpz QNAME NXDOMAIN rewrite googleads.g.doubleclick.net via googleads.g.doubleclick.net.rpz.local -Original Message- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Grant Taylor via bind-users Sent: Monday, July 13, 2020 10:45 PM To: bind-users@lists.isc.org Subject: Re: scripts-to-block-domains On 7/13/20 12:44 AM, MEjaz wrote: > Hell all, Hi, > I have an requirement from our national Cyber security to block > several thousand forged domains from our recursive servers, Is there > any way we can add clause in named.conf to scan such bogus domain list > without impacting the performance of the servers. $RPZ++ If you can't use RPZ, then you /can/ create skeleton zones to make your server authoritative for the zones in question. However, there are drawbacks to this regarding performance based on the number and size of all the additional zones. I would strongly recommend RPZ, or the new Response Policy Service, which there are a few commercial implementations of. RPS is for DNS what milters are for mail servers. RPZ is a ""static list. RPS is an active / dynamic service. Note: Response Policy Zones can be updated via normal dynamic DNS methods. -- Grant. . . . unix || die ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: scripts-to-block-domains
On 7/13/20 12:44 AM, MEjaz wrote: Hell all, Hi, I have an requirement from our national Cyber security to block several thousand forged domains from our recursive servers, Is there any way we can add clause in named.conf to scan such bogus domain list without impacting the performance of the servers. $RPZ++ If you can't use RPZ, then you /can/ create skeleton zones to make your server authoritative for the zones in question. However, there are drawbacks to this regarding performance based on the number and size of all the additional zones. I would strongly recommend RPZ, or the new Response Policy Service, which there are a few commercial implementations of. RPS is for DNS what milters are for mail servers. RPZ is a ""static list. RPS is an active / dynamic service. Note: Response Policy Zones can be updated via normal dynamic DNS methods. -- Grant. . . . unix || die smime.p7s Description: S/MIME Cryptographic Signature ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: scripts-to-block-domains
Hello Mohammed, You can use RPZ (Response Policy Zone). The following link should give you a good introduction on how to set this up: Building DNS Firewalls with Response Policy Zones (RPZ) https://kb.isc.org/docs/aa-00525 Daniel On 13.07.20 08:44, MEjaz wrote: > Hell all, > > > > > > I have an requirement from our national Cyber security to block several > thousand forged domains from our recursive servers, Is there any way we > can add clause in named.conf to scan such bogus domain list without > impacting the performance of the servers. > > > > Thanks in advance.. for the usual contribution. > > > > > > Thanks, > > Mohammed Ejaz > > Asst. Operation Director of Systems. > > Cyberia SAUDI ARABIA > > P.O.Box: 301079, Riyadh 11372 > > Phone: (+966) 11 464 7114 Ext. 140 > > Mobile: (+966) 562311787 > > Fax: (+966) 11 465 4735 > > Website: http://www.cyberia.net.sa ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
scripts-to-block-domains
Hell all, I have an requirement from our national Cyber security to block several thousand forged domains from our recursive servers, Is there any way we can add clause in named.conf to scan such bogus domain list without impacting the performance of the servers. Thanks in advance.. for the usual contribution. Thanks, Mohammed Ejaz Asst. Operation Director of Systems. Cyberia SAUDI ARABIA P.O.Box: 301079, Riyadh 11372 Phone: (+966) 11 464 7114 Ext. 140 Mobile: (+966) 562311787 Fax: (+966) 11 465 4735 Website: http://www.cyberia.net.sa ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users