0

I wanted to take my existing internal DNS Bind servers and add some RPZ security. Previously I had split DNS with my internal view set to forward 3 specific domains to my offices internal DNS servers.

 zone "company.tld" IN { type forward; forward only; forwarders { 10.10.161.1; 10.11.161.1; };

Which worked great. Once I added RPZ after signing up with a transfer provider:

 response-policy { zone "oisd-full.ioc2rpz" policy nxdomain; } qname-wait-recurse no break-dnssec yes;

I can see my RPZ working great, but my forwarded zone is being caught in the RPZ. (Yeah, one of many companies I have worked for that inadvertently used an internal TLD that is now on someone's naughty list).

I tried making this domain a whitelist, but bind requires that my zone definition be a MASTER or SLAVE type, not a forward.

I am not finding a good example of anyone that has got both features to work.. IE: Allow Bind to either look at all it's local zones first, before RPZ, or tag a whitelist so that it still looks at it's view configuration for answers if it is marked passthru.

Ideas?

Improve this question

1 Answer 1

Reset to default
1

While debugging more (enabling lot's of logs) I got to the root of the issue. When I updated Bind9 to support RPZ, I did not realize I had enabled DNSSEC and my forwarder was failing trust chain (as it has none). I globally disabled DNSSEC deliberately and my RPZ whitelist with my company AD Domain in my whitelist zone as PASSTHRU now works.

Now I am off to learn DNSSEC so I can better understand it, and shutting of my query logging before my disk fills up.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.