Hello Mohammed,

You can use RPZ (Response Policy Zone). The following link should give
you a good introduction on how to set this up:

Building DNS Firewalls with Response Policy Zones (RPZ)
https://kb.isc.org/docs/aa-00525

Daniel

Hi,
$RPZ++

If you can't use RPZ, then you /can/ create skeleton zones to make your
server authoritative for the zones in question. However, there are
drawbacks to this regarding performance based on the number and size of
all the additional zones.

I would strongly recommend RPZ, or the new Response Policy Service,
which there are a few commercial implementations of. RPS is for DNS
what milters are for mail servers.

RPZ is a ""static list.
RPS is an active / dynamic service.

Note: Response Policy Zones can be updated via normal dynamic DNS methods.

Hello all,



Thanks for every one's contribution. I use RPZ and listed 5000 forged
domain to block it in a particular zone without having addiotnal zones, I
hope that's the feature of RPZ, Seems good.



Below is snippet for your review for the zone and file db.rpz.local which
was copied from the default named.empty.



zone "rpz.local" {

type master;

file "db.rpz.local";

allow-query { localhost; };

};













Once this configuration done I am expecting that whoever quarried to our
name server for a zone which Is listed in my dns server should not allow
users to fetch any records as recursive from outside servers, it should
server from the internal servers only?



When I test my configuration with one of the hosted domain in my list i.e
doubleclick.net, I got all the results rather than throwing an error. please
correct if I am wrong..













Here are the logs.



[***@ns20 ~]# tailf /var/log/named/rpz.log

14-Jul-2020 06:49:53.582 rpz: info: client 212.71.32.20#38120: rpz QNAME
NXDOMAIN rewrite test.doubleclick.net via test.doubleclick.net.rpz.local

14-Jul-2020 06:49:55.370 rpz: info: client 213.210.231.227#26654: rpz QNAME
NXDOMAIN rewrite securepubads.g.doubleclick.net via
securepubads.g.doubleclick.net.rpz.local

14-Jul-2020 06:50:04.445 rpz: info: client 212.71.32.20#48178: rpz QNAME
NXDOMAIN rewrite mail.doubleclick.net via mail.doubleclick.net.rpz.local

14-Jul-2020 06:50:09.079 rpz: info: client 213.210.231.227#16492: rpz QNAME
NXDOMAIN rewrite stats.g.doubleclick.net via
stats.g.doubleclick.net.rpz.local

c14-Jul-2020 06:52:07.353 rpz: info: client 213.210.253.163#58635: rpz QNAME
NXDOMAIN rewrite stats.l.doubleclick.net via
stats.l.doubleclick.net.rpz.local

14-Jul-2020 06:52:25.272 rpz: info: client 213.210.253.163#57975: rpz QNAME
NXDOMAIN rewrite pagead.l.doubleclick.net via
pagead.l.doubleclick.net.rpz.local

14-Jul-2020 06:55:03.973 rpz: info: client 213.181.164.207#31366: rpz QNAME
NXDOMAIN rewrite googleads.g.doubleclick.net via
googleads.g.doubleclick.net.rpz.local







-----Original Message-----
From: bind-users [mailto:bind-users-***@lists.isc.org] On Behalf Of
Grant Taylor via bind-users
Sent: Monday, July 13, 2020 10:45 PM
To: bind-***@lists.isc.org
Subject: Re: scripts-to-block-domains
Hi,
$RPZ++



If you can't use RPZ, then you /can/ create skeleton zones to make your
server authoritative for the zones in question. However, there are
drawbacks to this regarding performance based on the number and size of all
the additional zones.



I would strongly recommend RPZ, or the new Response Policy Service, which
there are a few commercial implementations of. RPS is for DNS what milters
are for mail servers.



RPZ is a ""static list.

RPS is an active / dynamic service.



Note: Response Policy Zones can be updated via normal dynamic DNS methods.







--

Grant. . . .

unix || die

Hello Mohammed,

I don't see that you specified a "response-policy" [1] statement. You
need something like this as well:

response-policy {
zone "rpz.local" policy given;
}
// Apply RPZ policy to DNSSEC signed zones
break-dnssec yes
;

[1]
https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/html/reference.html#response-policy-zone-rpz-rewriting

Daniel

Thanks for your quick response,



I did that here is the statement in option section.











-----Original Message-----
From: Daniel Stirnimann [mailto:***@switch.ch]
Sent: Tuesday, July 14, 2020 9:25 AM
To: MEjaz <***@cyberia.net.sa>; bind-***@lists.isc.org
Subject: Re: scripts-to-block-domains



Hello Mohammed,



I don't see that you specified a "response-policy" [1] statement. You need
something like this as well:



response-policy {

zone "rpz.local" policy given;

}

// Apply RPZ policy to DNSSEC signed zones break-dnssec yes ;



[1]


<https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/html/reference.html#response
-policy-zone-rpz-rewriting>
https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/html/reference.html#response-
policy-zone-rpz-rewriting



Daniel

Please do not post images. Copy and paste the text.

(Over 100 lines of quoted lines with no content deleted)

Ok, I will take care next time will

-----Original Message-----
From: bind-users [mailto:bind-users-***@lists.isc.org] On Behalf Of
@lbutlr
Sent: Tuesday, July 14, 2020 10:28 AM
To: bind-users <bind-***@lists.isc.org>
Subject: Re: scripts-to-block-domains
Please do not post images. Copy and paste the text.

(Over 100 lines of quoted lines with no content deleted)
--
I WILL NOT BARF UNLESS I'M SICK Bart chalkboard Ep. 8F15

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list

ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

You might want to look through those domains and see if there are any
name servers that stick out significantly more than others.

Presuming that there are some believed to be bad name servers, you can
also use RPZ to filter traffic to said name servers carte blanch, even
if the names aren't listed in the RPZ, yet. ;-)