RPZ Specification: https://kb.isc.org/getAttach/22/AA-00512/rpz.pdf

When a client looks up a host, my nameserver recursively resolves the query (here through the forwarder). Before the answer goes back, the query name and the answer are checked against the RPZ zones; on a match the nameserver sends the client whatever the matching rule says instead of the real answer. This is a cheap way to block known-malicious hosts. The action is encoded in the rule's record data:
CNAME .   for NXDOMAIN (the name does not exist)
CNAME *.  for NODATA (the name exists but has no records)
CNAME to a real name to redirect, or an A/AAAA record to hand back a fixed address
CNAME rpz-passthru. to exempt a name from rewriting (for false positives in a feed)

You can redirect to a walled garden (a blackhole or a honeypot) this way.
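To make the encodings concrete, here is an added example (editor's code, not from the original post) that renders a local RPZ zone from a rule list. It goes beyond the three cases above: it also encodes IP, client-IP and NSDNAME triggers (reversed-address owner names under rpz-ip, rpz-client-ip and rpz-nsdname) and the rpz-passthru. and rpz-drop. actions. The names, addresses and the zone name rpz.local are constructed; www.subnetzero.net is the walled garden used later in the post.

```python
"""Render a local RPZ zone from a list of (trigger, action, target) rules.

Worked example for the action encodings described above: the policy
action lives in the record data (CNAME .  = NXDOMAIN, CNAME *. = NODATA,
CNAME <name>. = redirect, CNAME rpz-passthru. = exempt, or an explicit
A/AAAA record as the answer), while IP and nameserver triggers are
encoded in the owner name under rpz-ip, rpz-nsip, rpz-client-ip and
rpz-nsdname.  Example code added by the editor, not from the original post.
"""
import ipaddress

# Actions that are pure CNAME encodings; the target carries no real data.
ACTIONS = {
    "nxdomain": "CNAME .",
    "nodata": "CNAME *.",
    "passthru": "CNAME rpz-passthru.",
    "drop": "CNAME rpz-drop.",
}


def ip_trigger(cidr, kind="rpz-ip"):
    """Encode a CIDR block as an RPZ IP trigger owner name (relative to the zone).

    IPv4: <prefixlen>.B4.B3.B2.B1.<kind>    octets reversed
    IPv6: <prefixlen>.W8...W1.<kind>        hextets reversed, 'zz' stands for '::'
    """
    if kind not in ("rpz-ip", "rpz-nsip", "rpz-client-ip"):
        raise ValueError(f"unknown IP trigger kind: {kind}")
    net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set in the prefix
    if net.version == 4:
        parts = str(net.network_address).split(".")[::-1]
    else:
        left, sep, right = str(net.network_address).partition("::")
        low = [w for w in left.split(":") if w]
        high = [w for w in right.split(":") if w]
        parts = high[::-1] + (["zz"] if sep else []) + low[::-1]
    return ".".join([str(net.prefixlen)] + parts + [kind])


def nsdname_trigger(nameserver):
    """Trigger on answers whose delegation uses this nameserver name."""
    return nameserver.rstrip(".") + ".rpz-nsdname"


def rpz_record(owner, action, target=None):
    """One zone-file line: `owner` gets `action` (nxdomain|nodata|passthru|drop|cname|a|aaaa)."""
    if action in ACTIONS:
        rdata = ACTIONS[action]
    elif action == "cname":
        if not target:
            raise ValueError("cname action needs a target name")
        # absolute target, otherwise the zone origin would be appended to it
        rdata = "CNAME " + target.rstrip(".") + "."
    elif action in ("a", "aaaa"):
        addr = ipaddress.ip_address(target)
        if (action == "a") != (addr.version == 4):
            raise ValueError(f"{target} does not fit record type {action.upper()}")
        rdata = f"{action.upper()} {addr}"
    else:
        raise ValueError(f"unknown action: {action}")
    return f"{owner} {rdata}"


def build_zone(origin, rules, ttl=300, serial=1):
    """Complete zone text: $ORIGIN/$TTL, a minimal SOA and NS, then one line per rule."""
    origin = origin.rstrip(".") + "."
    lines = [
        f"$ORIGIN {origin}",
        f"$TTL {ttl}",
        f"@ IN SOA localhost. hostmaster.{origin} {serial} 3600 900 604800 {ttl}",
        "@ IN NS localhost.",
        "",
    ]
    lines.extend(rpz_record(owner, action, target) for owner, action, target in rules)
    return "\n".join(lines) + "\n"


# Constructed policy for illustration; the names are documentation values,
# not real indicators.  www.subnetzero.net is the walled garden used in the post.
EXAMPLE_RULES = [
    ("malware.example", "nxdomain", None),                 # pretend the name does not exist
    ("ads.example", "nodata", None),                       # name exists, empty answer
    ("*.badguy.example", "cname", "www.subnetzero.net"),   # redirect the whole domain to the garden
    ("www.badguy.example", "passthru", None),              # ...except this one host (exact beats wildcard)
    ("c2.example", "a", "10.1.1.99"),                      # hand back a sinkhole address directly
    (ip_trigger("192.0.2.0/24"), "nxdomain", None),        # any answer inside 192.0.2.0/24
    (ip_trigger("2001:db8::/32"), "drop", None),           # silently drop answers in this IPv6 range
    (nsdname_trigger("ns1.badguy.example"), "nxdomain", None),  # anything served by this NS
]

if __name__ == "__main__":
    print(build_zone("rpz.local", EXAMPLE_RULES), end="")
```

Load the output as an ordinary master zone in named.conf (with check-names ignore, as for the provider zones below) and list it first in response-policy so local rules take precedence over the feeds; named-checkzone rpz.local <file> will catch syntax problems before named does.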

[root@localhost data]# tail -f rpz.log
client 10.1.1.50#45293: rpz QNAME records rewrite malware.com via malware.com.rpz
client 10.1.1.50#34596: rpz QNAME NODATA rewrite milw0rm.com via milw0rm.com.rpz
client 10.1.1.50#47482: rpz QNAME NXDOMAIN rewrite ipwnty0u.com via ipwnty0u.com.rpz
client 10.1.1.50#44068: rpz QNAME records rewrite bad.example.com via bad.example.com.rpz
client 10.1.1.50#38107: rpz QNAME records rewrite files.badguy.net via files.badguy.net.rpz
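The log above is the part of RPZ you actually watch. Here is an added example (editor's code, not from the post) that parses rpz category lines and summarizes them by client, action and feed, and flags hosts that hit several distinct blocked names. The first five sample lines are copied from the tail above; the sixth is constructed in the longer line format that newer BIND releases write (client pointer, query name in parentheses, a /TYPE/CLASS suffix on the rewritten name). That format is an assumption; the regex tolerates it rather than requiring it.

```python
"""Summarize BIND's rpz log category.

Added example (not from the original post): parse rewrite lines like
  client <ip>#<port>: rpz <trigger> <action> rewrite <qname> via <rule>
and answer the questions you have when reading rpz.log: which clients are
hitting policy, how often, with what action, and from which feed.
"""
import re
from collections import Counter, defaultdict

RPZ_RE = re.compile(
    r"client\s+(?:@0x[0-9a-fA-F]+\s+)?"          # optional client pointer (newer BIND, assumed)
    r"(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+)"   # source address#port
    r"(?:\s+\([^)]*\))?:\s+"                      # optional '(qname)' (newer BIND, assumed)
    r"rpz\s+(?P<trigger>\S+)\s+(?P<action>\S+)\s+rewrite\s+"
    r"(?P<qname>[^/\s]+)(?:/\S+)?\s+via\s+(?P<rule>\S+)"   # optional /TYPE/CLASS suffix
)

# First five lines: copied from the post's rpz.log output.
# Sixth line: constructed, in the longer format newer BIND releases write.
# Seventh line: constructed non-rpz line to show the parser skips it.
SAMPLE_LOG = """\
client 10.1.1.50#45293: rpz QNAME records rewrite malware.com via malware.com.rpz
client 10.1.1.50#34596: rpz QNAME NODATA rewrite milw0rm.com via milw0rm.com.rpz
client 10.1.1.50#47482: rpz QNAME NXDOMAIN rewrite ipwnty0u.com via ipwnty0u.com.rpz
client 10.1.1.50#44068: rpz QNAME records rewrite bad.example.com via bad.example.com.rpz
client 10.1.1.50#38107: rpz QNAME records rewrite files.badguy.net via files.badguy.net.rpz
client @0x7f3a1c0b2d40 10.1.1.77#51012 (c2.example): rpz QNAME NXDOMAIN rewrite c2.example/A/IN via c2.example.rpz.local
zone example.net/IN: loaded serial 2014010101
"""


def parse_rpz_line(line):
    """Dict with client, port, trigger, action, qname, rule, zone; None if not a rewrite line."""
    m = RPZ_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["qname"] = rec["qname"].rstrip(".").lower()
    # The rule is logged as <trigger owner>.<policy zone>; for QNAME hits the
    # owner is the query name itself, so the remainder names the feed that fired.
    rule = rec["rule"].rstrip(".").lower()
    prefix = rec["qname"] + "."
    rec["zone"] = rule[len(prefix):] if rule.startswith(prefix) else rule
    return rec


def summarize(lines):
    """Counters per client, per action and per feed, plus the distinct names each client hit."""
    per_client, per_action, per_zone = Counter(), Counter(), Counter()
    names_by_client = defaultdict(set)
    for line in lines:
        rec = parse_rpz_line(line)
        if rec is None:
            continue
        per_client[rec["client"]] += 1
        per_action[rec["action"]] += 1
        per_zone[rec["zone"]] += 1
        names_by_client[rec["client"]].add(rec["qname"])
    return {"per_client": per_client, "per_action": per_action,
            "per_zone": per_zone, "names_by_client": names_by_client}


def noisy_clients(summary, min_distinct_names=3):
    """Clients that hit at least `min_distinct_names` different blocked names.

    One rewrite is usually a stray click; several distinct blocked names from
    the same host is the pattern worth opening a ticket on.
    """
    return sorted(client for client, names in summary["names_by_client"].items()
                  if len(names) >= min_distinct_names)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for client, hits in s["per_client"].most_common():
        print(f"{client:<16}{hits:>3} rewrites  {sorted(s['names_by_client'][client])}")
    print("by action:", dict(s["per_action"]))
    print("by feed:  ", dict(s["per_zone"]))
    print("noisy:    ", noisy_clients(s))
```

Point it at the real file with summarize(open("/var/named/data/rpz.log")); with print-time enabled on the channel the same regex still matches, since it searches rather than anchors at the start of the line.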


Here's my named.conf:
[root@localhost data]# cat /etc/named.conf
// bind options. Simple config
options {
        listen-on port 53 { 10.1.1.51; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursion yes;
        // Validation is off on this box. If you turn it on, remember that RPZ
        // leaves validated answers alone unless response-policy has break-dnssec yes.
        // (dnssec-enable and dnssec-lookaside, which the original config also set,
        // are obsolete in current BIND; the DLV service was retired.)
        dnssec-validation no;
        auth-nxdomain no;
        // only the local subnet may recurse through this server
        allow-recursion { 10.1.1.0/24; };
        forwarders {
                8.8.8.8;
        };
// RPZ config: zones are searched in the order listed, so a rule in an
// earlier zone takes precedence over later ones
        response-policy { zone "arpzprovider.net"; zone "brpzprovider.net"; };
};
logging {
        channel normal-log {
                file "data/named.log";
                severity debug;
        };
        channel named-rpz {
                file "data/rpz.log";
                severity debug;
                print-time yes;       // timestamps, so hits line up with other logs
        };
        // rewrites go to their own file, everything else to the normal log
        category rpz { named-rpz; };
        category default { normal-log; };
};
// TSIG key for pulling the feed zones from the provider. hmac-md5 is what this
// provider issued; prefer hmac-sha256 where the provider supports it.
key "provider" {
        algorithm hmac-md5;
        secret "asdfasdfasdfasdfasdfasdfasdf";   // placeholder, not a real key
};
zone "arpzprovider.net" {
     type slave;                  // "secondary" in current BIND; slave still works
     masters { X.X.X.X key provider; X.X.X.X key provider; };
     file "/var/named/db.arpzprovider.net";
     check-names ignore;          // RPZ owner names (wildcards, rpz-ip labels) fail hostname checks
     notify no;
};
zone "brpzprovider.net" {
     type slave;
     masters { X.X.X.X key provider; X.X.X.X key provider; };
     file "/var/named/db.brpzprovider.net";
     check-names ignore;
     notify no;
};
If the zone comes from a provider and its rules point to NXDOMAIN or to the provider's own walled garden, you can still send clients to your own. Editing the transferred zone file is pointless, because the next zone transfer overwrites it. Instead, override the action for the whole zone with a policy clause on that zone in the response-policy statement in named.conf. Here both feeds are redirected to a local walled garden:

response-policy {
        zone "arpzprovider.net" policy cname "www.subnetzero.net";
        zone "brpzprovider.net" policy cname "www.subnetzero.net";
};

The override applies to the zone's rules as a whole, so a feed that mixes NXDOMAIN and redirect entries ends up all redirected. Other values are given (the default: use the actions in the zone data), nxdomain, nodata, passthru, and disabled, which logs what would have been rewritten without changing any answer and is the safe way to trial a new feed.
