Configure BIND as Forwarder only (no root hints), encrypted + RPZ blacklist / whitelist all together

*My setup is getting more complex, generally I tend to divide things in pieces and assemble them together by myself. But it seems this time I need more help to get the whole gears working together. That's why I was requested by user @Rui F Ribeiro to ask this one as a separate question.* --- What I'm trying to achieve? Basically what I found called on the internet as DNS Firewall. I need a BIND server configured with this features: - It want it to being able to FORWARD by default all the requests to an external DNS (in my case OpenDNS: 208.67.222.222, 208.67.220.220) - It must NOT for and for any case query the ROOT-SERVERS, because OpenDNS have some useful function of domain blocking/manipulating. So, if my bind server starts to ask things to OpenDNS and Root Servers randomly I will have different results each time. **(note: this forward must be done in encrypt mode for various reasons, including not getting intercepted and further manipulated by other servers in between)** - The bind server also has to serve as cache, it's ok send the queries to OpenDNS but if I have already fresh data is unnecessary to query again and again wasting bandwidth and time. - **Here come my other main request that is making my config even more complex:** I want to setup a RPZ zone with a huge list of domains i don't want them be able to be resolved, basically i want to have them resolving as 127.0.0.1 or another ip/host of my lan that should serve as catch-all http server for ad purpose and so on. How can I achieve a so complex configuration ? There's my config files, I guess something here is not working as necessary, so please help me with the config. --- # named.conf // This is the primary configuration file for the BIND DNS server named. // // Please read /usr/share/doc/bind9/README.Debian.gz for information on the // structure of BIND configuration files in Debian, *BEFORE* you customize // this configuration file. // // If you are just adding zones, please do that in /etc/bind/named.conf.local include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.default-zones"; # named.conf.options acl "trusted" { 127.0.0.1/8; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; ::1; }; options { directory "/var/cache/bind"; # bind cache directory recursion yes; # enables resursive queries allow-query { trusted; } ; allow-recursion { trusted; }; # allows recursive queries from "trusted" clients //listen-on { 0.0.0.0; }; # interfaces where to listen allow-transfer { none; }; # disable zone transfers by default // If there is a firewall between you and nameservers you want // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://www.kb.cert.org/vuls/id/800113 // If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. forward only; forwarders { 208.67.222.222; 208.67.220.220; }; //======================================================================== // If BIND logs error messages about the root key being expired, // you will need to update your keys. See https://www.isc.org/bind-keys //======================================================================== dnssec-enable no; dnssec-validation no; dnssec-lookaside auto; auth-nxdomain no; # conform to RFC1035 #listen-on-v6 { any; }; response-policy { zone "rpz-white" policy PASSTHRU; // my own white list zone "rpz-foreign"; // obtained from producer }; }; zone "rpz-white" { type master; file "/etc/bind/rpz-white.db"; }; zone "rpz-foreign" { type master; file "/etc/bind/rpz-foreign.db"; }; # named.conf.local // // Do any local configuration here // // Consider adding the 1918 zones here, if they are not used in your // organization //include "/etc/bind/zones.rfc1918"; # named.conf.default-zones // prime the server with knowledge of the root servers //zone "." { // type hint; // file "/etc/bind/db.root"; //}; // be authoritative for the localhost forward and reverse zones, and for // broadcast zones as per RFC 1912 zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };