Bind RPZ no effect with Views

3 votes
2 answers
2801 views
I have a DNS server which has two views, one for internal users and one for external (the internet, for example). I want to configure RPZ so that when internal users request a sample website (external recursive queries will be denied anyway), they are redirected to another website (a filter page) showing that access to this website is not allowed. But RPZ is not working: a query for bad.com returns its real address. I can't find the problem.

**named.conf.options:**

```
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        8.8.8.8;
    };

    response-policy { zone "filter" recursive-only no; };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    # dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
```

**named.conf.local:**

```
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

acl internal { 172.17.116/24; 192.168.20/24; 127/8; };

view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "wsi.org" {
        type master;
        file "/etc/bind/internal.zone";
    };
    zone "filter" {
        type master;
        file "/etc/bind/filter.zone";
    };
    include "/etc/bind/named.conf.default-zones";
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "wsi.org" {
        type master;
        file "/etc/bind/external.zone";
    };
    zone "filter" {
        type master;
        file "/etc/bind/filter2.zone";
    };
    include "/etc/bind/named.conf.default-zones";
};
```

**filter.zone:**

```
$TTL 604800
@   IN  SOA wsi.org. root.wsi.org. (
              3         ; Serial
         604800         ; Refresh
          86400         ; Retry
        2419200         ; Expire
         604800 )       ; Negative Cache TTL
bad.com  A  filter.wsi.org
bad.net  A  filter.wsi.org
```

**filter2.zone:**

```
$TTL 604800
@   IN  SOA wsi.org. root.wsi.org. (
              3         ; Serial
         604800         ; Refresh
          86400         ; Retry
        2419200         ; Expire
         604800 )       ; Negative Cache TTL
bad.com  A      filter.wsi.org
bad.net  CNAME  rpz-passthru
```

nslookup always shows the real address of bad.net and bad.com. I was experimenting, which is why there are two zones.
Asked by Shahriar (53 rep)
Oct 21, 2016, 03:23 PM
Last activity: Feb 19, 2017, 03:02 PM
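The following is an added example, not part of the question or of any answer on this page. It is a small lint over RPZ zone text that encodes two zone-file rules BIND applies regardless of RPZ: the rdata of an A record must be an IPv4 address (a hostname belongs in a CNAME), and any name without a trailing dot is relative to the zone origin, so an RPZ action such as `rpz-passthru` must be written fully qualified as `rpz-passthru.`. The sample zone bodies are constructed here from the records posted above, with the SOA collapsed onto one line; `lint_rpz_zone` and `RPZ_ACTIONS` are names chosen for this example.

```python
import ipaddress

# Constructed sample input: the record sets from the two posted RPZ zones.
FILTER_ZONE = """\
$TTL 604800
@ IN SOA wsi.org. root.wsi.org. ( 3 604800 86400 2419200 604800 )
bad.com A filter.wsi.org
bad.net A filter.wsi.org
"""

FILTER2_ZONE = """\
$TTL 604800
@ IN SOA wsi.org. root.wsi.org. ( 3 604800 86400 2419200 604800 )
bad.com A filter.wsi.org
bad.net CNAME rpz-passthru
"""

# Fully qualified CNAME targets that BIND interprets as RPZ actions.
RPZ_ACTIONS = {".", "*.", "rpz-passthru.", "rpz-drop.", "rpz-tcp-only."}


def lint_rpz_zone(text):
    """Return (owner, problem) tuples for records that a BIND RPZ zone
    would not interpret the way a filter-page redirect intends."""
    problems = []
    for raw in text.splitlines():
        # Drop comments and directives; the SOA is not a policy record.
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$") or " SOA " in line:
            continue
        fields = line.split()
        # Accept "owner [IN] type rdata".
        if len(fields) >= 4 and fields[1].upper() == "IN":
            owner, rtype, rdata = fields[0], fields[2].upper(), " ".join(fields[3:])
        elif len(fields) >= 3:
            owner, rtype, rdata = fields[0], fields[1].upper(), " ".join(fields[2:])
        else:
            problems.append((line, "record has too few fields to parse"))
            continue

        if rtype == "A":
            try:
                ipaddress.IPv4Address(rdata)
            except ValueError:
                problems.append((owner, f"A rdata {rdata!r} is not an IPv4 address; "
                                        "a hostname target needs a CNAME record"))
        elif rtype == "CNAME":
            if rdata.startswith("rpz-") and not rdata.endswith("."):
                problems.append((owner, f"RPZ action {rdata!r} is relative to the "
                                        f"zone origin; write it as {rdata + '.'!r}"))
            elif not rdata.endswith(".") and rdata not in RPZ_ACTIONS:
                problems.append((owner, f"CNAME target {rdata!r} is relative to the "
                                        "zone origin; add a trailing dot"))
    return problems


if __name__ == "__main__":
    for name, zone in (("filter.zone", FILTER_ZONE), ("filter2.zone", FILTER2_ZONE)):
        for owner, problem in lint_rpz_zone(zone):
            print(f"{name}: {owner}: {problem}")
```

Run it directly to see one line per flagged record; an empty result for a zone means every policy record is syntactically what BIND expects, which is the first thing to establish before looking at `response-policy` placement across views.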