I wanted to take my existing internal DNS Bind servers and add some RPZ security. Previously I had split DNS with my internal view set to forward 3 specific domains to my office's internal DNS servers.
zone "company.tld" IN {
    type forward;
    forward only;
    forwarders {
        10.10.161.1;
        10.11.161.1;
    };
};
Which worked great. Once I added RPZ after signing up with a transfer provider:
response-policy {
    zone "oisd-full.ioc2rpz" policy nxdomain;
} qname-wait-recurse no break-dnssec yes;
I can see my RPZ working great, but my forwarded zone is being caught in the RPZ. (Yeah, one of many companies I have worked for that inadvertently used an internal TLD that is now on someone's naughty list).
I tried making this domain a whitelist, but bind requires that my zone definition be a MASTER or SLAVE type, not a forward.
I am not finding a good example of anyone who has got both features to work, i.e. allow Bind to either look at all its local zones first, before RPZ, or tag a whitelist so that it still looks at its view configuration for answers if it is marked passthru.
Ideas?
Asked by Nick Ellson
(11 rep)
Jan 3, 2022, 05:56 PM
Last activity: Jan 5, 2022, 01:04 PM
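One configuration that gives the behaviour the question asks about, added here as an illustration and not part of the original post or of any answer to it. BIND checks the zones in a response-policy statement in the order they are listed and applies the first trigger that matches, so a small local RPZ zone listed ahead of the provider's feed can exempt the forwarded domain. That whitelist zone is a separate master (primary) zone that exists only to feed RPZ; the forward zone for company.tld is left exactly as it was, and once the name passes through RPZ normal resolution reaches it and forwards to the office. The zone name whitelist.rpz, the file path and the SOA values below are assumptions, and both fragments have to live in the same view as the forward zone.

```conf
// ---- named.conf fragment (inside the same view that holds the forward zone) ----
// Added example, not from the original post. Zone name and file path are assumptions.

response-policy {
    // Listed first: the first policy zone that matches a name wins, so a
    // passthru hit here stops the feed below from rewriting company.tld.
    zone "whitelist.rpz" policy passthru;
    zone "oisd-full.ioc2rpz" policy nxdomain;
} qname-wait-recurse no break-dnssec yes;

// The exception list must be a master/slave zone. It is a different zone
// from the forward zone and is consulted only by RPZ, never by clients.
zone "whitelist.rpz" IN {
    type master;
    file "/etc/bind/rpz/whitelist.rpz.db";
    allow-query { localhost; };
    allow-transfer { none; };
};

// Unchanged forward zone from the question.
zone "company.tld" IN {
    type forward;
    forward only;
    forwarders { 10.10.161.1; 10.11.161.1; };
};

; ---- /etc/bind/rpz/whitelist.rpz.db (assumed path, standard zone-file syntax) ----
; Names are relative to the zone apex, so "company.tld" here is the RPZ
; trigger for company.tld; the wildcard covers hosts such as www.company.tld.
$TTL 300
@               IN SOA  localhost. hostmaster.localhost. (
                        2022010301 ; serial
                        3600       ; refresh
                        900        ; retry
                        604800     ; expire
                        300 )      ; minimum
                IN NS   localhost.
company.tld     IN CNAME rpz-passthru.
*.company.tld   IN CNAME rpz-passthru.
```

Check the syntax with `named-checkconf` and `named-checkzone whitelist.rpz /etc/bind/rpz/whitelist.rpz.db` before `rndc reload`, then confirm with `dig @127.0.0.1 host.company.tld` that the answer comes from the office forwarders rather than NXDOMAIN. Two caveats: `policy passthru` on the zone line makes every record in that zone a passthru regardless of its CNAME target, which is what you want for a whitelist but means a typo cannot accidentally block anything; and because the exception matches the whole company.tld subtree, any specific host the provider feed lists under that TLD is exempted as well, so enable the `rpz` logging category if you want to see what the feed would otherwise have rewritten.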