How to Block a domain using RPZ on Bind DNS server on CentOS

To Block a domain using RPZ on Bind DNS server on CentOS

Domain Name System, or DNS, is the service that resolves host names to IP addresses. Response Policy Zones (DNS RPZ) are used for protection against malicious global identifiers such as host names, domain names, IP addresses and nameservers: an RPZ prevents access to certain internet domains by redirecting them to other locations. Blocking a domain in a DNS server therefore means redirecting all queries for that domain to a loopback or other false IP address by using RPZ. This tutorial explains the procedure for blocking a domain using RPZ in the Bind DNS server on CentOS.

Configuration procedure

To proceed with the configuration, install the bind packages using the yum command; the -y flag answers yes to the confirmation prompt, so the installation continues without further input.

[root@ns1 ~]# yum install bind* -y
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: ftp.iitm.ac.in
 * extras: mirror.ehost.vn
 * updates: ftp.iitm.ac.in
Resolving Dependencies
-->  Running transaction check
--->  Package bind.x86_64 32:9.8.2-0.62.rc1.el6_9.4 will be installed
--->  Package bind-chroot.x86_64 32:9.8.2-0.62.rc1.el6_9.4 will be installed
--->  Package bind-devel.x86_64 32:9.8.2-0.62.rc1.el6_9.4 will be installed
--->  Package bind-dyndb-ldap.x86_64 0:2.3-8.el6 will be installed
.
.
.
Installed:
  bind.x86_64 32:9.8.2-0.62.rc1.el6_9.4  bind-chroot.x86_64 32:9.8.2-0.62.rc1.el6_9.4  bind-devel.x86_64 32:9.8.2-0.62.rc1.el6_9.4  bind-dyndb-ldap.x86_64 0:2.3-8.el6  bind-sdb.x86_64 32:9.8.2-0.62.rc1.el6_9.4

Dependency Installed:
  postgresql-libs.x86_64 0:8.4.20-7.el6

Updated:
  bind-libs.x86_64 32:9.8.2-0.62.rc1.el6_9.4  bind-utils.x86_64 32:9.8.2-0.62.rc1.el6_9.4

Complete!

Edit the named.conf configuration file using the vim editor and enter the following contents in the file. Save and exit the file.

[root@ns1 ~]# vim /etc/named.conf

options {
        listen-on port 53 { 127.0.0.1; 192.168.7.222; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // queries are accepted only from this host; list client networks here to serve a LAN
        allow-query     { localhost; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Add your server's IP address to the listen-on line as shown in the configuration above, then start the named service and enable it at boot by running the following commands.

[root@ns1 ~]# service named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]
[root@ns1 ~]# chkconfig named on

Set the resolving DNS server IP in your network configuration file using the vim editor and make the following changes. Save and exit the file.

[root@ns1 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
TYPE=Ethernet
UUID=36a6e616-74e3-4df5-ad16-ca3b691bc2d8
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
HWADDR=00:0C:29:F2:17:C6
IPADDR=192.168.7.222
PREFIX=24
GATEWAY=192.168.7.1
DNS1=8.8.8.8
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"

Now restart the network service.

[root@ns1 ~]# service network restart
Shutting down interface eth0:  Device state: 3 (disconnected)
                                                           [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:  Active connection state: activated
Active connection path: /org/freedesktop/NetworkManager/ActiveConnection/2
                                                           [  OK  ]

To block a domain using the DNS RPZ method, open the named.conf configuration file and declare a response policy zone as shown below.

[root@ns1 ~]# vim /etc/named.conf
// add inside the existing options { } block (response-policy is an options statement):
        response-policy { zone "ns1.example.com"; };

// add at top level, alongside the other zone statements:
zone "ns1.example.com" IN {
        type master;
        file "rpz.db";
};

Next, create the zone file named rpz.db that was referenced in named.conf and enter the following details in the file. Save and exit the file.

[root@ns1 ~]# vim /var/named/rpz.db

$TTL 1D
@       IN SOA ns1.example.com. root.example.com. (
                                        0         ; serial
                                        1D        ; refresh
                                        1H        ; retry
                                        1W        ; expire
                                        3H )      ; minimum
@ IN NS ns1.example.com.
@ IN A 192.168.7.222

; names are relative to the policy zone origin, so these entries match queries
; for youtube.com and www.youtube.com and answer with the apex address above
youtube.com     IN CNAME @
www.youtube.com IN CNAME @

Restart the named service.

[root@ns1 ~]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]

Verify that the site is blocked by running nslookup against it with the following command.

[root@ns1 ~]# nslookup youtube.com
Server: 192.168.7.222
Address: 192.168.7.222#53

Non-authoritative answer:
youtube.com canonical name = ns1.example.com.
Name: ns1.example.com
Address: 192.168.7.222
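As an added example (not part of the tutorial), the shell script below generates rpz.db from a plain list of domains, validates it with named-checkzone and reloads only the policy zone through rndc instead of restarting named; it also shows RPZ's standard NXDOMAIN action (CNAME .) alongside the tutorial's redirect to the server address. SINKHOLE, NS_NAME, ZONE_FILE, gen_rpz_zone and rpz_install are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the tutorial: build rpz.db from a plain domain list,
# validate it with named-checkzone, and reload the zone. SINKHOLE, NS_NAME,
# ZONE_FILE, gen_rpz_zone and rpz_install are names chosen here (assumptions).
SINKHOLE="192.168.7.222"            # where redirected clients land (the tutorial's server IP)
NS_NAME="ns1.example.com."          # RPZ zone name, also used as NS / SOA MNAME
ZONE_FILE="${ZONE_FILE:-/var/named/rpz.db}"

# gen_rpz_zone MODE  (reads one domain per line on stdin, writes the zone to stdout)
#   redirect -> "CNAME @"  steers the name to SINKHOLE, as the tutorial does
#   nxdomain -> "CNAME ."  is RPZ's standard action for answering NXDOMAIN
# Names are written relative to the zone origin, which is how RPZ triggers work.
gen_rpz_zone() {
    case "$1" in
        redirect) target="@" ;;
        nxdomain) target="." ;;
        *) echo "gen_rpz_zone: mode must be redirect or nxdomain" >&2; return 1 ;;
    esac
    # Epoch-seconds serial: strictly increasing, so every regeneration is noticed on reload.
    printf '$TTL 1D\n@ IN SOA %s root.example.com. ( %s 1D 1H 1W 3H )\n' "$NS_NAME" "$(date +%s)"
    printf '@ IN NS %s\n@ IN A %s\n' "$NS_NAME" "$SINKHOLE"
    while IFS= read -r line; do
        # strip comments, whitespace and a trailing dot; skip empty lines
        domain=$(printf '%s' "$line" | sed 's/#.*//; s/[[:space:]]//g; s/\.$//')
        [ -n "$domain" ] || continue
        printf '%s IN CNAME %s\n' "$domain" "$target"      # the domain itself
        printf '*.%s IN CNAME %s\n' "$domain" "$target"    # and every subdomain of it
    done
}

# rpz_install MODE < domains: write the zone only if named-checkzone accepts it,
# then ask named to reload just this zone (no full restart needed).
rpz_install() {
    tmp=$(mktemp) || return 1
    if ! gen_rpz_zone "$1" > "$tmp"; then rm -f "$tmp"; return 1; fi
    if command -v named-checkzone >/dev/null 2>&1 &&
       ! named-checkzone "${NS_NAME%.}" "$tmp" >/dev/null; then
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$ZONE_FILE" || return 1
    if command -v rndc >/dev/null 2>&1; then rndc reload "${NS_NAME%.}"; fi
}

# e.g.  printf 'youtube.com\nwww.youtube.com\n' | sh rpz-gen.sh --install redirect
if [ "${1:-}" = "--install" ]; then rpz_install "${2:-redirect}"; fi
```

Run it as root on the DNS server so that the generated file lands in /var/named and rndc can reach named; the generated file replaces the hand-written rpz.db from the step above.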

To check in the browser, type the blocked domain name in the browser and try to access it. The domain will remain blocked as per the configuration.

Thus the procedure for blocking a domain using RPZ on a Bind DNS server on CentOS is complete.

FAQ
Q
Where is the DNS configuration file edited on CentOS?
A
Edit the named.conf configuration file using the vim editor and enter the required contents in the file. Save and exit the file.
# vim /etc/named.conf
Q
What is the purpose of blocking a domain using RPZ on a Bind DNS server on CentOS?
A
Domain Name System, or DNS, is the service that resolves host names to IP addresses. Response Policy Zones (DNS RPZ) are used for protection against malicious global identifiers such as host names, domain names, IP addresses and nameservers: an RPZ prevents access to certain internet domains by redirecting them to other locations. Blocking a domain in a DNS server therefore means redirecting all queries for that domain to a loopback or other false IP address by using RPZ.
Q
Which package needs to be installed for DNS configuration on CentOS?
A
Use the command below to install the DNS package:
# yum install bind* -y
Q
How do I add a whitelist using RPZ?
A
Use the link below to add a whitelist using RPZ:
https://topranks.github.io/2017/05/13/DNS-Whitelist-in-BIND-with-RPZ.html
Q
What is DNS RPZ?
A
Domain Name Service Response Policy Zones (DNS RPZ) is a method that allows a nameserver administrator to overlay custom information on top of the global DNS to provide alternate responses to