On Tue, Nov 19, 2019 at 05:12:09AM +0000, Md. abdullah Al naser via dns-wg
wrote:
> Hi everyone, I hope you all are fine. I am new in the mailing list and
> looking for an advise. If this mailing-list is not suitable for my below
> query then please pardon me.
> I am stuck in a situation and looking for a solution. My scenario is like
> below.
> I want to block some websites for my all users.
> For example:www.abc.comwww.xyz.cometc
> I did it using Response Policy Zone (RPZ) in BIND. response-policy
> {zone "rpz";};rrset-order { order cyclic; };
> zone "rpz" { type master; allow-query { any; }; file
> "/etc/bind/rpz.db"; }; In my RPZ zone file I created CNAME entries for
> above mentioned FQDNs which have been pointed to discard.websites.com
> www.abc.com IN CNAME discard.websites.com.;www.xyz.com IN CNAME
> discard.websites.com.;
> And later on, in websites.com zone file (which is another fake zone) I
> created an A record for discard.websites.com which has been pointed to
> 192.168.127.127 (a fake IP). discard IN A 192.168.127.127;
> In this way all the dns requests from my all users for above mentioned sites
> are resolved to 192.168.127.127 and the real websites are unreachable.
> (N.B. I am not worry about the situation when users change their DNS IP to
> any open resolver and can access the websites.)
> Everything was going fine. By this time another requirement came into the
> picture. Now I need to block the mentioned websites for some specific users
> (based on source IP).
> So in my RPZ configuration I specified the users source IP block like below.
> zone "rpz" { type master; allow-query { 192.168.10.0/24; }; file
> "/etc/bind/rpz.db"; };
> At this point the dns queries from the specified block 192.168.10.0/24 are
> resolved to my fake ip and all other requests from rest of IP blocks are
> dropped (as expected as per configuration).
> But I want to do like this, the dns queries from 192.168.10.0/24 blocks will
> be matched with RPZ zone and other requests from rest of IPs will bypass the
> RPZ configuration and will match my general "allow-query {any;}" statement
> mentioned in named.conf file.
> Will the logic work as I stated above?? Any comments from the experts will be
> great for me.
> (N.B. I came to know that, resolving different IP based on different source
> can be possible in KNOT DNS, but I would be happy to do it in BIND (if
> possible).
(1) You can implement custom configurations for different subnets using
views in BIND. Read about views and match-clients if you want to match
by client IP. You may want to also make use of attach-cache to share a
single cache among the views in your case.
(2) Some years ago, I proposed and implemented as a branch for BIND an
RPZ extension with policy action "rpz-skipzone.", but it was not
standardized as we're still stuck with RPZ not moving in the dnsop (the
current draft limits to what has been implemented in BIND so far).
With "rpz-skipzone.", RPZ processing can be skipped to the next RPZ zone
in order for the query.
E.g., with two policy zones like this:
(i) rpz1.zone:
24.0.10.168.192.rpz-client-ip CNAME rpz-skipzone.
1.0.0.0.0.rpz-client-ip CNAME rpz-passthru.
1.0.0.0.128.rpz-client-ip CNAME rpz-passthru.
(ii) rpz2.zone:
www.abc.com IN CNAME discard.websites.com.
RPZ matches the longest prefix trigger's rule first with the client IP,
so clients in 192.168.10.0/24 will move to processing rules in rpz2
whereas the rest of the clients don't have RPZ applied at all due to
rpz-passthru.
Maybe "rpz-skipzone." will get picked up later after the current
situation with the RPZ draft progresses somehow. You may be able to
request and receive a patch for "rpz-skipzone." from ISC, but note that
it is non-standard and you won't be able to share your policy zones with
other implementations. (1) is your best bet.
Mukund
