[RPZ] Which 'options' section does the RPZ config go in?
Paul Vixie
paul at redbarn.org
Fri Mar 29 20:13:47 UTC 2013
ixloran at sent.at wrote:
> Hi,
>
> I'm getting started working on RPZ with BIND9.
good luck and please tell us all how it works out once you've made it
operational and seen some results.
> I got the server patched & built ok.
>
> And I got my config worked out to be
>
> response-policy {
>     zone "rpz.whitelist.local" policy PASSTHRU;
>     zone "rpz.local";
>     zone "rpz.spamhaus.org";
>     zone "drop.rpz.spamhaus.org";
> };
> zone "rpz.whitelist.local" IN {
>     type master;
>     file "/dns/master/rpz.whitelist.local.zone";
> };
> zone "rpz.local" IN {
>     type master;
>     file "/dns/master/rpz.local.zone";
>     allow-transfer { none; };
> };
> zone "rpz.spamhaus.org" IN {
>     type slave;
>     file "/dns/slave/rpz.spamhaus.org.zone";
>     masters { spamhaus; };
>     allow-transfer { spamhaus; };
>     request-ixfr yes;
>     ixfr-from-differences yes;
>     notify no;
> };
> zone "drop.rpz.spamhaus.org" IN {
>     type slave;
>     file "/dns/slave/drop.rpz.spamhaus.org.zone";
>     masters { spamhaus; };
>     allow-transfer { spamhaus; };
>     request-ixfr yes;
>     ixfr-from-differences yes;
>     notify no;
> };
note that ixfr-from-differences and allow-transfer pertain to your
treatment of requestors who IXFR the zone from you, and will have no
effect on how you transfer the zone from others.
> I run bind in split-view. Recursion is OFF by default, and for
> 'external' view. It's ON for 'internal' view.
>
> I've read what I can find about RPZ but haven't wrapped my head around
> what's exactly happening completely yet, and I'm confused WHERE exactly
> that ^^^ config goes: in GLOBAL options? in BOTH views' options? or
> just one or the other?
>
> Where does that config go?
as cricket said, the rpz configuration elements belong in your recursive
view.
paul
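A complete split-view named.conf laid out the way the answer above describes, with response-policy and every zone it names inside the recursive view only. This is an added example, not configuration from the original thread; the network ranges, the feed address 192.0.2.10 and the example.net zone are constructed placeholders.

```conf
// Constructed example: documentation-range addresses; replace with your own networks/feed.
acl internal-nets { 10.0.0.0/8; 192.168.0.0/16; localhost; };
masters rpz-feed { 192.0.2.10; };   // placeholder for the RPZ feed provider's primary

options {
    directory "/dns";
    recursion no;                   // global default: closed resolver
};

// Recursive view for inside clients: RPZ goes here, together with the zones it names.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;
    response-policy {
        zone "rpz.whitelist.local" policy passthru;  // listed first, so it takes precedence
        zone "rpz.local";
        zone "rpz.spamhaus.org";
    };
    zone "rpz.whitelist.local" IN {
        type master;
        file "/dns/master/rpz.whitelist.local.zone";
        allow-transfer { none; };
    };
    zone "rpz.local" IN {
        type master;
        file "/dns/master/rpz.local.zone";
        allow-transfer { none; };
    };
    zone "rpz.spamhaus.org" IN {
        type slave;
        file "/dns/slave/rpz.spamhaus.org.zone";
        masters { rpz-feed; };
        request-ixfr yes;           // pull incremental updates from the feed
        allow-transfer { none; };   // do not re-serve the feed unless its terms allow it
        notify no;
    };
};

// Authoritative-only view for the Internet: no recursion, so no response-policy here.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.net" IN {         // constructed placeholder for your public zones
        type master;
        file "/dns/master/example.net.zone";
    };
};
```

Run named-checkconf on the result before reloading; each zone named in a response-policy statement must be defined in that same view.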