[DNSfirewalls] help

Fred Morris m3047 at m3047.net
Tue Sep 10 17:40:22 UTC 2013


Hi, I find your question ambiguous.

On Tue, 10 Sep 2013, Khadijeh Shahsavand wrote:
> Hi, I want to block a URL with rpz of bind so that we type dig @127.0.0.1
> my url 

Just to be clear here, RPZs will block a hostname or wildcarded domain, so
that's all URLs on a host:

  http://blocked.example.com/foo.html
  http://blocked.example.com/bad-guys.cgi?login=yes

etc.

> in terminal of linux no answer!!!

This has a variety of meanings:

** YOU WANT THE RESPONSE TO BE NXDOMAIN **

Create a resource record:

  blocked.example.com. IN CNAME .

This will generate a response with status NXDOMAIN.

** YOU WANT THE RESPONSE TO BE NO ANSWER **

Assuming that, in most cases, the request will be for an A record, create a
resource record:

  blocked.example.com. IN TXT "No A record available."

This will generate a response with NOERROR/ANSWER:0 for A record queries.

** YOU ARE NOT GETTING A RESPONSE WHEN YOU DIG @127.0.0.1
BLOCKED.EXAMPLE.COM **

Getting *no* response packet (timeout) is not correct behavior when an RPZ
is configured.

Make sure your RPZ is correctly configured. Check the BIND logs.

Make sure BIND is running on the local host.

Make sure BIND is listening on the loopback interface on the local host.

Make sure that BIND is configured to allow queries from localhost.

Make sure that any local firewall isn't blocking traffic to/from port 53
on localhost.

Launch named with -d2 and check the logs again. ;-)
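Added example, not from Fred's mail: a small POSIX shell helper that reads the text output of `dig @127.0.0.1 blocked.example.com A` and reports which of the situations above you are in (the NXDOMAIN from the `CNAME .` rule, the NOERROR/ANSWER:0 from the TXT rule, a normal answer, or no response at all, which is the case where the checklist above applies rather than the RPZ). The dig outputs embedded in the script are constructed samples, not captured from a real server; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not part of the original mail: classify what
# `dig @127.0.0.1 blocked.example.com A` printed, so the situations the
# mail distinguishes can be told apart at a glance. The dig outputs
# below are constructed samples, not captured from a real server.

# Read dig's text output on stdin and print one word:
#   NXDOMAIN  - the RPZ "CNAME ." rule fired (status NXDOMAIN)
#   NODATA    - NOERROR with ANSWER: 0, e.g. the TXT rule answering an A query
#   ANSWERED  - NOERROR with at least one answer record (nothing was blocked)
#   TIMEOUT   - no response packet at all, which an RPZ never produces by itself
#   UNKNOWN   - the output did not contain a dig header line
classify_dig() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'no servers could be reached'; then
        echo TIMEOUT
        return 0
    fi
    # Header line looks like: ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # Flags line looks like: ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1"
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case "$status" in
        NXDOMAIN) echo NXDOMAIN ;;
        NOERROR)
            if [ "${answers:-0}" -eq 0 ]; then echo NODATA; else echo ANSWERED; fi ;;
        '') echo UNKNOWN ;;
        *) echo "$status" ;;
    esac
}

# Constructed sample 1: what the "blocked.example.com. IN CNAME ." rule yields.
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;blocked.example.com.		IN	A'

# Constructed sample 2: what the TXT-only rule yields for an A query.
SAMPLE_NODATA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;blocked.example.com.		IN	A'

# Constructed sample 3: a normal, unblocked answer (192.0.2.10 is a documentation address).
SAMPLE_ANSWERED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
blocked.example.com.	300	IN	A	192.0.2.10'

# Constructed sample 4: no response packet, which points at named, its
# listeners or a local firewall rather than at the RPZ itself.
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Show the verdict for each sample.
for s in NXDOMAIN NODATA ANSWERED TIMEOUT; do
    eval "sample=\$SAMPLE_$s"
    printf '%-9s -> %s\n' "$s" "$(printf '%s\n' "$sample" | classify_dig)"
done
```

In practice you would pipe real output into it, e.g. `dig @127.0.0.1 blocked.example.com A | classify_dig`; a TIMEOUT verdict means the RPZ was never consulted and the named/listener/firewall checks above are the place to look.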

--

Fred Morris
