Reponse zones in BIND (RPZ/Blocking unwanted traffic).
A while ago, my dear colleague Mattijs came with an interesting option in BIND. Response zones. One can create custom “zones” and enforce a policy on that.
I never worked with it before, so I had no clue at all what to expect from it. Mattijs told me how to configure it (see below for an example) and offered to slave his RPZ policy-domains.
All of a sudden I was no longer getting a lot of ADS/SPAM and other things. It was filtered. Wow!
His RPZ zones were custom made and based on PiHole, where PiHole adds hosts to the local “hosts” file and sends it to 127.0.0.1 (your local machine), which prevents it to reach the actual server at all, RPZ policies are much stronger and more dynamic.
RPZ policies offer the use of “redirecting” queries. What do I mean with that? well you can force a ADVERTISEMENT (AD for short) site / domain to the RPZ policy and return a NXDOMAIN. It no longer exists for the end-user. But you can also CNAME it to a domain/host you own and then add a webserver to that host and tell the user query’ing the page: “The site you are trying to reach had been pro-actively blocked by the DNS software. This is an automated action and an automated response. If you feel that this is not appropriate, please let us know on ”, or something like that.
Once I noticed that and saw the value, I immediately saw the benefit for companies and most likely schools and home people. Mattijs had a busy time at work and I was recovering from health issues, so I had “plenty” of time to investigate and read on this. The RPZ policies where not updated a lot and caused some problems for my ereaders for example (msftcncsi.com was used by them, see another post on this website for being grumpy about that). And I wanted to learn more about it. So what did I do?
Yes, I wrote my own parser. In perl. I wrote a “rpz-generator” (its actually called like that). I added the sources Mattijs used and generated my own files. They are rather huge, since I blocked ads, malware, fraud, exploits, windows stuff and various other things (gambling, fakenews, and stuff like that).
I also included some whitelists, because msfctinc was added to the lists and it made my ereaders go beserk, and we play a few games here and there which uses some advertisement sites, so we wanted to exempt them as well. It’s better to know which ones they are and selectively allow them, then having traffic to every data collector out there.
This works rather well. I do not get a lot of complaints that things are not working. I do see a lot of queries going to “banned” sites everyday. So it is doing something .The most obvious one is that search results on google, not always are clickable. The ones that have those [ADV] sites, are blocked because they are advertising google sponsored sites, and they are on the list.. and google-analytics etc. It doesn’t cause much harm to our internet surfing or use experience, with the exception of the ADV sites I just mentioned. My wife sometimes wants to click on those because she searches for something that happends to be on that list, but apart from that we are doing just fine.
One thing though, I wrote my setup and this article with my setup using “NXDOMAIN” which just gives back “site does not exist” messages. I want to make my script more smart by making it a selectable, so that some categories are CNAMED to a filtering domain and webpage, and some are NXDOMAIN’ed. If someone has experience with that, please show me some idea’s and how that looks like and whether your end-users can do something with it or not. I think schools will be happy to present a block-page instead of NXdomain’ing some sites 🙂
Acknowledgements: Mattijs for teaching and showing me RPZ, ISC for placing RPZ in NAMED, and zytrax.com for having such excellent documentation to RPZ. The perl developers for having such a great tool around, and the various sites I use to get the blocklists from. Thank you all!
If you want to know more about the tool, please contact me and we can share whatever information is available 🙂