Introduction
This procedure is concerned with configuring BIND to lie to clients about the IP addresses of externally-managed names.
There are several scenarios where this might be useful:
- block local users from accessing certain websites
- allow local users to access a local service that is offered to the internet using the same name that external users use
That last one is particularly useful for web services with SSL certificates, since the certificate is issued for the public name and local clients then connect using that same name.
Procedure
- If you have not already done so, then complete configuring DNS services (revision 4.1).
- Edit /etc/bind/named.conf.options and set:
    options {
        ...
        response-policy {
            zone "rpz-local";
            zone "rpz-remote";
        } qname-wait-recurse no;
    };
  (Without "qname-wait-recurse no", RPZ will not work if the internet connection goes down. See here for more details.)
- Run dns-edit-zones to populate rpz-local with something like:
    ; redirect externally-valid names to internal IPs
    www.pasta.freemyip.com   IN CNAME www.pasta.net.
    jira.pasta.freemyip.com  IN CNAME www.pasta.net.
    svn.pasta.freemyip.com   IN CNAME www.pasta.net.
    repo.pasta.freemyip.com  IN CNAME www.pasta.net.
    ...
  and to populate rpz-remote with something like:
    ; blacklist
    google-analytics.com     IN CNAME .
    *.google-analytics.com   IN CNAME .
    rdata.io                 IN CNAME .
    *.rdata.io               IN CNAME .
    udp.dog                  IN CNAME .
    *.udp.dog                IN CNAME .
    ...
- You might want to set up a cronjob to update the second file using a DNS blacklist such as this one.
- Test by running:
    host <some-nasty-host> localhost
    host <some-public-name-for-a-local-host> localhost
- Also test without an internet connection (or by removing the default route).
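For the cronjob step above, a converter that turns a downloaded blacklist (hosts-file style "0.0.0.0 host" lines or bare domains) into the rpz-remote records shown earlier. This is an added example, not part of the original page or of dns-edit-zones; it assumes the zone apex (SOA/NS) is handled by dns-edit-zones, and the sample list is constructed.

```python
"""Build BIND RPZ NXDOMAIN records ('CNAME .') from a hosts-style or plain-domain blocklist."""
import re

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # one hostname label
_SINKS = {"0.0.0.0", "127.0.0.1", "::", "::1"}         # hosts-format sink addresses
# Hosts-format lists carry these loopback names; blocking them would break every client.
SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost",
        "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# Constructed sample mixing both list formats, comments, duplicates and junk.
SAMPLE_LIST = """\
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 google-analytics.com www.google-analytics.com  # two names per line
0.0.0.0 Rdata.IO.
udp.dog
bad_name.example  # underscore is not valid in a hostname
udp.dog
"""

def valid_hostname(name: str) -> bool:
    """Valid hostname: at least two labels, non-numeric TLD (rejects bare IPs)."""
    labels = name.split(".")
    return (len(name) <= 253 and len(labels) >= 2 and not labels[-1].isdigit()
            and all(_LABEL.match(label) for label in labels))

def parse_blocklist(text: str) -> list[str]:
    """Unique hostnames in first-seen order from '<sink> host...' or bare 'host' lines."""
    seen: set[str] = set()
    names: list[str] = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comment, tokenize
        if not fields:
            continue
        hosts = fields[1:] if fields[0] in _SINKS else fields[:1]
        for host in hosts:
            host = host.lower().rstrip(".")
            if host in SKIP or host in seen or not valid_hostname(host):
                continue
            seen.add(host)
            names.append(host)
    return names

def rpz_records(names: list[str]) -> list[str]:
    """Exact name plus a wildcard for its subdomains, both with the NXDOMAIN action."""
    return [rec for n in sorted(names) for rec in (f"{n} IN CNAME .", f"*.{n} IN CNAME .")]
```

Write the output of rpz_records(parse_blocklist(...)) into rpz-remote and reload the zone; the wildcard line makes a separate entry for www.google-analytics.com redundant but harmless.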