RPZ Configuration DNS RPZ Configuration Lecturer: Ron Aitchison


2 RPZ Configuration Objectives
- Triggering RPZ functionality
- RPZ zone files
- RPZ Policy Triggers
- RPZ Policy Actions
- Log streaming
- Practical examples

3 RPZ Overview
- Resolver enhancement
- Functionality is triggered by the response-policy statement in the BIND configuration (named.conf), either in the global options or within a view clause
- Selective Policy Triggers and Policy Actions are defined in 'standard' zone files
- RPZ zone files are defined in zone clauses within the BIND configuration (named.conf)
- Logging and response-policy serve as diagnostic aids
Copyright Zytrax, Inc. All rights reserved.

4 RPZ Zone File Example
$TTL 2h
$ORIGIN domain.example.com.
@  SOA nsd.example.net. hostmaster.example.com. ( 1 12h 15m 3w 2h )
   NS  nsd.example.net.  ; out-of-zone, no A/AAAA RR required
; begin RPZ RR definitions
; QNAME Policy Trigger, Local-Data Policy Action
; sends to a local website
; kills whole domain
example.org    CNAME explanation.example.com.
*.example.org  CNAME explanation.example.com.
; IP Policy Trigger, DROP Policy Action
; any answer containing IP range ( /24)
rpz-ip  CNAME rpz-drop.

5 RPZ and rndc
rndc is the remote management tool for BIND.
- rndc addzone zone [class [view]] config  (enabled by the allow-new-zones yes; statement)
- rndc delzone [-clean] zone [class [view]]
- rndc modzone zone [class [view]] config
- rndc reconfig  (reloads named.conf and adds new zones, but does not reload existing zones)
- rndc reload zone [class [view]]
- rndc reload  (reloads named.conf and all zones)
- rndc refresh zone [class [view]]  (DNSSEC command)

6 RPZ Statements
- response-policy statement
- in-view statement

7 in-view Statement
in-view viewname
- zone clause only
- Allows a single instance of a zone file to be shared by multiple views
- The shared zone must be defined first (backward reference only)
- BIND 9.11 (latest) indicates that it cannot be used as an RPZ zone

8 RPZ response-policy Statement
- Global or view-based statement
- Triggers RPZ functionality
- Essentially diagnostic

9 RPZ response-policy Statement
response-policy {
    zone zone-name
        [ policy (given|disabled|passthru|drop|nxdomain|nodata|tcp-only|cname domain-name) ]
        [ recursive-only yes_or_no ]
        [ max-policy-ttl number ]
        [ log yes_or_no ] ;
    ...
}
    [ max-policy-ttl seconds ]
    [ break-dnssec yes_or_no ]
    [ min-ns-dots number ]
    [ qname-wait-recurse yes_or_no ]
    [ nsip-wait-recurse yes_or_no ] ;

# example
response-policy { zone "dontlike" ; zone "likeless" policy disabled; } recursive-only yes;

10 RPZ response-policy Statement
zone – up to 32 zones are supported. Some parameters may be applied to a zone (within the zone braces) or globally (outside the zone braces). The zone name must be a quoted string.
policy – only allowed in a zone definition (not global):
- given – (default) use the policy defined in the zone file
- disabled – disable, but log (to the rpz category), all policy actions
- passthru, nxdomain, tcp-only, drop, nodata, cname name – override all Policy Actions in the zone file(s) with the defined action
log yes|no – selectively turns on RPZ logging for the zone (yes is the default)

11 RPZ response-policy Statement
recursive-only yes|no – yes: apply to recursive queries (from clients); no: apply to all queries (iterative and recursive)
max-policy-ttl seconds – by default RPZ responses are cached for 5 seconds. The statement can be used to increase this to any defined value. Excessive values can slow the propagation of RPZ zone file changes.
break-dnssec yes|no – yes: apply RPZ to DNSSEC (signed) zones; no: (default) do not apply RPZ to signed zones

12 RPZ response-policy Statement
min-ns-dots number – defines the minimum number of dots in the qname before RPZ is invoked (default is 1). example.com and mail.example.com will invoke RPZ by default, but com will not (min-ns-dots 0).
qname-wait-recurse yes|no – can only appear in the global section (not zone specific), and only applies to QNAME Policy Triggers. yes: (default) wait for the query response, then apply the Policy Action; no: apply the change when the query is received (suppresses the query).

13 RPZ response-policy Statement
nsip-wait-recurse yes|no – can only appear in the global section (not zone specific). yes: (default) wait for the name server query response, then apply the Policy Action; no: if the NS details are in the cache the Policy Action will be invoked. If they are not in the cache the Policy Action will be ignored, but the NS lookup will continue and be available for subsequent Triggers.

14 RPZ Zone Files

15 RRs – Generic Format
name ttl class type parameters
www IN A
- name (owner-name) or label identifies the record externally, for instance, www
- ttl (Time-to-Live) defines how long, in seconds, the RR may be cached
- class = IN = Internet
- type of RR, for example, MX
- One or more type-specific parameters
- TTL and class can be omitted
- In an RPZ zone: name = RPZ Policy Trigger; type and parameters = Policy Action

All RRs have the same generic format, which we need to understand thoroughly before moving to the specific RR types.

name - The leftmost field is the name that will be associated with this record. In DNS jargon any name that appears between dots is generically called a label. We tend to use the term owner-name to differentiate it from names which can also appear in the parameter field. As always, terminology can be a source of confusion. This field may take some unique values or may be left blank, and will be explored in detail in a later slide.

ttl - defines the amount of time that a resolver (of whatever type, stub or full-service) may store the RR in its cache. As our understanding of DNS grows we will see that this is a very significant field which can have all kinds of unexpected effects.

class - defines the class to which this RR applies. IN (or in - it is case insensitive) indicates this RR applies to Internet RRs. There are two other classes that you are unlikely to come across, since both relate to MIT-specific systems: CH for CHAOS (an MIT LAN protocol) and HS for HESIOD (an MIT information service).

type - identifies the RR type, such as MX or NS or TXT.

parameters - are always type-specific and vary enormously in number and size.

Both, or either, the ttl or class may be omitted from any RR definition. In the case of ttl, only if the zone file directive $TTL is present. In the case of class, IN (or in) is assumed.

16 RPZ Policy Triggers
- QNAME (Question Name) – the name being queried; needs both the base (example.com) and the wildcard (*.example.com) to remove a whole domain
- CLIENT-IP – source IP that initiated the query
- IP – an IP that appears in the query answer/response
- NSDNAME – a name server that appears in the Authority section during delegation/referral
- NSIP – a name server IP address that appears in the Additional section during delegation/referral

17 RPZ Policy Actions
- NXDOMAIN – name does not exist (page cannot be displayed in the browser)
- NODATA – name exists but has no data (browser error)
- PASSTHRU – normal response (exception/whitelist)
- TCP-Only – forces use of TCP (slows the response)
- DROP – inhibits the response (timeout 3 – 5 seconds x retries)
- Local-Data – any valid RR data (typically a CNAME to an explanation site, or the A/AAAA of an explanation site)

18 RPZ Policy Trigger - qname
; QNAME Trigger, Local-Data Action
; sends to a local website
; kills whole domain
example.org    CNAME explanation.example.com.
*.example.org  CNAME explanation.example.com.
; OR
; where is a dedicated (non-shared) website
example.org    A
*.example.org  A

19 RPZ Client-IP Policy Trigger
; CLIENT-IP Trigger, Local-Data Action
; kills all DNS activity from single client
rpz-client-ip  CNAME explanation.example.com.
; kills all DNS activity from clients –
rpz-client-ip  CNAME explanation.example.com.

20 RPZ IP Policy Trigger
; IP Trigger, Local-Data Action
; any answer containing IP range –
rpz-ip  CNAME explanation.example.com.

21 RPZ NSDNAME Policy Trigger
; NSDNAME Trigger, Local-Data Action
; send to a specific website
ns1.example.org.rpz-nsdname  CNAME explanation.example.com.
; this will kill any name servers from example.org
example.org.rpz-nsdname      CNAME explanation.example.com.
*.example.org.rpz-nsdname    CNAME explanation.example.com.

22 RPZ NS-IP Policy Trigger
; NS-IP Trigger, Local-Data Action
; triggers if IP address appears in Additional section
; send to a specific website
rpz-nsip  CNAME explanation.example.com.

23 RPZ NXDOMAIN Policy Action
; QNAME Trigger, NXDOMAIN Action
; kills whole domain
example.org    CNAME .
*.example.org  CNAME .

24 RPZ NODATA Policy Action
; QNAME Trigger, NODATA Action
; kills whole domain
example.org    CNAME *.
*.example.org  CNAME *.

25 RPZ PASSTHRU Policy Action
; QNAME Trigger, PASSTHRU Action
; typically only used for bypass/whitelist of a single name,
; but could be used to bypass/whitelist a whole domain if an IP trigger is used
mail.example.org  CNAME rpz-passthru.

26 RPZ TCP-only Policy Action
; QNAME Trigger, TCP-Only Action
; slows up whole domain
example.org    CNAME rpz-tcp-only.
*.example.org  CNAME rpz-tcp-only.

27 RPZ DROP Policy Action
; QNAME Trigger, DROP Action
; kills whole domain (no response is sent; the client times out)
example.org    CNAME rpz-drop.
*.example.org  CNAME rpz-drop.

28 RPZ Local-Data Policy Action
; QNAME Trigger, Local-Data Action
; sends to a local website
; kills whole domain
example.org    CNAME explanation.example.com.
*.example.org  CNAME explanation.example.com.
; OR
; where is a dedicated (non-shared) website
example.org    A
*.example.org  A

29 RPZ Zone File Example
; RPZ test zone
$TTL 1h
$ORIGIN rpz.example.com.
@  SOA localhost. hostmaster 1 1h 15m 30d 2h
   NS  localhost.
; QNAME tests
; rpz NXDOMAIN Policy Action
test  CNAME .
; rpz NODATA Policy Action
test  CNAME *.
; rpz passthru Policy Action
test  CNAME rpz-passthru.
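Added example, not part of the lecture slides: a small Python generator that turns a policy list into the RPZ records slides 16 to 29 describe, including the rpz-ip style owner-name encoding (prefix length followed by the reversed IPv4 octets) that the IP-trigger slides leave out. The zone origin, names and addresses are constructed.

```python
"""Build RPZ zone records from a policy list (added example, not from the lecture).
IPv4 rpz-ip style owner names use the documented <prefixlen>.<B4>.<B3>.<B2>.<B1>.<trigger>
form (octets reversed). All names and addresses below are constructed."""
import ipaddress

# Policy Action -> RDATA that BIND interprets as that action.
ACTIONS = {"NXDOMAIN": "CNAME .", "NODATA": "CNAME *.", "PASSTHRU": "CNAME rpz-passthru.",
           "DROP": "CNAME rpz-drop.", "TCP-ONLY": "CNAME rpz-tcp-only."}

def action_rdata(action, local_data=None):
    """Local-Data is any ordinary RR, e.g. 'CNAME explanation.example.com.'."""
    if action == "LOCAL-DATA":
        if not local_data: raise ValueError("LOCAL-DATA needs RR data")
        return local_data
    return ACTIONS[action]

def ip_trigger_owner(cidr, trigger="rpz-ip"):
    """Owner name for an rpz-ip, rpz-client-ip or rpz-nsip trigger (IPv4 only here)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only in this example")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + f".{trigger}"

def qname_records(name, action, local_data=None, whole_domain=True):
    """QNAME trigger: the base name and the wildcard are both needed to cover a domain."""
    rdata = action_rdata(action, local_data)
    owners = [name, f"*.{name}"] if whole_domain else [name]
    return [f"{o} {rdata}" for o in owners]

def build_zone(origin, policies):
    """policies: (kind, target, action, local_data); kind is 'domain', 'name' or an IP trigger label."""
    lines = ["$TTL 1h", f"$ORIGIN {origin}",
             "@ SOA localhost. hostmaster.localhost. (1 1h 15m 30d 2h)", "  NS localhost."]
    for kind, target, action, data in policies:
        if kind in ("domain", "name"):
            lines += qname_records(target, action, data, kind == "domain")
        else:  # rpz-ip, rpz-client-ip or rpz-nsip
            lines.append(f"{ip_trigger_owner(target, kind)} {action_rdata(action, data)}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_zone("rpz.example.com.", [
        ("domain", "example.org", "NXDOMAIN", None),
        ("name", "mail.example.org", "PASSTHRU", None),   # whitelist a single name
        ("rpz-ip", "192.0.2.0/24", "DROP", None),
        ("rpz-client-ip", "10.1.2.3/32", "LOCAL-DATA", "CNAME explanation.example.com."),
    ]))
```

The generated text can be checked with named-checkzone before it is loaded, and the exact-name PASSTHRU record takes precedence over the wildcard because RPZ matches the most specific owner name.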

30 RPZ Log Example
client #59607 ( rpz QNAME PASSTHRU rewrite via
client #59608 ( rpz QNAME Local-Data rewrite via
client #59609 ( rpz QNAME TCP-ONLY rewrite via
client #53664 ( rpz QNAME DROP rewrite via
client #53665 ( rpz QNAME NODATA rewrite via
client #53666 ( rpz QNAME NXDOMAIN rewrite via
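Added example, not from the lecture: a parser for rewrite log lines of the shape shown above, run over constructed sample lines (not captured from a real resolver). It counts blocking rewrites per trigger/action pair and per client, and reports PASSTHRU (whitelist) hits separately so they are not mistaken for blocks.

```python
"""Summarise BIND RPZ rewrite log lines (added example, not from the lecture).
Line shape follows the slide's log example:
  client <ip>#<port> (<qname>): rpz <TRIGGER> <ACTION> rewrite <qname> via <policy-owner>
The sample lines below are constructed, not captured from a real resolver."""
import re
from collections import Counter

RPZ_LINE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<query>[^)]+)\): "
    r"rpz (?P<trigger>[A-Z-]+) (?P<action>[A-Za-z-]+) rewrite (?P<name>\S+) "
    r"via (?P<policy>\S+)"
)

SAMPLE_LOG = """\
client 192.0.2.10#59607 (mail.example.org): rpz QNAME PASSTHRU rewrite mail.example.org via mail.example.org.rpz.example.com
client 192.0.2.10#59608 (www.example.org): rpz QNAME Local-Data rewrite www.example.org via www.example.org.rpz.example.com
client 192.0.2.11#53664 (bad.example.org): rpz QNAME DROP rewrite bad.example.org via bad.example.org.rpz.example.com
client 192.0.2.11#53666 (bad.example.org): rpz QNAME NXDOMAIN rewrite bad.example.org via bad.example.org.rpz.example.com
client 192.0.2.12#40001 (cdn.example.net): rpz IP DROP rewrite cdn.example.net via 24.0.2.0.192.rpz-ip.rpz.example.com
named[1234]: zone rpz.example.com/IN: loaded serial 1
"""

def parse_rpz_line(line):
    """Return the fields of an RPZ rewrite line as a dict, or None for any other log line."""
    m = RPZ_LINE.search(line)
    return m.groupdict() if m else None

def summarise(log_text):
    """Count rewrites per (trigger, action) and per client.
    PASSTHRU is a whitelist hit rather than a block, so it is counted separately."""
    blocks, per_client, passthru = Counter(), Counter(), 0
    for line in log_text.splitlines():
        hit = parse_rpz_line(line)
        if hit is None:
            continue
        if hit["action"].upper() == "PASSTHRU":
            passthru += 1
            continue
        blocks[(hit["trigger"], hit["action"].upper())] += 1
        per_client[hit["client"]] += 1
    return {"blocks": dict(blocks), "per_client": dict(per_client), "passthru": passthru}

if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(key, value)
```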

31 DNS RPZ Intro
RPZ Exercise
Lecturer: Ron Aitchison
