Install Bind9 Server Recursion & RPZ Ubuntu 20.04
Install BIND9
First, update the package list and install BIND9.
sudo apt update
sudo apt install bind9
BIND9 configuration
cd /etc/bind/
The main configuration file is named.conf.options
sudo nano named.conf.options
/* Address match list for the local network; referenced by allow-query
   and allow-recursion below. */
acl LAN {
    192.168.1.0/24;
};
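options {
    dnssec-validation auto;
    listen-on-v6 { any; };
    directory "/var/cache/bind"; // default directory
    max-cache-size 10m;
    // allow queries from localhost and 192.168.1.0-192.168.1.255;
    // everything else is refused
    allow-query { localhost; LAN; };
    forwarders {
        1.1.1.1;
        1.0.0.1;
    }; // use CloudFlare 1.1.1.1 DNS as a forwarder
    recursion yes; // allow recursive queries
    auth-nxdomain no; // conform to RFC1035
    // Setting allow-recursion explicitly replaces its built-in default
    // (localnets; localhost), so localhost has to be listed here too or the
    // server itself cannot resolve anything through the forwarders.
    allow-recursion { localhost; LAN; };
};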
Create RPZ (Response Policy Zones)
Create the RPZ zone database file.
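# /etc/bind is not writable by an ordinary user, so the copy needs sudo
# like the other commands in this guide
sudo cp db.local db.blocked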
sudo nano db.blocked
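;
; RPZ policy zone "blocked" (loaded through response-policy in
; named.conf.options). Each name listed at the bottom is answered from
; this file instead of being resolved upstream.
;
$TTL 604800
@ IN SOA blocked.local. root.blocked.local. (
2309111627 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS blocked.local.
; target that every blocked name is redirected to (the CNAME @ below)
@ IN A 192.168.1.222
; One entry per blocked domain; replace xxx.xxx with the real name.
; Only ';' starts a comment in a zone file - '#' is parsed as extra
; record data and makes the zone fail to load.
xxx.xxx IN CNAME @ ; blocked domain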
Register the database file as a zone.
sudo nano named.conf.local
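zone "blocked" {
    type master;
    file "/etc/bind/db.blocked";
    // zone-level allow-query takes precedence over the LAN-only
    // allow-query in options, so this zone is answerable from anywhere
    allow-query { any; };
    allow-update { none; };
    // allow-transfer defaults to "any" on BIND 9.16 (Ubuntu 20.04);
    // nobody needs an AXFR of the block list, so refuse it explicitly
    allow-transfer { none; };
};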
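// === https://github.com/andrizan/partial-output ===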
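zone "trust-aa" {
    type master;
    file "/etc/bind/db.trust-aa";
    allow-query { any; }; // overrides the LAN-only allow-query in options
    allow-update { none; };
    // allow-transfer defaults to "any" on BIND 9.16; refuse zone transfers
    allow-transfer { none; };
};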
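zone "trust-ab" {
    type master;
    file "/etc/bind/db.trust-ab";
    allow-query { any; }; // overrides the LAN-only allow-query in options
    allow-update { none; };
    // allow-transfer defaults to "any" on BIND 9.16; refuse zone transfers
    allow-transfer { none; };
};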
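zone "adultaa" {
    type master;
    file "/etc/bind/db.adultaa";
    allow-query { any; }; // overrides the LAN-only allow-query in options
    allow-update { none; };
    // allow-transfer defaults to "any" on BIND 9.16; refuse zone transfers
    allow-transfer { none; };
};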
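zone "adultab" {
    type master;
    file "/etc/bind/db.adultab";
    allow-query { any; }; // overrides the LAN-only allow-query in options
    allow-update { none; };
    // allow-transfer defaults to "any" on BIND 9.16; refuse zone transfers
    allow-transfer { none; };
};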
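zone "adultac" {
    type master;
    file "/etc/bind/db.adultac";
    allow-query { any; }; // overrides the LAN-only allow-query in options
    allow-update { none; };
    // allow-transfer defaults to "any" on BIND 9.16; refuse zone transfers
    allow-transfer { none; };
};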
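zone "adultad" {
    type master;
    file "/etc/bind/db.adultad";
    allow-query { any; }; // overrides the LAN-only allow-query in options
    allow-update { none; };
    // allow-transfer defaults to "any" on BIND 9.16; refuse zone transfers
    allow-transfer { none; };
};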
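zone "adultae" {
    type master;
    file "/etc/bind/db.adultae";
    allow-query { any; }; // overrides the LAN-only allow-query in options
    allow-update { none; };
    // allow-transfer defaults to "any" on BIND 9.16; refuse zone transfers
    allow-transfer { none; };
};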
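zone "adultaf" {
    type master;
    file "/etc/bind/db.adultaf";
    allow-query { any; }; // overrides the LAN-only allow-query in options
    allow-update { none; };
    // allow-transfer defaults to "any" on BIND 9.16; refuse zone transfers
    allow-transfer { none; };
};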
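zone "adultag" {
    type master;
    file "/etc/bind/db.adultag";
    allow-query { any; }; // overrides the LAN-only allow-query in options
    allow-update { none; };
    // allow-transfer defaults to "any" on BIND 9.16; refuse zone transfers
    allow-transfer { none; };
};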
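// Loaded as a zone, but only enforced once it is also listed in the
// response-policy statement of named.conf.options.
zone "malware" {
    type master;
    file "/etc/bind/db.malware";
    allow-query { any; }; // overrides the LAN-only allow-query in options
    allow-update { none; };
    // allow-transfer defaults to "any" on BIND 9.16; refuse zone transfers
    allow-transfer { none; };
};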
Register the zones in the response-policy statement.
sudo nano named.conf.options
/* Address match list for the local network; used by allow-query and
   allow-recursion in the options block. */
acl LAN {
    192.168.1.0/24;
};
# accept connections from any address (disabled)
# acl all {
# 0.0.0.0/0;
# };
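options {
    dnssec-validation auto;
    listen-on-v6 { any; };
    directory "/var/cache/bind"; // default directory
    max-cache-size 10m;
    // NOTE(review): cleaning-interval is documented as having no effect on
    // current BIND 9 releases - confirm against the installed version
    cleaning-interval 480; // clean cache every 8 hours
    // allow queries from localhost and 192.168.1.0-192.168.1.255
    allow-query { localhost; LAN; };
    // Policy zones are consulted in the order listed, so earlier zones win
    // on conflicting rules; presumably that is why trust-* come before the
    // adult* zones - verify the intended precedence of "blocked".
    response-policy {
        zone "blocked";
        zone "trust-aa";
        zone "trust-ab";
        zone "adultaa";
        zone "adultab";
        zone "adultac";
        zone "adultad";
        zone "adultae";
        zone "adultaf";
        zone "adultag";
        // zone "malware"; // declared in named.conf.local but not enforced
    }
        recursive-only no      // also rewrite answers to non-recursive queries
        max-policy-ttl 60      // rewritten answers are cached at most 60s
        break-dnssec no        // NOTE(review): with dnssec-validation auto, a
                               // signed name asked for with the DO bit set is
                               // not rewritten and so resolves normally - confirm
        qname-wait-recurse no; // apply QNAME rules without waiting for recursion
    // disable 'check-names'
    //check-names master ignore;
    //check-names slave ignore;
    //check-names response ignore;
    forwarders {
        1.1.1.1;
        1.0.0.1;
    }; // use CloudFlare 1.1.1.1 DNS as a forwarder
    recursion yes; // allow recursive queries
    auth-nxdomain no; // conform to RFC1035
    // Setting allow-recursion explicitly replaces its built-in default
    // (localnets; localhost), so localhost has to be listed here too or the
    // server itself cannot resolve anything through the forwarders.
    allow-recursion { localhost; LAN; };
};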
Docker
https://www.youtube.com/watch?v=syzwLwE3Xq4