Install Bind9 Server Recursion & RPZ Ubuntu 20.04

·

3 min read

Install BIND9

The first thing you need to do is to update the package list and to install BIND9.

sudo apt update 
sudo apt install bind9

BIND9 configuration

cd /etc/bind/

The main configuration file is named.conf.options

sudo nano named.conf.options
acl LAN {
        192.168.1.0/24;
};

options {
        dnssec-validation auto;

        listen-on-v6 { any; };

        directory "/var/cache/bind"; // default directory
        max-cache-size 10m;
        allow-query { localhost; LAN;}; // allow queries from localhost and 192.168.1.0-192.168.1.255

        forwarders {
                1.1.1.1;
                1.0.0.1;
        }; // use CloudFlare 1.1.1.1 DNS as a forwarder

        recursion yes;  // allow recursive queries
        auth-nxdomain no;    # conform to RFC1035
        allow-recursion {
                LAN;
        };
};

Create RPZ (Response Policy Zones)

create rpz database.

cp db.local db.blocked
sudo nano db.blocked
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     blocked.local. root.blocked.local. (
                         2309111627     ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      blocked.local.
@       IN      A       192.168.1.222
xxx.xxx IN    CNAME     @ # blocked domain

register database to zone

sudo nano named.conf.local
zone "blocked" {
    type master;
    file "/etc/bind/db.blocked";
    allow-query {any;};
    allow-update {none;};
};

; === https://github.com/andrizan/partial-output ===
zone "trust-aa" {
    type master;
    file "/etc/bind/db.trust-aa";
    allow-query {any;};
    allow-update {none;};
};

zone "trust-ab" {
    type master;
    file "/etc/bind/db.trust-ab";
    allow-query {any;};
    allow-update {none;};
};

zone "adultaa" {
    type master;
    file "/etc/bind/db.adultaa";
    allow-query {any;};
    allow-update {none;};
};

zone "adultab" {
    type master;
    file "/etc/bind/db.adultab";
    allow-query {any;};
    allow-update {none;};
};

zone "adultac" {
    type master;
    file "/etc/bind/db.adultac";
    allow-query {any;};
    allow-update {none;};
};

zone "adultad" {
    type master;
    file "/etc/bind/db.adultad";
    allow-query {any;};
    allow-update {none;};
};

zone "adultae" {
    type master;
    file "/etc/bind/db.adultae";
    allow-query {any;};
    allow-update {none;};
};
zone "adultaf" {
    type master;
    file "/etc/bind/db.adultaf";
    allow-query {any;};
    allow-update {none;};
};

zone "adultag" {
    type master;
    file "/etc/bind/db.adultag";
    allow-query {any;};
    allow-update {none;};
};

zone "malware" {
    type master;
    file "/etc/bind/db.malware";
    allow-query {any;};
    allow-update {none;};
};

Register the zone to the response policy.

sudo nano named.conf.options
acl LAN {
        192.168.1.0/24;
};

# accept all connection
# acl all {
#        0.0.0.0/0;
# };

options {
        dnssec-validation auto;

        listen-on-v6 { any; };

        directory "/var/cache/bind"; // default directory
        max-cache-size 10m;
        cleaning-interval 480; // clean cache every 8 hours
        allow-query { localhost; LAN;}; // allow queries from localhost and 192.168.1.0-192.168.1.255
        response-policy {
                zone "blocked";
                zone "trust-aa";
                zone "trust-ab";
                zone "adultaa";
                zone "adultab";
                zone "adultac";
                zone "adultad";
                zone "adultae";
                zone "adultaf";
                zone "adultag";
#               zone "malware";
        } recursive-only no max-policy-ttl 60 break-dnssec no qname-wait-recurse no;

# disable 'check-names'
#check-names master ignore;
#check-names slave ignore;
#check-names response ignore;

        forwarders {
                1.1.1.1;
                1.0.0.1;
        }; // use CloudFlare 1.1.1.1 DNS as a forwarder

        recursion yes;  // allow recursive queries
        auth-nxdomain no;    # conform to RFC1035
        allow-recursion {
                LAN;
        };
};

Docker

https://www.youtube.com/watch?v=syzwLwE3Xq4

Ref