Bind RPZ triggers are never matched [SOLVED]
I have set up bind 9 (BIND 9.16.23-RH) on rocky linux 9.5 as a recursive DNS server, everything is working fine, besides the RPZ policy.

Here is my named.conf:

options {
        listen-on port 53 { 127.0.0.1; 172.18.150.18; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;
        allow-query     { localhost; 192.168.242.0/24; 192.168.243.0/24; 172.18.150.0/24; 192.168.240.0/23; 172.16.11.0/24; };
        forwarders {
                1.1.1.1;
                8.8.8.8;
        };
        forward only;
        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";
        geoip-directory "/usr/share/GeoIP";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
        response-policy { zone "rpz.zone"; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "rpz.zone" {
        type master;
        file "db.rpz.zone";
};

And here is my db.rpz.zone file:

$TTL    1800
@               IN      SOA     localhost. root.localhost.  (
                                2025022302 ; Serial
                                28800      ; Refresh
                                14400      ; Retry
                                3600000    ; Expire
                                86400 )    ; Minimum
@               IN      NS      localhost.
vpn1.example.com            IN      A       192.168.1.10

The expected result is when any host asks for the vpn1.example.com IP address, the server returns 192.168.1.10, but instead of doing that it returns the real public IP address of vpn1.example.com.

I have read the documentation, some tutorials and a lot of questions here on Stack Overflow, as far as I can see the configuration is correct, but I may be missing something.

Am I doing something wrong?

Thanks in advance!
Solution

  • Answering my own question because I finally found out what my issue was, the zone file was owned by root:root and it must be root:named.

    Pretty obvious but I never thought that could be the issue, because bind never complained about it. I only found it because I added another authoritative zone and it was giving me SERVFAIL result, I set correct permissions and it worked, then I did the same to the rpz zone file.

    I hope that could be useful to other users.

    Best regards.