Configuring DNS BIND RPZ

May i know what's the steps to configure Response Policy Zone in BIND 9.8.1??

There are articles on setting up RPZ's but I honestly haven't really attempted it. I read the RFC but never actually did it.

Here's an article in French but it has an example of the Options and Zone data. It looks pretty straightforward:
http://dns.blog4ever.com/blog/lire-article-491870-2332506-rpz_et_dns__exemple_de_configuration.html


Here's the RFC on it as well with some good stuff in it:
http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt

I've tried to follow the link that you've gave me, under the configuration of db.rpz.zone. How come after the configuration, it still didn't block the IP Address?

Is named starting after the config change? Are you running BIND 9.8?

A quick update, I installed BIND 9.8 on a test machine and literally copy/pasted what was on that website in to the configuration and it worked right off. Make sure you have no typos and are running BIND 9.8.

I'm running on BIND 9.8.1..

Does named start? What exactly is happening after you make the zone and the config. You might want to check the server logs for any named entries to see if the zone isn't loading.

What do you mean by does named start? The ISC BIND has started in the services.
I've created two zones under named.config, one is the iadlp.cng.com and another one is the rpz.zone which I've followed through the website that you've gave me in the previous reply.

C:\named\bin>dig @127.0.0.1 google.com.

; <<>> DiG 9.8.1-P1 <<>> @127.0.0.1 google.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39848
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 13, ADDITIONAL: 12

;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 198 IN A 74.125.235.51
google.com. 198 IN A 74.125.235.52
google.com. 198 IN A 74.125.235.48
google.com. 198 IN A 74.125.235.49
google.com. 198 IN A 74.125.235.50

;; AUTHORITY SECTION:
. 13395 IN NS i.root-servers.net
. 13395 IN NS j.root-servers.net
. 13395 IN NS m.root-servers.net
. 13395 IN NS k.root-servers.net
. 13395 IN NS l.root-servers.net
. 13395 IN NS a.root-servers.net
. 13395 IN NS h.root-servers.net
. 13395 IN NS g.root-servers.net
. 13395 IN NS b.root-servers.net
. 13395 IN NS f.root-servers.net
. 13395 IN NS c.root-servers.net
. 13395 IN NS d.root-servers.net
. 13395 IN NS e.root-servers.net

;; ADDITIONAL SECTION:
a.root-servers.net. 72188 IN A 192.41.0.4
a.root-servers.net. 36064 IN A 192.228.79.201
a.root-servers.net. 71186 IN A 192.33.4.12
a.root-servers.net. 71327 IN A 128.8.10.90
a.root-servers.net. 85834 IN A 192.203.230.10
a.root-servers.net. 36096 IN A 192.5.5.241
a.root-servers.net. 68021 IN A 192.112.36.4
a.root-servers.net. 36122 IN A 128.63.2.53
a.root-servers.net. 71196 IN A 192.36.148.17
a.root-servers.net. 27161 IN A 192.58.128.30
a.root-servers.net. 72160 IN A 193.0.14.129
a.root-servers.net. 67622 IN A 199.7.83.42

;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 26 15:20:57 2012
;; MSG SIZE rcvd: 511

I would suggest checking your logs. The process for BIND is called "named". You will want to check the logs for anything logged by named for errors. If you have restarted the named process after the config change and it still queries the internet, that means named is running but it seems like the rpz zone didn't load. The logs will usually tell you why.

I'm sorry to ask, but may i know how am I suppose to check for my logs?

If it's a nix system, you want to check /var/log/messages or /var/log/syslog. Use grep and search "named" in whichever log your system is logging info to and it should have some information in it.

I'm running on Windows 7. So i can use grep as well?

No, if it's windows you should probably check out the Event Viewer in admin tools in the control panel. I'm guessing it would probably under the applications section.

Checked the Event Viewer and saw some of the errors which consist of:

• zone rpz.zone/IN: loading from master file db.rpz.zone failed: file not found

• zone rpz.zone/IN: not loaded due to errors.

• zone iadlp.cng.com/IN: not loaded due to errors.

• unable to convert errno to isc_result: 1450: Insufficient system resources exist to complete the requested service.

Have any ideas what does all these means?

I'm not too familiar with running BIND on windows since I only use it on linux/unix systems, so I'm not sure if there is a default directory you should look in or if it's something you specified. But you have to have the db.rpz.zone in the correct directory (the one mentioned in your named.conf file. It looks like from the log, the specified zone file isn't there so it's not being loaded (and problems with another zone you have). If the local files are not found or formatted incorrectly, named will still start up but the bad zones will not be loaded. So named cannot answer from those local files (like it would in the case of an rpz).