Filtering traffic by DNS name and IP address
Out with the Bad

Kurt describes how to keep bad guys out of your network using a targeted filtering approach.
If you're reading this article (and indeed this magazine), you're probably not a huge fan of spam/malware/crapware/spyware, and so on. However, because you're also probably running Linux, you can avoid most of that, right? Just keep the system up to date, install AdBlock, apply SpamAssassin to your email, and so on – easy peasy lemon squeezy.
But, what happens if you have a device that doesn't support AdBlock or antivirus software (e.g., some of the more locked down Android devices)? Or, if you want to block certain domains or networks completely? Firewalling based on IP addresses is great, and you can even find country lists; however, that won't help you block attackers that quickly bounce their domain around multiple providers. If only there were a way to firewall stuff easily at the DNS level.
Response Policy Zones
Back in 2011, ISC, the company that produces BIND and DHCPD, decided this was a problem they wanted to address, so they rather cleverly added RPZ (Response Policy Zone) [1] support in a way that requires no changes to existing DNS client software or to other servers making use of the RPZ server. Basically, RPZ lets you define records to which that the response policy will be applied. These records can be the domain name being queried (QNAME), the IP address being returned in response to the query (IP), the name or domain of any DNS server used to fulfill a query (NSDNAME), and the IP address of any DNS server used to fulfill a query (NSIP).
This means you can, for example, filter all requests for *.example.org, any query that would result in an answer of 10.0.0.0/8, or any query that would use the DNS server evil.example.org or a DNS server on the evil network 192.168.0.0/16. You're not just limited to blocking queries either, you also can return NXDOMAIN (no such domain) records for a query or NODATA (no records for that query). You also can reply to a query with an arbitrary response (Local Data Action), or you can choose to allow the query (PASSTHROUGH) [2]. Note that allowing a query instead of blocking it can be useful, because this lets you configure your RPZ to allow queries for good.example.org and block all other queries for *.example.org.
Forcing Use of Your RPZ Server
The first step is to force clients to use your RPZ server. This step is important because a lot of malware will hijack the DNS settings on a client to point them at an attacker-controlled server. The easiest way to do this is set up one or more DNS servers running RPZ and then firewall your network so that only they are allowed to make outgoing DNS queries (Listing 1).
Listing 1
Network Setup
In this setup, make sure you block both TCP and UDP outgoing to port 53. Please note that clients using VPN software, Tor, and the like will be able to bypass this restriction, so DNS firewalling (like any firewalling) isn't 100 percent foolproof when it comes to VPNs.
Configuring RPZ
This is the easy part: In named.conf
, in the options
section, simply put:
response-policy { zone "rpz.example.org";};
Then, define the zone file,
zone "rpz.example.org" { type master; file "/var/named/rpz.example.org.zone"; };
and configure the zone file (Listing 2). Note that there is no $ORIGIN specification.
Listing 2
Zone File Configuration
This listing specifies that any queries to evil-domain.com or records and subdomains within it will be served an NXDOMAIN response.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
News
-
2024 Open Source Professionals Job Survey Now Open
Share your expectations regarding open source jobs.
-
Arch Linux 2023.12.01 Released with a Much-Improved Installer
If you've ever wanted to install Arch Linux, now is your time. With the latest release, the archinstall script vastly simplifies the process.
-
Zorin OS 17 Beta Available for Testing
The upcoming version of Zorin OS includes plenty of improvements to take your PC to a whole new level of user-friendliness.
-
Red Hat Migrates RHEL from Xorg to Wayland
If you've been wondering when Xorg will finally be a thing of the past, wonder no more, as Red Hat has made it clear.
-
PipeWire 1.0 Officially Released
PipeWire was created to take the place of the oft-troubled PulseAudio and has finally reached the 1.0 status as a major update with plenty of improvements and the usual bug fixes.
-
Rocky Linux 9.3 Available for Download
The latest version of the RHEL alternative is now available and brings back cloud and container images for ppc64le along with plenty of new features and fixes.
-
Ubuntu Budgie Shifts How to Tackle Wayland
Ubuntu Budgie has yet to make the switch to Wayland but with a change in approaches, they're finally on track to making it happen.
-
TUXEDO's New Ultraportable Linux Workstation Released
The TUXEDO Pulse 14 blends portability with power, thanks to the AMD Ryzen 7 7840HS CPU.
-
AlmaLinux Will No Longer Be "Just Another RHEL Clone"
With the release of AlmaLinux 9.3, the distribution will be built entirely from upstream sources.
-
elementary OS 8 Has a Big Surprise in Store
When elementary OS 8 finally arrives, it will not only be based on Ubuntu 24.04 but it will also default to Wayland for better performance and security.