Falsifying DNS answers is useful, for example, to filter traffic on the network, or to publish only part of a zone on the Internet (the entries for public services) while keeping the private entries in our internal DNS. BIND implements this with Response Policy Zones (RPZ): a normal zone whose records override the answers the resolver would otherwise return.
We install Bind (emerge builds it from source):
emerge -av net-dns/bind
We define the RPZ zone in named.conf (an ordinary master zone; it becomes a policy zone once response-policy refers to it):
vi /etc/bind/named.conf
zone "srpz.zone" {
type master;
file "/etc/bind/db.srpz.local";
// The zone is consulted internally by response-policy; with "any" here clients can also
// read the overrides directly (dig yahoo.com.srpz.zone @SERVER_IP), so in production
// restrict this to { localhost; }.
allow-query { any; };
allow-update { none; };
};
We create the zone file and add the overrides to it:
vi /etc/bind/db.srpz.local
$TTL 604800
@ IN SOA localhost.local. hostmaster.local. (
1 ; Serial (increase it on every change so secondaries pick up the new policy)
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
@ IN NS localhost.local.
; Owner names without a trailing dot are relative to the origin, so this record is
; yahoo.com.srpz.zone: the RPZ "local data" rule that answers the query name yahoo.com.
; 1.1.1.1 is used only as a dummy; it is actually Cloudflare's public resolver, so for a
; real sinkhole use an address you control or an RFC 5737 test address such as 192.0.2.1.
yahoo.com IN A 1.1.1.1
In the options section, we add the response-policy option, the listen address, the query and recursion ACLs, and Google's public resolvers as forwarders:
vi /etc/bind/named.conf
options {
// Check the RPZ zone before answering from cache or from the forwarders
response-policy { zone "srpz.zone"; };
allow-query {
any;
};
allow-query-cache {
any;
};
// "any" for recursion makes this an open resolver that can be abused for DNS
// amplification; outside a lab restrict it to your own networks, e.g.
// { 127.0.0.1; 10.0.0.0/8; }
allow-recursion {
any;
};
listen-on { any; };
forwarders {
8.8.8.8;
8.8.4.4;
};
};
We restart the service:
/etc/init.d/named restart
We check that it works correctly:
dig @SERVER_IP +short google.es
172.217.19.227
dig @SERVER_IP +short yahoo.com
1.1.1.1
As we can see, both parts work: google.es is resolved through the forwarders, while yahoo.com is answered with the address from the RPZ zone instead of its real one.
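As an added example (not code from the original post), the following Python script generates a zone file in the same layout as db.srpz.local from a table of overrides and simulates which rule the resolver would apply to a given query name. It goes beyond the post by covering the other RPZ actions (NXDOMAIN, NODATA, PASSTHRU and DROP, all encoded as special CNAME targets) and wildcard triggers. The zone name, SOA names and sample entries are assumptions taken from the post's configuration; the matching logic is a simplified model of BIND's QNAME precedence, not BIND's own code.

```python
"""Added example (not from the original post): build an RPZ zone file like
db.srpz.local from a table of overrides and simulate which RPZ rule a query
name hits.  Assumes the zone is named "srpz.zone" with the post's SOA/NS
names; every sample entry below is constructed for illustration."""
import ipaddress
import re

ORIGIN = "srpz.zone"            # must match the zone name in named.conf
SOA_MNAME = "localhost.local."
SOA_RNAME = "hostmaster.local."

# RPZ actions are encoded as ordinary records on the trigger name:
#   A/AAAA <addr>          "Local Data": answer with this address (the post's case)
#   CNAME .                NXDOMAIN: pretend the name does not exist
#   CNAME *.               NODATA: name exists but has no records
#   CNAME rpz-passthru.    PASSTHRU: exempt this name from the policy
#   CNAME rpz-drop.        DROP: discard the query without any answer
SPECIAL = {"NXDOMAIN": ".", "NODATA": "*.", "PASSTHRU": "rpz-passthru.", "DROP": "rpz-drop."}

_LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")


def normalize_trigger(name):
    """Lower-case, strip the trailing dot and validate a QNAME trigger.
    A leading '*.' is allowed: it matches names *below* the domain but not
    the domain itself (yahoo.com and *.yahoo.com are two separate rules)."""
    name = name.lower().rstrip(".")
    labels = name.split(".")
    prefix = ""
    if labels and labels[0] == "*":
        labels, prefix = labels[1:], "*."
    if not labels or not all(_LABEL.match(l) for l in labels):
        raise ValueError(f"invalid RPZ trigger name: {name!r}")
    return prefix + ".".join(labels)


def rpz_record(trigger, action, value=None):
    """Render one zone-file line.  Names without a trailing dot are relative
    to the origin, so 'yahoo.com' becomes yahoo.com.srpz.zone, which is how
    RPZ expects QNAME triggers to be spelled."""
    trigger = normalize_trigger(trigger)
    if action == "A":
        addr = ipaddress.ip_address(value)
        rtype = "A" if addr.version == 4 else "AAAA"
        return f"{trigger} IN {rtype} {addr}"
    if action in SPECIAL:
        return f"{trigger} IN CNAME {SPECIAL[action]}"
    raise ValueError(f"unknown RPZ action: {action!r}")


def build_zone(entries, serial, ttl=604800):
    """entries: list of (trigger, action, value).  Returns the zone text.
    Increase the serial on every edit so secondaries transfer the change."""
    lines = [
        f"$TTL {ttl}",
        f"@ IN SOA {SOA_MNAME} {SOA_RNAME} ( {serial} 604800 86400 2419200 604800 )",
        f"@ IN NS {SOA_MNAME}",
    ]
    lines += [rpz_record(*entry) for entry in entries]
    return "\n".join(lines) + "\n"


def match(entries, qname):
    """Return the (trigger, action, value) RPZ would apply to qname, or None
    if the query passes through untouched.  Simplified model of BIND's QNAME
    matching: an exact rule beats a wildcard, and the wildcard closest to
    the query name beats shorter ones."""
    rules = {normalize_trigger(t): (t, a, v) for t, a, v in entries}
    qname = normalize_trigger(qname)
    if qname in rules:
        return rules[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in rules:
            return rules[wild]
    return None


# Constructed sample table: the post's override plus a few other actions.
SAMPLE = [
    ("yahoo.com", "A", "1.1.1.1"),          # the post's entry: local data
    ("*.yahoo.com", "NXDOMAIN", None),      # every subdomain: deny it exists
    ("mail.yahoo.com", "PASSTHRU", None),   # ...except this one, left alone
    ("tracker.example", "DROP", None),      # silently dropped
]

if __name__ == "__main__":
    print(build_zone(SAMPLE, serial=2))
    for q in ("yahoo.com", "www.yahoo.com", "mail.yahoo.com", "google.es"):
        print(q, "->", match(SAMPLE, q))
```

One thing the simulation makes visible: the post's yahoo.com record rewrites only that exact name, so www.yahoo.com still resolves normally unless a *.yahoo.com rule is added. After editing the real file, validate it with named-checkzone srpz.zone /etc/bind/db.srpz.local before reloading.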