Block ads and malware via BIND9 RPZ

Installation on Ubuntu 20.04 LTS

• Run following command to install BIND 9 on Ubuntu 20.04

$ sudo apt update
$ sudo apt install bind9 bind9utils bind9-dnsutils

Configurations for recursive DNS resolver with RPZ(response policy zone)

• To enable recursion service, edit /etc/bind/named.conf.options :

    // hide version number from clients for security reasons.
    version "not currently available";

    // optional - BIND default behavior is recursion
    recursion yes;

    // provide recursion service to trusted clients only
    allow-recursion { 127.0.0.1; 192.168.0.0/24; 10.10.10.0/24; };

    // disallow zone transfer
    allow-transfer { none; };

    // enable the query log
    querylog yes;

    //enable response policy zone.
    response-policy {
        zone "blocked.local";
    };

• Add RPZ zone in /etc/bind/named.conf.local :

    zone "blocked.local" {
        type master;
        file "/etc/bind/db.blocked.local";
        allow-query { localhost; };
        allow-transfer { localhost; };
    };

• add following lines in /etc/bind/named.conf to use separate log file for RPZ(recommended):

    logging {
        channel blockedlog {
            file "/var/log/named/blocked-zone.log" versions unlimited size 100m;
            print-time yes;
            print-category yes;
            print-severity yes;
            severity info;
        };
        category rpz { blockedlog; };
    };

• If /var/log/named/ directory doesn't exist, create it and make bind as the owner:

$ sudo mkdir /var/log/named/
$ sudo chown bind:bind /var/log/named/ -R

Creating Zone File

• first, clone this repository:

$ git clone https://github.com/mofm/blocked-zone.git

• If there is domain(s) you want to block, you can add it to the blacklist file.

• execute the blocked-zone.sh script(this script downloads StevenBlack host file and then creates RPZ zone file):

$ sudo bash blocked-zone.sh

Check configurations and service:

$ sudo named-checkconf
$ sudo named-checkzone rpz /etc/bind/db.blocked.local

If no problem, restart and enable bind9 service;

$ sudo systemctl restart bind9
$ sudo systemctl enable bind9

Test:

• You can run the dig command on the BIND server to see if RPZ is working:

$ dig A adskeeper.com @127.0.0.1

• You can also check '/var/log/named/blocked-zone.log' for query log:

$ sudo tail /var/log/named/blocked-zone.log

• READY, you can add this BIND9 host IP address to your host(s).

Optional

• You can add cronjob for schedule update
• You can change the URL to StevenBlack GitHub Hosts in blocked-zone.sh
• You can download and use auto-generated RPZ zone files from https://scripttiger.github.io/alts/
• Also you can download and use abuse.ch RPZ zone file from https://urlhaus.abuse.ch/downloads/rpz/