One of the more controversial additions to the BIND name server in version 9.8.0 was a feature called Response Policy Zone Rewriting which allows operators of recursive DNS servers (e.g. servers running at your ISP or in your corporate environment) to rewrite answers returned by authoritative DNS servers. (Paul Vixie had spoken about RPZ in Taking Back the DNS mid last year.) This is basically what Unbound can implement on a per-installation basis with its local-zone and local-data directives, with the twist that BIND servers can replicate RPZ zones (from master to slaves) thereby offering their content to a larger population of name servers. There are two steps required for setting up and enabling RPZ:

  • Create an RPZ zone
  • Enable RPZ in BIND

An RPZ zone is a zone master file, which clients do not have to query directly – the zone file is used by named.

    $TTL 60
    @            IN    SOA  localhost. root.localhost.  (
                          2   ; serial 
                          3H  ; refresh 
                          1H  ; retry 
                          1W  ; expiry 
                          1H) ; minimum 
                  IN    NS    localhost.       CNAME    .   CNAME    *.    CNAME        A

Note the values of rdata differ; this is what instructs BIND how to answer a query for a particular name. (RPZ is documented in the BV9ARM.) We configure the zone in named.conf allowing our other BIND servers to transfer the zone. (Note that the zone does not need to be delegated, so you can use any convenient name.)

    zone "rpz" {
      type master;
      file "rpz.db";
      allow-query { none; };
      allow-transfer { ... ; };

And finally, we enable our caching BIND servers to use the Response Policy Zone:

response-policy { zone "rpz"; };

Let me show you some of the replies I get from querying a BIND server for some of the names we’ve added to our RPZ zone. We start off by querying for the address of the server returns an NXDOMAIN code indicating the domain does not exist, and the AUTHORITY section of the answer gives us an indication where the answer originated from.

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN
rpz. 60 IN SOA localhost. root.localhost. 2 ...

When we query our server for the response is slightly different: we just get no data returned.

;; ->>HEADER<<- opcode: QUERY, status: NOERROR
rpz. 60 IN SOA localhost. root.localhost. 2 ...

When we query for, the client gets data from the Google name servers:

;; ANSWER SECTION: 60 IN CNAME 604134 IN CNAME 222 IN A ....

And when we query for the response contains our configured address:

$ dig
rpz. 60 IN NS localhost.

BIND applies the Response Policy when a server is queried recursively only. SURBL is, to my knowledge, one of the first to provide data via an RPZ zone. (Overview.) If you want some more examples, check the BIND Administrator Reference Manual (Bv9ARM) for version 9.8.0. You may also want to read RPZ, un moyen simple de configurer un résolveur DNS BIND pour qu’il mente (in French) by Stéphane Bortzmeyer, from whom I got the inspiration for this posting’s title.


DNS, BIND, and RPZ :: 26 Apr 2011 :: e-mail