- Run following command to install BIND 9 on Ubuntu 20.04
sudo apt update
sudo apt install bind9 bind9utils bind9-dnsutils-
Configurations for recursive DNS resolver with RPZ(response policy zone)
- To enable recursion service, edit '/etc/bind/named.conf.options':
// hide version number from clients for security reasons. version "not currently available"; // optional - BIND default behavior is recursion recursion yes; // provide recursion service to trusted clients only allow-recursion { 127.0.0.1; 192.168.0.0/24; 10.10.10.0/24; }; // disallow zone transfer allow-transfer { none; }; // enable the query log querylog yes; //enable response policy zone. response-policy { zone "blocked.local"; };- Add RPZ zone in '/etc/bind/named.conf.local':
zone "blocked.local" { type master; file "/etc/bind/db.blocked.local"; allow-query { localhost; }; allow-transfer { localhost; }; };- add following lines in '/etc/bind/named.conf' to use separate log file for RPZ(recommended):
logging { channel blockedlog { file "/var/log/named/blocked-zone.log" versions unlimited size 100m; print-time yes; print-category yes; print-severity yes; severity info; }; category rpz { blockedlog; }; };If '/var/log/named/' directory doesn't exist, create it and make bind as the owner
sudo mkdir /var/log/named/ sudo chown bind:bind /var/log/named/ -R
-
Add blocked zone file with the blocked-zone.sh script.
- first, clone this repository:
git clone https://github.com/mofm/blocked-zone.git
-
If there is domain(s) you want to block, you can add it to the blacklist file.
-
execute the blocked-zone.sh script(this script downloads StevenBlack host file and then creates RPZ zone file):
sudo bash blocked-zone.sh
-
Check configurations and service:
sudo named-checkconf
sudo named-checkzone rpz /etc/bind/db.blocked.localIf no problem, restart and enable bind9 service;
sudo systemctl restart bind9
sudo systemctl enable bind9-
Test:
- You can run the dig command on the BIND server to see if RPZ is working:
dig A adskeeper.com @127.0.0.1
- You can also check '/var/log/named/blocked-zone.log' for query log:
sudo tail /var/log/named/blocked-zone.log
-
READY, you can add this BIND9 host IP address to your host(s).
- You can add cronjob for schedule update
- You can change the URL to StevenBlack GitHub Hosts in 'blocked-zone.sh'
- You can download and use auto-generated RPZ zone files from https://scripttiger.github.io/alts/
- Also you can download and use abuse.ch RPZ zone file from https://urlhaus.abuse.ch/downloads/rpz/
| Name | URL |
|---|---|
| Abuse.ch | https://threatfox.abuse.ch/ |
| Adaway | https://adaway.org/ |
| Adguard List | https://justdomains.github.io/blocklists/#the-lists |
| Blocklist.site | https://github.com/blocklistproject/Lists |
| EasyList | https://justdomains.github.io/blocklists/#the-lists |
| Easyprivacy | https://justdomains.github.io/blocklists/#the-lists |
| NoCoin List | https://justdomains.github.io/blocklists/#the-lists |
| PornTop1M List | https://github.com/chadmayfield/my-pihole-blocklists |
| Simple Ad List | https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt |
| Simple Tracker List | https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt |
| StevenBlack/hosts | https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts |
| WindowsSpyBlocker | https://github.com/crazy-max/WindowsSpyBlocker |
| YoYo List | https://pgl.yoyo.org/adservers/ |