Fitting Environment
#package required
~$ sudo apt policy curl dos2unix faketime idn rsync libnet-netmask-perl
#IF not installed, install with
~$ sudo apt install -y curl dos2unix faketime idn rsync libnet-netmask-perl
Below are some of the variables in the file grab_config.
You can change them, but do not leave any of the following variables undefined.
HOST=rpz.warnet-ersa.net
REGEX=4
RNDC_RELOAD=yes
RPZ_DOM=CNAME .
RPZ_IP4=rpz-ip CNAME .
URLS=19
ZONE_DIR=/etc/bind/zones-rpz
then set them as the default values in the file grab_library
~$ nano +$(grep -n 'f_dft()' grab_library | cut -d: -f1) grab_library
#######################################
# Fallback defaults used when grab_config is missing or misconfigured.
# Every variable is assigned only when it is unset or empty, so values
# already provided by grab_config are left untouched.
# Globals:   HOST, REGEX, RNDC_RELOAD, RPZ_DOM, RPZ_IP4, URLS, ZONE_DIR
#            (written when empty); _wn0, _CYN, _foo (read, defined elsewhere)
# Outputs:   one notice line to stdout
#######################################
f_dft() {
  # NOTE(review): _wn0 and _CYN are expanded inside the printf *format*
  # string, so they must never contain a stray '%'; presumably they are plain
  # prefix/colour constants from the library — confirm in grab_library.
  printf "\n${_wn0} ${_CYN} continued with default configurations\n" "${_foo}"
  ZONE_DIR="${ZONE_DIR:-/etc/bind/zones-rpz}"   # target dir for rsync
  URLS="${URLS:-19}"                             # fixed number of lines in grab_urls
  RPZ_IP4="${RPZ_IP4:-rpz-ip CNAME .}"           # rpz policy (rpz-ip trigger form)
  RPZ_DOM="${RPZ_DOM:-CNAME .}"                  # rpz policy
  RNDC_RELOAD="${RNDC_RELOAD:-no}"               # yes OR no
  REGEX="${REGEX:-2}"                            # fixed number of lines in grab_regex
  HOST="${HOST:-rpz.warnet-ersa.net}"            # host name OR ip-address
}
#package required
~$ apt policy rsync
#IF not installed, install with
~$ apt install -y rsync
Custom bind9 PATHS
dir: /etc/bind
│ ├── named.conf and named.conf.{default-zones, local, logs, options, trusted-zones}
│ ├── {bind, rndc}.keys
│ ├── zones.rfc1918
│ ├── db.{0, 127, 255, empty, local}
│ ├── symlink to /etc/bind/zones-rpz/rpz.*
│ └── symlink to /etc/bind/zones-cnf/rpz.*
│
├── /etc/bind/zones-rpz
│ ├── rpz.{adulta{a, b, c, d, e, f, g}, ipv4, malware, publicite, redirector, trust+aa, trust+ab, trust+ac}
│ └── db.{adulta{a, b, c, d, e, f, g}, ipv4, malware, publicite, redirector, trust+aa, trust+ab, trust+ac}
│
└── /etc/bind/zones-cnf
├── rpz.safe and rpz.warsa
└── db.safe
For the initial set-up, copy db.* and rpz.*
from the extracted tar-ball (gb4rpz-v10.4.tar.gz) to the BIND9 server.
# on your linux desktop
~$ grep -n "INCLUDE" v10.4/rpz.*
v10.4/rpz.adultaa:25:$INCLUDE "/etc/bind/zones-rpz/db.adultaa"
... sliced ...
~$ ssh [email protected] "mkdir /etc/bind/zones-rpz"
~$ scp v10.4/{db,rpz}.* [email protected]:/etc/bind/zones-rpz
~$ ssh [email protected] "ln -s /etc/bind/zones-rpz/rpz.* /etc/bind/"
Depending on your preference, adjustments are usually made to named.conf and named.conf.local for the Response Policy Zone. Below is mine:
# This is the primary configuration file for the BIND DNS server named.
#
# Please read /usr/share/doc/bind9/README.Debian.gz for information on the
# structure of BIND configuration files in Debian, *BEFORE* you customize
# this configuration file.
# If you are just adding zones, please do that in /etc/bind/named.conf.local
# https://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt
acl "bogon" { 0/8; 100.64/10; 169.254/16; 192/24; 192.0.2/24; 198.18/15; 198.51.100/24; 203.0.113/24; 224/3; 240/4;};
acl "inter" { localhost; 192.168/16; 172.16/12; 10/8; };
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.logs";
include "/etc/bind/rndc.key";
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; }; };
server ::/0 { bogus yes; };
# Do any local configuration here
# Consider adding the 1918 zones here, if they are not used in your organization
view "trusted" {
match-clients {inter;};
recursion yes;
allow-query {inter;};
allow-query-cache {inter;};
allow-recursion {inter;};
allow-transfer {none;};
response-policy { # split into separate zone files
zone "adultaa.domain";
zone "adultab.domain";
zone "adultac.domain";
zone "adultad.domain";
zone "adultae.domain";
zone "adultaf.domain";
zone "adultag.domain";
zone "ipv4.domain";
zone "malware.domain";
zone "publicite.domain";
zone "redirector.domain";
zone "safe.domain";
zone "trust+aa.domain";
zone "trust+ab.domain";
zone "trust+ac.domain";
} break-dnssec yes qname-wait-recurse no nsip-wait-recurse no max-policy-ttl 604800; # break-dnssec yes applies RPZ rewrites even when doing so breaks DNSSEC validation of the answer
include "/etc/bind/zones.rfc1918"; # we don't use reverse-zone
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.trusted-zones";
};
view "untrusted" chaos {
match-clients {any;};
recursion no;
zone "." {type hint;file "/dev/null";};
zone "bind" {type master;file "/etc/bind/rpz.chaos";allow-query {inter;};allow-transfer {none;};};
};
# file name = named.conf.trusted-zones
# pay attention to the path of the rpz.* files: each is a sym-link referring to /etc/bind/zones-{rpz,cnf}/rpz.*
# create the sym-links first and check them with 'ls -lah | grep rpz'
#
zone "adultaa.domain" {type master;check-names ignore;file "/etc/bind/rpz.adultaa";};
zone "adultab.domain" {type master;check-names ignore;file "/etc/bind/rpz.adultab";};
zone "adultac.domain" {type master;check-names ignore;file "/etc/bind/rpz.adultac";};
zone "adultad.domain" {type master;check-names ignore;file "/etc/bind/rpz.adultad";};
zone "adultae.domain" {type master;check-names ignore;file "/etc/bind/rpz.adultae";};
zone "adultaf.domain" {type master;check-names ignore;file "/etc/bind/rpz.adultaf";};
zone "adultag.domain" {type master;check-names ignore;file "/etc/bind/rpz.adultag";};
zone "ipv4.domain" {type master;check-names ignore;file "/etc/bind/rpz.ipv4";};
zone "malware.domain" {type master;check-names ignore;file "/etc/bind/rpz.malware";};
zone "publicite.domain" {type master;check-names ignore;file "/etc/bind/rpz.publicite";};
zone "redirector.domain" {type master;check-names ignore;file "/etc/bind/rpz.redirector";};
zone "safe.domain" {type master;check-names ignore;file "/etc/bind/rpz.safe";};
zone "trust+aa.domain" {type master;check-names ignore;file "/etc/bind/rpz.trust+aa";};
zone "trust+ab.domain" {type master;check-names ignore;file "/etc/bind/rpz.trust+ab";};
zone "trust+ac.domain" {type master;check-names ignore;file "/etc/bind/rpz.trust+ac";};
zone "warnet-ersa.net" {type master;file "/etc/bind/rpz.warsa";};