Hi everyone, I hope you are all fine. I am new to the mailing list and looking for advice. If this mailing list is not suitable for my query below, then please pardon me.
I am stuck in a situation and looking for a solution. My scenario is as follows.
I want to block some websites for all my users.
For example:
www.abc.com
www.xyz.com
etc
I did it using a Response Policy Zone (RPZ) in BIND.
// in the options { ... } block of named.conf:
response-policy { zone "rpz"; };
rrset-order { order cyclic; };

// zone statement for the policy zone itself:
zone "rpz" {
    type master;
    allow-query { any; };
    file "/etc/bind/rpz.db";
};
In my RPZ zone file I created CNAME entries for the above-mentioned FQDNs, pointing them to discard.websites.com:
; owner names without a trailing dot are relative to the zone origin "rpz"
www.abc.com    IN CNAME    discard.websites.com.
www.xyz.com    IN CNAME    discard.websites.com.
And later on, in the websites.com zone file (which is another fake zone), I created an A record for discard.websites.com pointing to 192.168.127.127 (a fake IP):
; in the websites.com zone file
discard    IN A    192.168.127.127
In this way all the DNS requests from all my users for the above-mentioned sites are resolved to 192.168.127.127 and the real websites are unreachable.
(N.B. I am not worried about the situation where users change their DNS server to some open resolver and can access the websites.)
Everything was going fine. Then another requirement came into the picture. Now I need to block the mentioned websites for some specific users (based on source IP).
So in my RPZ configuration I restricted the policy zone to the users' source IP block like below.
zone "rpz" {
    type master;
    allow-query { 192.168.10.0/24; };
    file "/etc/bind/rpz.db";
};
At this point the DNS queries from the specified block 192.168.10.0/24 are resolved to my fake IP, and all other requests from the rest of the IP blocks are dropped (as expected per the configuration).
But I want it to work like this: DNS queries from the 192.168.10.0/24 block should be matched against the RPZ zone, and requests from the rest of the IPs should bypass the RPZ configuration and match my general "allow-query { any; };" statement in named.conf.
Will the logic work as I stated above? Any comments from the experts would be great.
(N.B. I came to know that resolving different IPs based on different sources is possible in Knot DNS, but I would be happy to do it in BIND, if possible.)
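Added example (not part of the original post, and not the poster's configuration): the usual way in BIND to apply an RPZ only to some source addresses is to split the server into views with match-clients, and put the response-policy statement only in the view that the restricted clients land in. The view names, the file paths and the options block below are assumptions; the 192.168.10.0/24 block, the "rpz" zone and the fake websites.com zone are taken from the post.

```conf
// named.conf (added example; view names and paths are assumed)

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
    // Deliberately no response-policy here: it is set per view below,
    // so only the clients of the "filtered" view are rewritten.
};

// Views are matched in order and the first match wins, so the
// restricted view must be listed before the catch-all view.
view "filtered" {
    match-clients { 192.168.10.0/24; };
    recursion yes;
    allow-query { any; };   // "any" is already limited by match-clients

    // RPZ applies only to queries that arrive in this view.
    response-policy { zone "rpz"; };

    zone "rpz" {
        type master;
        file "/etc/bind/rpz.db";   // www.abc.com IN CNAME discard.websites.com.
    };

    // The fake zone holding discard.websites.com must be visible in this
    // view, otherwise the CNAME target cannot be answered locally.
    zone "websites.com" {
        type master;
        file "/etc/bind/websites.com.db";   // discard IN A 192.168.127.127
    };
};

view "unfiltered" {
    match-clients { any; };
    recursion yes;
    allow-query { any; };
    // No response-policy statement here: these clients resolve
    // www.abc.com and www.xyz.com normally.
};
```

Two things to check before deploying this: once a named.conf contains any view, BIND requires every zone statement to live inside a view, so any other zones the server already serves have to be moved into the view(s) that should see them (an include file shared by both views avoids duplicating them); and the split should be verified from a client in 192.168.10.0/24 and one outside it with dig against the server, confirming that only the first gets 192.168.127.127. If the fake websites.com zone exists only for the sake of the CNAME target, RPZ also allows the address to be given directly in the policy zone as local data (www.abc.com IN A 192.168.127.127), which removes the need for the second zone.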