How to override DNS for private networks with BIND RPZ

In our private network we have services that are served to the internet and should also be used by the users sitting inside the network (physically or via VPN). We have a main DNS servers in a cloud provider and it is serving pointing to our firewall internet facing address and an internal DNS server with all the same records duplicated except that is pointing to its address reachable in the private network.

This arrangement causes some maintenance trouble because every time we add a new domain to the main DNS, we need to duplicate this entry in the internal server.

Some time ago I looked up how to solve this a little more elegantly and found out about response-policy-zone feature in BIND. With this set up we can have our internal server configured to only have entries for the domains that need to have different responses in our private network without the need to duplicate all other entries.


Configure a response-policy in the options:

options {
  response-policy { zone "rpz"; };

Create the zone you referenced in the response-policy ("rpz")

zone "rpz" {
  type master;
  file "rpz.db";

Then populate the zone file referenced ("rpz.db")

$TTL 300
@    IN SOA localhost. root.localhost. (
          2023091201  ; serial
          86400       ; refresh, seconds
          7200        ; retry, seconds
          3600000     ; expire, seconds
          86400       ; minimum, seconds

@        IN NS

; you need the full domain here, without ending with a period   IN A          IN A      IN A  IN A

reload the configs and you should be good to go.


Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.