How to configure RPZ - DNS Firewall on BIND 9

BIND is the world's most used DNS server and can be configured as a DNS Firewall using RPZ zone files. Response Policy Zone (RPZ) enables DNS administrators to selectively block name resolution of Internet resources known to be used by cyber criminals.

Malware Patrol provides three zone files compatible with BIND 9 RPZ to its SMB customers. They contain domains used to host C&Cs (command and control servers), domain names generated via DGAs (domain generation algorithms) used by malware and ransomware, and domains hosting malware binaries. Using them as a DNS Firewall denies access to resources involved in malware and ransomware activities. DNS queries for these domains return a special address that advises users on why the access was blocked, which prevents malware and ransomware infections, communications with C&Cs, and use of the drop zones commonly employed to exfiltrate information. You can implement any or all zone files at your discretion. Follow these simple steps to configure your BIND 9 instance and protect the internal network, computers and users.

Please be advised that the usage of the "malware binaries" RPZ zone may result in blocking large well known websites that are actively hosting malware and ransomware samples. The use of the "DGAs" and "C&Cs" zone files is less likely to deny access to renowned websites.

It is also worth noticing that at this point Malware Patrol offers RPZ zone files for download, not access to our DNS servers for RPZ zone transfers.

1) Make sure your BIND 9 is installed and working properly. There are several resources on the Internet that can help you install it depending on your platform. If you are experiencing trouble, start at: https://www.isc.org/downloads/bind/. You should also be able to use distribution-specific tools like apt-get and yum. For example: apt-get install bind9.


2) Determine the path to the configuration files used by BIND. It will most likely be /etc/bind or /etc/named. One way to find the path is to issue this command: find / -name named.conf

3) Notice: the path /etc/bind will be used throughout this How To; please adapt the commands shown here appropriately if your path is different.

4) Change to the directory that contains BIND configuration files, for example: cd /etc/bind

5) Set up cron jobs to regularly download the appropriate zone file(s) to the BIND configuration directory. URLs for the zone files can be found in your SMB data feeds page. The RPZ - DNS Firewall data feeds are updated every hour. You can use the MD5 hashes to validate the file's integrity.

6) Add the following lines to "named.conf.default-zones", according to the zones you want to use:

zone "mp_rpz_c2" {
   type master;
   file "/etc/bind/mp_rpz_c2.db";
};

zone "mp_rpz_dga" {
   type master;
   file "/etc/bind/mp_rpz_dga.db";
};

zone "mp_rpz_malware" {
   type master;
   file "/etc/bind/mp_rpz_malware.db";
};


7) Add the following lines to "named.conf.options" under the "options" section, according to the zones you want to use:

response-policy {
   zone "mp_rpz_c2";
   zone "mp_rpz_dga";
   zone "mp_rpz_malware";
};


8) Restart BIND with the following command: service bind9 restart
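As an added example that ties steps 5 and 8 together (this is not Malware Patrol's own script), the following POSIX shell helper verifies a downloaded zone file against its published MD5 hash, checks its syntax with named-checkzone before BIND ever loads it, installs it atomically into the BIND directory and, going slightly beyond step 8, reloads just that zone with rndc instead of restarting the whole server. The feed URLs, the name of the .md5 companion file and the RPZ_RUN variable are placeholders and assumptions; take the real URLs from your SMB data feeds page.

```shell
#!/bin/sh
# Hypothetical cron helper for Malware Patrol RPZ zone files (example code,
# not the vendor's script). Run hourly from cron with RPZ_RUN=1.
set -eu

# BIND configuration directory from step 4; adapt if yours differs.
BIND_DIR="${BIND_DIR:-/etc/bind}"

# install_rpz_zone ZONE_NAME DOWNLOADED_FILE EXPECTED_MD5 [DEST_DIR]
# Verifies and installs one zone file; returns 0 on success, 1 otherwise.
# The downloaded file is only moved into place after both checks pass.
install_rpz_zone() {
    zone="$1"; src="$2"; expected="$3"; dest_dir="${4:-$BIND_DIR}"
    dest="$dest_dir/$zone.db"

    # 1. Integrity: the MD5 published with the feed must match the download.
    actual=$(md5sum "$src" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "$zone: MD5 mismatch (got $actual, expected $expected)" >&2
        return 1
    fi

    # 2. Syntax: reject a truncated or malformed file so a bad download
    #    cannot stop named from loading the zone.
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$zone" "$src" || {
            echo "$zone: named-checkzone rejected the file" >&2; return 1; }
    fi

    # 3. Atomic replace: named never sees a half-written zone file.
    mv -f "$src" "$dest"
    return 0
}

# Cron driver. URLs are placeholders; the .md5 file is assumed to be in
# "md5sum" format (hash first, then the file name).
if [ "${RPZ_RUN:-0}" = "1" ]; then
    for zone in mp_rpz_c2 mp_rpz_dga mp_rpz_malware; do
        tmp=$(mktemp)
        curl -fsS -o "$tmp" "https://EXAMPLE-FEED-URL/$zone.db"
        md5=$(curl -fsS "https://EXAMPLE-FEED-URL/$zone.db.md5" | cut -d' ' -f1)
        if install_rpz_zone "$zone" "$tmp" "$md5"; then
            rndc reload "$zone"        # reload only this zone, not all of BIND
        else
            rm -f "$tmp"               # keep the previous good zone file
        fi
    done
fi
```

rndc reload requires a working rndc key on the server; if it is not set up, fall back to the service restart from step 8.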

To make this setup effective, you should configure your customers' DNS server(s) to point to this BIND instance. This can be easily achieved via DHCP. Still, customers may manually configure their systems to use external DNS servers, thereby bypassing this protection mechanism. To avoid that, apply firewall rules that properly deny traffic to external DNS servers.

This should be all you need to do. After that, browsers and applications that query your DNS server to resolve malicious domains will receive a safe response and won't reach bad content.

If you experience any difficulties configuring BIND 9 to use Malware Patrol, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.
