Score:-2

Block IP in DNS Zone File (Instead of Domain)


I'm using the bind9 DNS server. I used to block websites using their domain name in an RPZ zone file, such as:

malicious.example CNAME .

But I need to block an IP rather than a domain, such as: 192.0.2.4 CNAME .

How can I do this? Or is the above example (192.0.2.4 CNAME .) correct?

Score:2

You can't.

IP addresses are used directly in packets. They are not translated into anything. To block IP's you have to use a firewall.

In case you want to block results containing a set of IP's, Patrick's answer covers that.

Comment by Patrick Mevzek: What does "packages" mean in that sentence? What packages? You mean network packets?

Comment by Patrick Mevzek: Also, you are wrong, bind documentation clearly states it is possible (to filter by IP address).

Comment by Patrick Mevzek: "To block IP's you have to use a firewall." When you use a "DNS firewall", which is what the RPZ feature is, the goal is not to block network traffic at the IP level but to change how resolution happens, to change results in some way to implement local policies.

Comment by vidarlo: He asks how to block IP's. IP's are never queried to the nameserver. They're used in the packet header.

Comment by Patrick Mevzek: I don't think you understand what the bind RPZ feature is nor how it works. If you say, per my answer, that you want to "block" a given IP, it means the resolver will never give back that IP address to the client, and as such the client cannot connect to it, because it won't know about it in the first place.

Comment by vidarlo: I understand that part. I just don't believe that's what OP is asking ;)
Score:1

See https://www.isc.org/docs/BIND_RPZ.pdf, page 11:

Creating a trigger rule for an IP or Subnet (v4)

Let’s say we want to rewrite any DNS queries for any hosts that resolve in the 172.16.3.0/24 subnet.

24.0.3.16.172.ns-ip IN CNAME .

As you can see, the octets in the subnet need to be reversed (similar to the way rbl in-addr.arpa works). The first number represents the subnet mask. If we only wanted to block a single IP, the first number would be 32, which represents a /32, i.e.: 32.1.3.16.172.ns-ip IN CNAME .

See also https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-rpz-00#section-4.3 which shows a use of rpz-ip instead of ns-ip (RPZ feature was first invented by/in bind, and there are attempts to make it a full standard)

Hence, it will also depend on which bind version you are using, which you don't disclose. Look at its included documentation, and the level of RPZ support it has.
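The reversed-octet rule quoted above is easy to get wrong by hand, so here is an added example (not part of the answer or of ISC's documentation) that generates the RPZ IP-trigger owner names from ordinary CIDR notation and assembles a small policy zone around them. It defaults to the rpz-ip label from the IETF draft linked above; the suffix parameter lets you emit the ns-ip label used in the quoted PDF instead. The zone name rpz.local and the SOA/NS values are placeholders I chose, and the example covers IPv4 only, matching the "(v4)" section the answer quotes.

```python
import ipaddress

# Added example: build BIND RPZ IP-trigger records from CIDR notation.
# Owner name format: "<prefixlen>.<octets in reverse order>.<label>", so
# 172.16.3.0/24 becomes 24.0.3.16.172.rpz-ip, as the ISC text describes.
# "rpz-ip" is the label from the IETF draft; pass suffix="ns-ip" to match
# the label used in the quoted PDF.


def rpz_ip_trigger(cidr: str, suffix: str = "rpz-ip") -> str:
    """Return the RPZ owner name (relative to the policy zone) for an IPv4 CIDR.

    A bare address such as "192.0.2.4" is treated as a /32.
    """
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False masks off host bits
    if net.version != 4:
        raise ValueError("this example only covers IPv4 triggers")
    octets = str(net.network_address).split(".")
    return ".".join([str(net.prefixlen), *reversed(octets), suffix])


def rpz_ip_record(cidr: str, action: str = "CNAME .", suffix: str = "rpz-ip") -> str:
    """One zone-file line. 'CNAME .' is the RPZ NXDOMAIN action; 'CNAME *.' is NODATA."""
    return f"{rpz_ip_trigger(cidr, suffix)} IN {action}"


def rpz_zone(zone: str, cidrs, serial: int = 1, ttl: int = 60) -> str:
    """Assemble a complete policy zone file. SOA/NS values are placeholders."""
    header = [
        f"$TTL {ttl}",
        f"$ORIGIN {zone}.",
        f"@ IN SOA localhost. hostmaster.{zone}. {serial} 3600 900 604800 60",
        "@ IN NS localhost.",
    ]
    return "\n".join(header + [rpz_ip_record(c) for c in cidrs]) + "\n"


if __name__ == "__main__":
    # Constructed sample input: the subnet from the ISC example plus the
    # single address from the question.
    print(rpz_zone("rpz.local", ["172.16.3.0/24", "192.0.2.4"]))
```

Write the output to a file, validate it with `named-checkzone rpz.local <file>` before loading it, and reference the zone from named.conf with `response-policy { zone "rpz.local"; };`. Note what this does and does not achieve: an rpz-ip trigger matches addresses that appear in resolved answers, so clients of this resolver never receive an address inside the listed ranges (Patrick's point in the comments), but traffic to an IP the client already knows is untouched, which is the firewall case vidarlo describes.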
