A slick and DIY RPZ for people who want to roll their own.

This'll make the necessary config and zone file to make an rpz.blacklist Response Policy Zone configuration on modern BIND implementations.

An example configuration file is in ky-rpz.config.example. Copy this to ky-rpz.config and update the paths.

You'll need to enable the response-policy option in BIND. This requires version 9.9 and above. Add this line to /etc/bind/named.conf.options inside the existing squiggly braces: response-policy { zone "rpz.blacklist"; };

Make sure you add the blacklist zone file to your config. For example, I added include "/etc/bind/named.conf.ky-rpz"; to /etc/bind/named.conf.local on a Debian machine.

Set your configuration variables in conf/env.env (an example is in conf/env.env.example) and run build.sh.

Put an entry in conf/env.env

To spin up a new instance: docker run --name "ky-rpz" -p 53:53/udp -p 53:53 --rm yaleman/ky-rpz

To force an update of the definitions (should happen hourly in cron): docker exec -it ky-rpz /opt/ky-rpz/bin/update.sh

Below is a section of the default configuration file from Ubuntu's squid package (/etc/squid/squid.conf). We've added the kyrpz block to the top, just below the "INSERT YOUR OWN RULES" section. Do this yourself, and it'll do the needful.

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl kyrpz dstdomain "/etc/squid/ky-rpz.acl"
http_access deny kyrpz

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all

• Test in production
• Support a variable for "only leave these in the output dir"
• Make the caching better

• https://dnsrpz.info/

• http://www.malwaredomains.com/
• https://pgl.yoyo.org/as/#about
• https://abuse.ch