09-25-2013 08:39 PM
Just wondering if there is a how-to guide for RPZ / DNS Firewall when implemented on Trinzic boxes?
I am trying to get this working in my environment and I can't seem to trigger the rules....
(Running 60 day trial to see if it suits our needs and I can't get it going!)
About my setup: running two Trinzic boxes in a Grid, one Pri, one Sec. Split brain/horizon setup.
Recursion enabled on the Internal view.
No matter what rules I apply in the RPZ I can't get it to fire... I've checked the Syslog and the RPZ logs are empty.
Any guidance would be really appreciated.
09-26-2013 04:31 PM
Never mind. Actually identified this as a bug which has been logged with Product support.
A full restart of DNS services is needed to bring the RPZ rules into play.
Not good on a 330,000 user production system.
09-29-2013 06:59 AM
This is how BIND works in terms of having to reload the named.conf file on configuration changes. Once the zones are configured, further changes to add/remove specific entries are handled without needing to reload the configuration so they are live immediately.
09-29-2013 03:57 PM
Unfortunately my testing has revealed this to not be the case.
I created an RPZ and added a Google rule to it, this worked after a full restart.
However, additional rules added to the same RPZ were ignored until another full restart was performed.
10-08-2013 07:10 AM
To clarify, you mean that you have a local feed configured and when you add entries to this feed, they are not taken into account unless you restart the service.
Could you clarify the NIOS version you run and also the exact rule you tried for Google?
10-08-2013 03:30 PM
Yes, you are correct.
It's a local feed and changes / additions do not come into effect until a full restart.
It's actually not a big issue at the moment. We are running a Grid so the boxes restart their services in a staggered manner so we are covered.
The Google RPZ rule simply diverts SSL search requests to the standard HTTP VIP (nosslsearch.google.com) to stop kids doing SSL searches and circumventing our Cloud security solution.
encrypted.google.com goes to the same HTTP VIP.
I've actually just purchased the DNS Firewall license after successful trials.
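For readers trying to reproduce the rule the thread describes, here is what it looks like as a locally fed RPZ in standard BIND zone syntax. This is an added example, not the poster's configuration and not an Infoblox-supplied file; the zone name, SOA values and the exact trigger names (encrypted.google.com and www.google.com) are assumptions, with only the redirect target taken from the thread.

```zone
; Constructed example of a local RPZ feed (not the poster's configuration).
; Zone name and SOA/NS values are placeholders; the CNAME target is the
; HTTP VIP named in the thread.
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 2013100801 3600 900 604800 300 )
    IN NS   localhost.

; QNAME triggers: the owner name is the queried name, relative to the RPZ apex.
; A CNAME to a real hostname is a "redirect" action: the client is sent to the
; alternate host instead of receiving NXDOMAIN or a walled-garden address.
encrypted.google.com    IN CNAME nosslsearch.google.com.
www.google.com          IN CNAME nosslsearch.google.com.
```

In stock BIND the zone is attached with `response-policy { zone "<rpz-zone-name>"; };` in named.conf, and after that each edit only needs the SOA serial bumped and the zone reloaded (`rndc reload <rpz-zone-name>`) for new triggers to take effect, which is the behaviour the 09-29 reply refers to; the thread's point is that the NIOS build under test did not behave that way and needed a full DNS service restart. A quick check from a client is a lookup of one of the trigger names through the recursive server and confirming the answer is the CNAME above; with RPZ logging enabled, the same query should also appear in the RPZ log, which is the first thing to look at when rules seem not to fire.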