How-To Guide for RPZ / DNS Firewall.

AFrodsham
Techie
Posts: 4

Hi,

Just wondering if there is a how-to guide for RPZ / DNS Firewall when implemented on Trinzic boxes?

I am trying to get this working in my environment and I can't seem to trigger the rules....

(Running 60 day trial to see if it suits our needs and I can't get it going!)

About my setup: Running two Trinzic boxes in GRID, one Pri, one Sec. Split brain/horizon setup.
Recursion enabled on the Internal view. 

No matter what rules I apply in the RPZ I can't get it to fire... I've checked the Syslog and RPZ logs are empty.

Any guidance would be really appreciated.

Regards,

AF.

Re: How-To Guide for RPZ /

AFrodsham
Techie
Posts: 4

Never mind.  Actually identified this as a bug which has been logged with Product support.

A full restart of DNS services is needed to bring the RPZ rules into play.  

Not good on a 330,000 user production system.

Re: How-To Guide for RPZ /

Adviser
Posts: 213

This is how BIND works in terms of having to reload the named.conf file on configuration changes.  Once the zones are configured, further changes to add/remove specific entries are handled without needing to reload the configuration so they are live immediately.

Re: How-To Guide for RPZ /

AFrodsham
Techie
Posts: 4

Hi dsmith,

Unfortunately my testing has revealed this to not be the case.

I created an RPZ and added a Google rule to it, this worked after a full restart.

However, more rules added to the same RPZ were ignored until another full restart was performed.

Re: How-To Guide for RPZ /

Authority
Posts: 27

Hello Andrew, 

To clarify, you mean that you have a local feed configured and when you add entries to this feed, they are not taken into account unless you restart the service.

Could you clarify the NIOS version you run and also the exact rule you tried for Google?

Re: How-To Guide for RPZ /

AFrodsham
Techie
Posts: 4

Hi sbenfredj,

Yes, you are correct.  

It's a local feed and changes / additions do not come into effect until a full restart.

It's actually not a big issue at the moment.  We are running a Grid so the boxes restart their services in a staggered manner so we are covered.

The Google RPZ rule simply diverts SSL search requests to the standard HTTP VIP (nosslsearch.google.com) to stop kids doing SSL searches and circumventing our Cloud security solution.

encrypted.google.com goes to the same HTTP VIP.

I've actually just purchased the DNS Firewall license after successful trials.
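For readers who want to see what the rules in this thread actually do once the policy zone is loaded, here is an added example (not code from the thread, from Infoblox or from BIND) that parses a small RPZ zone file and evaluates query names against it. It covers the QNAME-trigger subset of RPZ: exact owner names, wildcard owner names, an ordinary CNAME redirect of the kind described for encrypted.google.com, and the special CNAME targets (`.`, `*.`, `rpz-passthru.`, `rpz-drop.`, `rpz-tcp-only.`) that encode the policy actions. The zone contents are constructed test data; the `*.test` names are invented, and the `ns.rpz.local` SOA/NS values are placeholders.

```python
"""Evaluate DNS RPZ (Response Policy Zone) QNAME rules against query names.

Added example for this thread; not code from the forum, Infoblox or BIND.
It implements the QNAME-trigger subset of RPZ: exact and wildcard owner
names, plus the special CNAME targets that encode the policy actions.
"""
from typing import Dict, Iterator, Optional, Tuple

# Constructed zone file for testing. The two google.com lines mirror the
# kind of redirect rule discussed in the thread; the *.test names and the
# ns.rpz.local SOA/NS values are invented placeholders.
RPZ_ZONE = """\
$TTL 300
@                     SOA   ns.rpz.local. hostmaster.rpz.local. 1 3600 900 604800 300
@                     NS    ns.rpz.local.
encrypted.google.com  CNAME nosslsearch.google.com.
www.google.com        CNAME nosslsearch.google.com.
*.malware.test        CNAME .               ; NXDOMAIN for every subdomain
allowed.malware.test  CNAME rpz-passthru.   ; exact name exempted from the wildcard
tracker.ads.test      CNAME *.              ; NODATA
*.sinkhole.test   300 IN CNAME rpz-drop.    ; drop the query (TTL and class present)
"""

Verdict = Tuple[str, Optional[str]]  # (action, local data or None)


def parse_rpz_zone(text: str) -> Dict[str, str]:
    """Map lower-cased owner names (no trailing dot) to their CNAME target."""
    rules: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop zone-file comments
        if not line or line.startswith("$"):     # skip blanks and $TTL-style directives
            continue
        fields = line.split()
        upper = [f.upper() for f in fields]
        if "CNAME" not in upper:                 # SOA, NS, ... are not policy triggers
            continue
        owner = fields[0].lower().rstrip(".")
        target = fields[upper.index("CNAME") + 1].lower()  # tolerates optional TTL/class
        rules[owner] = target
    return rules


def decode_action(target: str) -> Verdict:
    """Translate an RPZ CNAME target into the policy action it encodes."""
    special = {
        ".": "NXDOMAIN",
        "*.": "NODATA",
        "rpz-passthru.": "PASSTHRU",
        "rpz-drop.": "DROP",
        "rpz-tcp-only.": "TCP-ONLY",
    }
    if target in special:
        return (special[target], None)
    return ("LOCAL-DATA", target.rstrip("."))    # ordinary redirect, e.g. to a VIP name


def candidate_owners(qname: str) -> Iterator[str]:
    """Yield owner names that could trigger on qname, most specific first:
    the exact name, then a wildcard for each ancestor. A wildcard matches
    names below its base but not the base name itself."""
    name = qname.lower().rstrip(".")
    yield name
    labels = name.split(".")
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:])


def evaluate(qname: str, rules: Optional[Dict[str, str]] = None) -> Optional[Verdict]:
    """Return the policy verdict for qname, or None when no rule triggers."""
    if rules is None:
        rules = parse_rpz_zone(RPZ_ZONE)
    for owner in candidate_owners(qname):
        if owner in rules:
            return decode_action(rules[owner])
    return None


if __name__ == "__main__":
    for q in ("encrypted.google.com", "foo.malware.test", "allowed.malware.test",
              "tracker.ads.test", "a.b.sinkhole.test", "malware.test"):
        print(f"{q:24} -> {evaluate(q)}")
```

The precedence implemented in `candidate_owners` (exact name before wildcard, then the closest wildcard) is why `allowed.malware.test` gets PASSTHRU even though `*.malware.test` returns NXDOMAIN for its siblings; when checking a DNS Firewall deployment, evaluating a handful of names this way against the zone you think is loaded is a quick way to confirm the rules say what you intended before looking at the resolver for why nothing is firing.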
