Univention Bugzilla – Bug 48996
Support Response Policy Zone (RPZ)
Last modified: 2024-01-26 18:31:04 CET
We would like to use RPZ at school server level to intercept certain DNS queries and to replace them with our configured entries. For example, Google recommends that you use DNS queries to all Google domains (google.com, google.de, etc.) with a CNAME to forcesafesearch.google.com to make sure the "Safe Search" function in Google is used. (There is currently an acute need for this in a primary school.) The additional configuration required on a UCS school slave for this could be done nearly completely via /etc/bind/local.conf.samba4, with the exception of the additionally necessary "response-policy" option in the "options {...}" block of the named.conf.samba4. Hence the question: Would it be conceivable to use a UCR variable in the future to define a response policy zone in the options block? Example:

options {
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    listen-on { any; };
    allow-query { localnets; };
    allow-recursion { localnets; };
    allow-query-cache { localnets; };
    allow-transfer { localhost; };
    listen-on-v6 { any; };
    response-policy { zone "rpz-google"; };
};
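An added example of what the "rpz-google" policy zone referenced above could contain, written here as an illustration and not taken from the report or from Univention; the file path /etc/bind/db.rpz-google and the SOA/NS placeholder names are assumptions:

```zone
; /etc/bind/db.rpz-google  (assumed path)
; Response Policy Zone that rewrites Google domains to forcesafesearch.google.com
; so that clients can only reach Google with Safe Search enforced.
$TTL 300
@                   IN SOA  localhost. root.localhost. (
                            2024012601 ; serial, bump on every change
                            3600       ; refresh
                            900        ; retry
                            604800     ; expire
                            300 )      ; negative-cache TTL
@                   IN NS   localhost.

; Exempt the rewrite target itself first: with a "*.google.com" wildcard below,
; the resolver's own lookup of forcesafesearch.google.com would otherwise also be
; rewritten and loop on itself. rpz-passthru is a standard RPZ action.
forcesafesearch.google.com   IN CNAME rpz-passthru.

; Owner names are query names (without a trailing dot, relative to the zone);
; the CNAME target is an ordinary fully qualified name.
google.com          IN CNAME forcesafesearch.google.com.
*.google.com        IN CNAME forcesafesearch.google.com.
google.de           IN CNAME forcesafesearch.google.com.
*.google.de         IN CNAME forcesafesearch.google.com.
```

The zone itself is declared in /etc/bind/local.conf.samba4 with `zone "rpz-google" { type master; file "/etc/bind/db.rpz-google"; allow-query { localhost; }; };` and only takes effect once the `response-policy { zone "rpz-google"; };` option from the report is present in the options block; `named-checkzone rpz-google /etc/bind/db.rpz-google` is the usual syntax check before reloading.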
There has been a thread at help.univention.com, too: https://help.univention.com/t/wie-funktioniert-der-dns-forwarder/9464
It would be helpful in situations with certificates and public hostnames, too. Thus, a hostname (i.e. server.public.external) could point to an internal hostname and prevent very common issues with certificates!
For a customer issue needing to overwrite the default UCS reverse zone this would have been helpful.