DNS Response Policy Zones (RPZ) is an open and vendor-neutral standard for the interchange of DNS firewall configuration information. It is a standard feature of BIND 9, and is expected to be supported by other (non-BIND) name servers. By utilizing it we can easily build something like Pi-hole.

RPZ file generation

Let's generate an RPZ zone file containing the hosts we want to filter, using the StevenBlack HOSTS list as input and Python to do the conversion.
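As an added example (not the post's own script), the following Python converts a hosts-format blocklist into an RPZ zone: it keeps only names blocked with 0.0.0.0 or 127.0.0.1, drops loopback entries, duplicates and malformed labels, and emits a `CNAME .` record per name so BIND answers NXDOMAIN. The hosts excerpt is constructed inline, and the output path and `rpz-filter` origin are assumed to match the configuration below.

```python
"""Build a BIND RPZ zone from a hosts-format blocklist (added example, not the post's code)."""
import re
import time

# Constructed excerpt in the StevenBlack hosts layout: comments, loopback entries,
# 0.0.0.0-blocked names, an inline comment, a duplicate and an invalid label.
SAMPLE_HOSTS = """\
# Title: StevenBlack/hosts (constructed excerpt, not the real list)
127.0.0.1 localhost
::1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.net   # inline comment
0.0.0.0 tracker.example.org ads.example.net
0.0.0.0 bad_label.example
"""

BLOCK_ADDRS = {"0.0.0.0", "127.0.0.1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost", "0.0.0.0"}
# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def hosts_to_names(text):
    """Return the unique, validated hostnames a hosts file blocks, in file order."""
    names, seen = [], set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()          # drop comments, split on whitespace
        if len(fields) < 2 or fields[0] not in BLOCK_ADDRS:
            continue                                     # not a blocking entry (e.g. ::1 localhost)
        for raw in fields[1:]:
            name = raw.lower().rstrip(".")
            if name in LOCAL_NAMES or name in seen \
               or not all(LABEL_RE.match(label) for label in name.split(".")):
                continue                                 # skip loopback, duplicates, malformed names
            seen.add(name)
            names.append(name)
    return names

def rpz_zone(names, origin="rpz-filter", serial=None):
    """Render an RPZ zone: each name owns 'CNAME .' so BIND answers NXDOMAIN for it."""
    serial = int(time.time()) if serial is None else serial  # bump the serial on every regeneration
    lines = ["$TTL 2h", f"$ORIGIN {origin}.",
             f"@ IN SOA localhost. root.localhost. {serial} 1h 15m 30d 2h",
             "@ IN NS localhost."]
    lines += [f"{name} IN CNAME ." for name in names]   # owner names are relative to $ORIGIN
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Assumed output path; matches the file named in the zone statement of named.conf.options.
    with open("/etc/bind/rpz-filter.db", "w") as f:
        f.write(rpz_zone(hosts_to_names(SAMPLE_HOSTS)))
```

To use the real list, read the downloaded hosts file into `hosts_to_names` instead of `SAMPLE_HOSTS`, then run the check and reload commands below.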

Configuration

An RPZ zone is declared in named.conf.options and then enabled through the response-policy option:

zone "rpz-filter" { type master; file "/etc/bind/rpz-filter.db"; };
options {
    response-policy { zone "rpz-filter"; };
};

Check and reload configuration:

named-checkconf
named-checkzone rpz-filter /etc/bind/rpz-filter.db
service bind9 reload

Links