No description, website, or topics provided.

AWS AMI for easy experimenting with DNS Firewalls & Response Rate Limiting

The purpose of this git repository is to encourage the use of Response Policy Zones feature of BIND by making it easy to start up your own instance on your own AWS account and

  • Immediately test and use RPZ2 with an already-working config.
  • Helper scripts to assist in maintaining white and block zones are included in this repository.
  • Facilitate folks providing free or commercial RPZones to each other.

Resources about the Response Policy Zones feature of BIND are provided here.

For reasons of security, we detail how the instance was created in the file named

If you don't want to use DNS Firewall features and are just trying out Response Rate Limiting, don't do the configuration below. Just go here.

First time config for DNS Firewall use:

Request the AMI to be shared with your AWS account by sending your AWS account number and identifying yourself to @secure411dotorg

Or search community AMIs for the term rpzone

Start the instance up on your own AWS account which will use your own ssh key and security group.

ssh into the instance

sudo /etc/init.d/bind9 stop stop BIND in case it is running

sudo /usr/sbin/rndc-confgen -a generate a new rndc.key unique to your instance

grep -l CONFIGME /etc/bind/named will list the files you need to edit

To restart BIND: sudo /etc/init.d/bind9 start

If BIND does not start, check /var/log/syslog to find out what you need to fix.

Send test queries

Example white and block lists

A working config with D.R.O.P. as blocklist and the top 5000 sites from Alexa as the whitelist is provided.

Outline of the list updating process:

Data is refreshed by a script on a crontab

/opt/rpzone/scripts$ ./

New data is detected by polling on crontab for a new data flag file.

You can lower the propagation delay and elminated zone reloading for your own zones by using the nsupdate command. See Minimize Propagation Delay for High Update Frequency Blocklists

See also:


BIND is very picky about syntax. Always check the log file after altering a config file, restarting BIND, or using rndc reconfig. rndc reconfig will not show an error message for syntax issues with a config file. The log will show the error. Look at running processes such as by using ps auxfwww1 to see if named is in the process list.

Port 53 TCP needs to be open for IXFR. allow-query must include slaves because they will send an SOA query.