[debian] Installation d’un DNS menteur avec bind9 rpz

Install the server with apt:

apt-get install bind9

Edit config file:

nano /etc/bind/named.conf.options

Add response-policy directive with your zone:

response-policy { zone "loppsi.gouv.fr"; };

Edit config file:

nano /etc/bind/named.conf.local

Create your zone:

zone "loppsi.gouv.fr" {
      type master;
      file "/etc/bind/db.loppsi.gouv.fr";
      allow-query {none;};

Create config file:

nano /etc/bind/db.loppsi.gouv.fr

Add your rules:

; Beginning of the zone, some mandatory values

@   SOA gueant.interieur.gouv.fr. root.elysee.fr (2011031800 2h 30m 30d 1h)
    NS gueant.interieur.gouv.fr.

; Filtering rules
; NXDOMAIN will be sent back
google-analytics.com         CNAME   .
*.google-analytics.com         CNAME   .

; NOERROR, ANSWER=0 will be sent back
enlarge-your-penis.biz           CNAME   *.
*.enlarge-your-penis.biz         CNAME   *.

; Replace the address by ours
; Since we provide only a AAAA, A queries will get NOERROR,ANSWER=0
ads.example.net             AAAA 2001:db8::1

Restart the server:

service bind9 restart

Testing with dig:

# Simple with default dns
dig google-analytics.com

# Choose DNS server
dig @ google-analytics.com

# Choose DNS server and port
dig @ -p 9053 google-analytics.com

Source : http://www.bortzmeyer.org/rpz-faire-mentir-resolveur-dns.html