Blocking the new .zip TLD on Fedora

2023-05-20

Why:

Because it seems like it might provide some (idk) security benefit, and because it seemed like an interesting exercise, I wanted to figure out how to block any request to a .zip URL from my laptop.

How:

Trying to do so using the BIND DNS server

  1. Installing bind:

    dnf install bind
  2. Updating/creating various config files:

    1. Adding a zip zone to /etc/named.conf:

      //
      // named.conf
      //
      // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
      // server as a caching only nameserver (as a localhost DNS resolver only).
      //
      // See /usr/share/doc/bind*/sample/ for example named configuration files.
      //

      options {
          listen-on port 53 { 127.0.0.1; };
          listen-on-v6 port 53 { ::1; };
          directory "/var/named";
          dump-file "/var/named/data/cache_dump.db";
          statistics-file "/var/named/data/named_stats.txt";
          memstatistics-file "/var/named/data/named_mem_stats.txt";
          secroots-file "/var/named/data/named.secroots";
          recursing-file "/var/named/data/named.recursing";
          allow-query { localhost; };
          recursion yes;
          dnssec-validation yes;
          managed-keys-directory "/var/named/dynamic";
          geoip-directory "/usr/share/GeoIP";
          pid-file "/run/named/named.pid";
          session-keyfile "/run/named/session.key";

          /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
          include "/etc/crypto-policies/back-ends/bind.config";

          /* nope -- pointless */
          // response-policy { zone "zip"; };
      };

      logging {
          channel default_debug {
              file "data/named.run";
              severity dynamic;
          };
      };

      // This is new:
      zone "zip" IN {
          type master;
          file "zip-rpz";
          allow-update { none; };
      };

      zone "." IN {
          type hint;
          file "named.ca";
      };

      include "/etc/named.rfc1912.zones";
      include "/etc/named.root.key";
    2. Added /var/named/zip-rpz:

      $TTL 1D ; default expiration time of all RRs without their own TTL value
      @ IN SOA ns.zip. postmaster.ns.zip. (
              2020091025 ; serial
              7200       ; refresh
              3600       ; retry
              1209600    ; expire
              3600 )     ; negative-cache TTL
      @ IN NS ns ; nameserver
      * IN A 127.0.0.1 ; localhost (wildcard: every name under .zip)
        IN AAAA ::     ; localhost (owner name inherited from the line above)
  3. Apply temporarily

    sudo systemctl enable named
    sudo service named restart
    # wlp0s20f3 is this laptop's network interface; use your own
    resolvectl dns wlp0s20f3 127.0.0.1

    Various other commands, some useful:

    journalctl -xeu named.service
    dig url.zip
    dig example.com
    # ?? (firewalld)
    sudo firewall-cmd --add-service=dns --perm
    sudo firewall-cmd --reload
    # ?? (ownership and SELinux labels)
    sudo chgrp named -R /var/named
    sudo chown -v root:named /etc/named.conf
    sudo restorecon -rv /var/named
    sudo restorecon /etc/named.conf
  4. Apply persistently

    # /etc/systemd/resolved.conf (the systemd-resolved configuration)
    # ...
    [Resolve]
    # ...
    # add the following line inside the [Resolve] section:
    DNS=127.0.0.1
    # ...

    After rebooting, any .zip URL now “fails” to resolve:
    lookups are answered with 127.0.0.1 (or ::), where nobody is listening…

  5. Profit
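To confirm the sinkhole is actually in effect (rather than trusting `dig` by eye), here is a small stdlib-only DNS client, added as an example and not part of the original post. It builds a raw A/AAAA query, sends it to the resolver, and checks that every answer is one of the addresses the zip-rpz wildcard hands out. Assumptions not stated on the page: the resolver address `RESOLVER` (the local bind from the post on 127.0.0.1:53), the `SINKHOLES` set mirroring the zone's wildcard records, and `SAMPLE_RESPONSE`, a constructed packet so the parser can be exercised offline.

```python
"""Added example (not from the original post): check that a resolver
sinkholes names under a blocked TLD, using only the standard library.
Assumptions: RESOLVER is the post's local bind instance; SINKHOLES are the
addresses the zip-rpz wildcard answers with; SAMPLE_RESPONSE is constructed.
"""
import ipaddress
import os
import socket
import struct

RESOLVER = ("127.0.0.1", 53)      # assumption: the local bind from the post
SINKHOLES = {"127.0.0.1", "::"}   # what the zip-rpz wildcard A/AAAA return
TYPE_A, TYPE_AAAA = 1, 28
CLASS_IN = 1


def build_query(name, qtype, txid=0x1234):
    """Encode a single-question DNS query (RD=1) in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_answers(msg):
    """Return A/AAAA addresses from the answer section; [] on a non-zero RCODE."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if flags & 0x000F:                # RCODE != 0, e.g. NXDOMAIN or SERVFAIL
        return []
    off = 12
    for _ in range(qd):               # step over the echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(rdata)))
        elif rtype == TYPE_AAAA and rdlen == 16:
            addrs.append(str(ipaddress.IPv6Address(rdata)))
    return addrs


def is_sinkholed(addrs):
    """True only if at least one address came back and all are sinkholes."""
    return bool(addrs) and all(a in SINKHOLES for a in addrs)


def query(name, qtype=TYPE_A, resolver=RESOLVER, timeout=2.0):
    """Send one UDP query and return the parsed addresses (txid must match)."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype, txid), resolver)
        data, _ = sock.recvfrom(4096)
    if len(data) < 12 or struct.unpack_from("!H", data, 0)[0] != txid:
        raise ValueError("response id does not match query")
    return parse_answers(data)


# Constructed sample (not a captured packet): the response the zip-rpz
# wildcard would give for "example.zip A", one A record of 127.0.0.1.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header: QR RD RA, 1q 1a
    b"\x07example\x03zip\x00\x00\x01\x00\x01"             # question: example.zip A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x01\x51\x80\x00\x04"   # name ptr, A, IN, TTL 1D, len 4
    b"\x7f\x00\x00\x01"                                   # 127.0.0.1
)


if __name__ == "__main__":
    for name in ("example.zip", "deep.sub.zip", "example.com"):
        try:
            addrs = query(name, TYPE_A) + query(name, TYPE_AAAA)
        except (OSError, ValueError) as exc:
            print(f"{name}: query failed ({exc})")
            continue
        verdict = "BLOCKED" if is_sinkholed(addrs) else "not blocked"
        print(f"{name}: {addrs or 'no answer'} -> {verdict}")
```

Run it after step 3 or step 4: the .zip names should report BLOCKED with 127.0.0.1 and ::, and example.com should resolve normally. Note that `is_sinkholed` returns False for an empty answer, so an NXDOMAIN (which you would get if the zone failed to load and the query went out to the real .zip servers for a non-existent name) is correctly reported as not blocked rather than mistaken for a successful sinkhole.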