Using bind and ad blocking
Olliver Schinagl
oliver at schinagl.nl
Fri Feb 5 21:28:59 UTC 2016
Hey Mark,
On 23-01-16 23:13, Mark Andrews wrote:
> In message <56A3E6C7.5020505 at schinagl.nl>, Olliver Schinagl writes:
>> Hi list,
>>
>> recently I updated to bind-9.10 and noticed that an illegal setup was
>> finally disallowed. Good thing, but I (and others, I'm sure) kind of
>> misused this ability. With the change, however, I am now looking for
>> help on restoring similar behavior. Let me explain.
>>
>> As we all know, ads are everywhere and can be quite troublesome. Because
>> of this I block many known adservers internally via bind. To obtain this
>> list of adservers, I use http://pgl.yoyo.org/adservers/ which generates
>> a file with the following syntax:
>>
>> zone "example.com" { type master; notify no; file "pri/null.zone"; };
>>
>> The Null zone looks as follows:
>>
>> ; BIND db file for ad servers - point all addresses to an invalid IP
>> $TTL 864000 ; ten days
>>
>> @ IN SOA ns0.example.net. hostmaster.example.net. (
>> 2008032800 ; serial number YYYYMMDDNN
>> 288000 ; refresh 80 hours
>> 72000 ; retry 20 hours
>> 8640000 ; expire 100 days
>> 864000 ) ; min ttl 10 day
>> NS ns0.example.net.
>>
>> A 0.0.0.0
>>
>> * IN A 0.0.0.0
>>
>> Obviously, with this and the many (generated) zones, having one dummy
>> zone sounds logically reasonable.
>>
>> These adservers are included in my 'internal' view as such:
>>
>> view "internal" {
>> match-clients { internal; trusted; };
>> recursion yes;
>>
>> include "/etc/bind/dlz_internal.conf";
>>
>> # include "/etc/bind/adservers.conf";
>> };
>>
>> adservers.conf is commented out here because bind now fails on it.
>>
>> My question is, what is a good method to do this with the latest bind. I
>> tried to find some way to disable updates or mark the view/include as
>> 'read-only' but have not found this out as of yet.
>>
>> Any tips and tricks appreciated!
>>
>> Olliver
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>> from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> Presumably you have a zone which has pri/null.zone as a slave,
> or you have global/view-level dynamic updating of all master zones
> turned on, as just sharing a read-only master zone is still permitted.
I have searched but haven't found how this is done. Can you show me an
example or keywords I can search for?
I do think I have enabled dynamic updating of all master zones, but I
cannot find the flag to change this on a per zone or per view basis.
My main 'view' looks like this:
view "internal" {
match-clients { internal; trusted; };
recursion yes;
include "/etc/bind/local.conf";
include "/etc/bind/dlz_internal.conf";
include "/etc/bind/adservers.conf";
};
Where adservers.conf looks like:
zone "101com.com" { type master; notify no; file "pri/null.zone"; };
zone "101order.com" { type master; notify no; file "pri/null.zone"; };
etc ...
>
> Mark
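As an added illustration of the distinction Mark draws (this is not configuration from the thread), the fragment below shows the two shapes the "internal" view can take. It assumes that a view-level `allow-update` is what makes the shared-file zones writable in this setup; the `updaters` ACL name is invented for the example, while the zone names, the `trusted` ACL and `pri/null.zone` come from the post. The two `view` blocks are alternatives, not meant to coexist in one named.conf.

```conf
// Added example, not from the original post. The view-level
// allow-update is an assumption about why the shared file became
// writable; "updaters" is an assumed ACL name.

// Before: a view-level allow-update applies to every master zone in
// the view, including all the generated ones that share pri/null.zone.
// Since BIND refuses a file that is referenced by more than one zone
// unless it is read-only in all of them, named fails to load.
view "internal" {
    match-clients { internal; trusted; };
    recursion yes;
    allow-update { updaters; };     // inherited by every master zone below

    include "/etc/bind/adservers.conf";
};

// After: the view-level setting stays for the zones that need it, and
// each generated null zone overrides it explicitly, so pri/null.zone is
// read-only everywhere it is referenced and sharing it is permitted.
view "internal" {
    match-clients { internal; trusted; };
    recursion yes;
    allow-update { updaters; };

    // contents of a regenerated adservers.conf, one stanza per domain:
    zone "101com.com" {
        type master;
        notify no;
        allow-update { none; };     // zone-level setting wins over the view-level one
        file "pri/null.zone";
    };
    zone "101order.com" {
        type master;
        notify no;
        allow-update { none; };
        file "pri/null.zone";
    };
};
```

The per-zone override can be added to an existing generated file with a one-line substitution, e.g. `sed -i 's/notify no;/notify no; allow-update { none; };/' /etc/bind/adservers.conf`, and `named-checkconf -z` then test-loads every master zone and reports whether the shared file is still rejected. If the cause is instead the other case Mark mentions, a slave zone whose `file` is also `pri/null.zone`, that zone needs its own file, since a slave zone is always writable.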