Setting up a blacklist
Håkan Franzén
hakan.franzen at oxelosund.se
Tue May 18 08:38:31 UTC 2004
I made a small script you can use that adds domains you don't want your
clients to resolve.
Feel free to use it.
It works without any modification under redhat 7.8.9. or fedora c1.. other
unix/linux will need small modifications.
The script could be better and just reload the zone that was added, but it works
as it is with a full restart of the name service.. takes about 2 sec soo.. :)
Run the script as root.
#!/bin/sh
# Adds one domain to the BIND blacklist: a zone stanza for it is appended to
# /etc/named.conf pointing at the sinkhole zone file blockerade.zone.
echo "Enter domain you want to block (ex. microsoft.com) (just press return to Exit)"
printf "Domain: "
read domain
if [ "$domain" = "" ]; then
  echo "okey.... cya another time then.."
  exit 1
else
  echo
fi
# Already blacklisted? Look for an existing zone stanza in named.conf.
if grep -q 'zone "'"$domain"'"' /etc/named.conf; then
  echo "--------------------------------------------------------------------"
  echo "YOU HAVE ALLREADY BLACKLISTED DOMAIN: $domain Try again.."
  exit 1
else
  echo "--------------------------------------------------------------------"
  echo " "
  echo " "
fi
echo "checking your domain..."
# Only add domains that actually resolve: host prints "has address" for them.
host "www.$domain" >/tmp/finnspainternet
finnspainternet=`grep -o -m1 "has address" /tmp/finnspainternet`
if [ "$finnspainternet" = "has address" ]; then
  host "$domain"
  echo "Domain looks valid... Adding it to your black list domains.."
  echo "Making a backup of /etc/named.conf in /root"
  cp -f /etc/named.conf /root/named.conf_BACKUP
  echo "backup done...."
  echo '//AUTO-ADDED WITH Hakans Blacklist-script'>>/etc/named.conf
  echo 'zone "'"$domain"'"'>>/etc/named.conf
  echo 'in {'>>/etc/named.conf
  echo 'type master;'>>/etc/named.conf
  echo 'file "blockerade.zone";'>>/etc/named.conf
  echo 'allow-update { none; };'>>/etc/named.conf
  echo '};'>>/etc/named.conf
  echo >>/etc/named.conf
  echo
  echo "$domain added into /etc/named.conf"
  echo
  echo "Restarting name server."
  echo
  # A full restart, as the post says; a reload of named would do as well.
  service named restart
  echo
  echo "The ping should go to 127.0.0.1 (localhost, or no resolve) if it was added correctly."
  ping -c1 "www.$domain"
else
  echo " the domain: $domain is not there on Internet yet.... Try again"
fi
echo "------------------------------------------------------------------------------------"
echo "Script av Håkan Franzen / Oxelösunds kommun"
echo "------------------------------------------------------------------------------------"
#----> END OF SCRIPT!!!
This is the Zone file that the blacklisted domain will resolve to:
/var/named/blockerade.zone
$TTL 86400
@               IN SOA  YOUR.NAME.SERVER. hostmaster.YOUR.NAME.SERVER. (
                        200405143   ; serial, today's date
                        14400       ; refresh, seconds
                        7200        ; retry, seconds
                        604800      ; expire, seconds
                        86400       ; minimum, seconds
                        )
                TXT     "Blacklist zone"
                NS      YOUR.NAME.SERVER.
localhost       A       127.0.0.1
www             A       127.0.0.1
When you use the script, your named.conf will look like this at the end
after you add domains:
//AUTO-ADDED WITH Håkans Blockscript
zone "hotbar.com"
in {
    type master;
    file "blockerade.zone";
    allow-update { none; };
};
//AUTO-ADDED WITH Håkans Blockscript
zone "lunarstorm.dk"
in {
    type master;
    file "blockerade.zone";
    allow-update { none; };
};
//AUTO-ADDED WITH Håkans Blockscript
zone "skunk.se"
in {
    type master;
    file "blockerade.zone";
    allow-update { none; };
};
//AUTO-ADDED WITH Håkans Blockscript
zone "apelsin.nu"
in {
    type master;
    file "blockerade.zone";
    allow-update { none; };
};
//AUTO-ADDED WITH Håkans Blockscript
zone "123spill.com"
in {
    type master;
    file "blockerade.zone";
    allow-update { none; };
};
If you have problems feel free to email me.. I help ya..
// Håkan Franzen
// IT-Tech Oxelösunds kommun
// Tel: +46-(0)155-38188 / +46-(0)70-5763140
--------------------------------------------------------------------------------
"Nothing would please me more than being able
to hire ten programmers and deluge the hobby market
with good software." -- Bill Gates 1976
....We are still waiting
Kevin Darcy <kcd at daimlerchrysler.com>
Sent by: bind-users-bounce at isc.org
2004-05-18 02:44
To: comp-protocols-dns-bind at isc.org
Cc:
Subject: Re: Setting up a blacklist
Daniel Rudy wrote:
>Hello,
>
> I've been thinking of setting up a DNS blacklist to block certain
>websites from being accessed. How does one set this up, and is it
>feasible?
>
It's an ugly hack, IMO. Better to use a web proxy and block it there.
If you _must_ do this in DNS, I understand it involves defining each
name that you want to block as a separate DNS zone on *all* of your
servers which are used for resolving website names.
- Kevin
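The script above takes a name typed at the prompt and echoes it straight into /etc/named.conf, and Kevin's reply notes that each blocked name must appear as its own zone. The Python below is an added example, not part of the post or of the script, showing the two checks an operator would want before appending a stanza: a syntactic domain-name check on the input, and a duplicate check against the zone stanzas already in named.conf. It assumes the stanza layout the post shows (with the `in` class token kept on the `zone` line, which named.conf accepts) and a constructed SAMPLE_CONF.

```python
import re
from typing import Set, Tuple

# RFC 1123 host label: letters, digits and hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Matches the owner of every zone stanza in named.conf, e.g.  zone "hotbar.com"
ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"', re.IGNORECASE | re.MULTILINE)


def valid_domain(name: str) -> bool:
    """Syntactic check on operator input before it is written into named.conf."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def blacklisted_domains(named_conf: str) -> Set[str]:
    """Domains that already have a zone stanza (zone names are case-insensitive)."""
    return {m.group(1).lower().rstrip(".") for m in ZONE_RE.finditer(named_conf)}


def blackhole_stanza(domain: str, zone_file: str = "blockerade.zone") -> str:
    """Render the stanza the post's script appends; `in` kept on the zone line."""
    return (
        "//AUTO-ADDED WITH Hakans Blacklist-script\n"
        f'zone "{domain}" in {{\n'
        "    type master;\n"
        f'    file "{zone_file}";\n'
        "    allow-update { none; };\n"
        "};\n"
    )


def add_to_blacklist(named_conf: str, domain: str) -> Tuple[str, bool]:
    """Return (new_conf, added). Rejects malformed names; no-op if already present."""
    domain = domain.strip().lower().rstrip(".")
    if not valid_domain(domain):
        raise ValueError(f"not a valid domain name: {domain!r}")
    if domain in blacklisted_domains(named_conf):
        return named_conf, False
    sep = "" if not named_conf or named_conf.endswith("\n") else "\n"
    return named_conf + sep + blackhole_stanza(domain), True


# Constructed sample of named.conf in the layout the post shows.
SAMPLE_CONF = 'zone "hotbar.com"\nin {\n    type master;\n    file "blockerade.zone";\n};\n'
```

Run the returned configuration through named-checkconf before installing it, since the generator only guards the zone name, not the rest of the file.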