Settng up a blacklist

Håkan Franzén hakan.franzen at oxelosund.se
Tue May 18 08:38:31 UTC 2004


I made a small script you can use that adds domains you don't want your
clients to resolve. Feel free to use it.
It works without any modification under Red Hat 7, 8, 9 or Fedora Core 1; other
Unix/Linux will need small modifications.

The script could be improved to just reload the zone that's been added, but it
works as it is with a full restart of the name service, which takes about 2 sec, so.. :)

Run script as root.



#!/bin/sh
# Blacklist a domain in BIND: append a master zone for it to /etc/named.conf
# that uses the shared blockerade.zone file, then restart named.
# Must run as root (it writes /etc/named.conf and restarts the service).
if [ "$(id -u)" -ne 0 ]; then
    echo "Run this script as root."
    exit 1
fi

echo "Enter domain you want to block (ex. microsoft.com) (just press return to Exit)"
echo -n "Domain: "
read -r domain
if [ "$domain" = "" ]; then
    echo "okey.... cya another time then.."
    exit 1
else
    echo
fi

# Already blacklisted? Look for the domain's zone statement in named.conf.
# (The original grep'd /tmp/blockeddomainstmp, which nothing ever wrote to,
# so the check could never fire.)
if grep -qF "zone \"$domain\"" /etc/named.conf; then
    echo "--------------------------------------------------------------------"
    echo "YOU HAVE ALREADY BLACKLISTED DOMAIN: $domain Try again.."
    exit 1
else
    echo "--------------------------------------------------------------------"
    echo " "
    echo " "
fi

echo "checking your domain..."

# Only block names that actually resolve on the Internet right now.
if host "www.$domain" | grep -q "has address"; then
    host "$domain"
    echo "Domain looks valid... Adding it to your black list domains.."
    echo "Making a backup of /etc/named.conf in /root"
    cp -f /etc/named.conf /root/named.conf_BACKUP
    echo "backup done...."
    # Append the zone statement; every blacklisted zone shares blockerade.zone.
    cat >>/etc/named.conf <<EOF
//AUTO-ADDED WITH Hakans Blacklist-script
zone "$domain"
in {
type master;
file "blockerade.zone";
allow-update { none; };
};

EOF
    echo
    echo "$domain added into /etc/named.conf"
    echo
    echo "Restarting name server."
    echo
    # Full restart; reloading just the new zone would also do, as noted above.
    service named restart
    echo
    # Parentheses must be quoted here or sh rejects the line.
    echo "The ping should go to 127.0.0.1 (localhost, or no resolve) if it was added correctly."
    ping -c1 "www.$domain"
else
    echo " the domain: $domain is not there on Internet yet.... Try again"
fi
echo "------------------------------------------------------------------------------------"
echo "Script av Håkan Franzen / Oxelösunds kommun"
echo "------------------------------------------------------------------------------------"


;----> END OF SCRIPT!!!



This is the Zone file that the blacklisted domain will resolve to: 
/var/named/blockerade.zone

$TTL 86400
@       IN      SOA     YOUR.NAME.SERVER. hostmaster.YOUR.NAME.SERVER. (
                        200405143       ; serial, todays date
                        14400           ; refresh, seconds
                        7200            ; retry, seconds
                        604800          ; expire, seconds
                        86400           ; minimum, seconds
                         )
                TXT     "Blacklist zone"
                NS      YOUR.NAME.SERVER.
localhost       A       127.0.0.1
www             A       127.0.0.1



When you use the script, your named.conf will look like this at the end
after you add domains:

//AUTO-ADDED WITH Håkans Blockscript
zone "hotbar.com"
in {
type master;
file "blockerade.zone";
allow-update { none; };
};

//AUTO-ADDED WITH Håkans Blockscript
zone "lunarstorm.dk"
in {
type master;
file "blockerade.zone";
allow-update { none; };
};

//AUTO-ADDED WITH Håkans Blockscript
zone "skunk.se"
in {
type master;
file "blockerade.zone";
allow-update { none; };
};

//AUTO-ADDED WITH Håkans Blockscript
zone "apelsin.nu"
in {
type master;
file "blockerade.zone";
allow-update { none; };
};

//AUTO-ADDED WITH Håkans Blockscript
zone "123spill.com"
in {
type master;
file "blockerade.zone";
allow-update { none; };
};



If you have problems, feel free to email me.. I'll help ya..

// Håkan Franzen
// IT-Tech Oxelösunds kommun
// Tel: +46-(0)155-38188 / +46-(0)70-5763140
--------------------------------------------------------------------------------
"Nothing would please me more than being able
to hire ten programmers and deluge the hobby market
with good software." -- Bill Gates 1976

....We are still waiting
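
Two things a practitioner would want around the "add zone" step in the script above, as an added example (not Håkan's script): whatever is typed at the prompt goes verbatim into /etc/named.conf, so a stray quote or brace breaks the config and the restart takes the resolver down with it; the version below only accepts a plain hostname, lets named-checkconf validate a scratch copy before it is installed, and uses rndc reload instead of a full restart. The /etc/named.conf path, and rndc being set up for the server, are assumptions.

```shell
#!/bin/sh
# Hardened "add a blacklisted zone" step (added example; assumes BIND's
# named-checkconf and rndc are installed and the config lives at NAMED_CONF).
NAMED_CONF=${NAMED_CONF:-/etc/named.conf}

# Accept only a plain hostname: labels of letters, digits and hyphens joined by
# dots, alphabetic TLD. Quotes, braces, semicolons and whitespace are rejected,
# so nothing that could alter named.conf's structure reaches the file.
valid_domain() {
    printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# The same zone statement the original script appends, as one printf.
zone_stanza() {
    printf 'zone "%s" in {\n\ttype master;\n\tfile "blockerade.zone";\n\tallow-update { none; };\n};\n' "$1"
}

# Is the domain already blacklisted in config file $2? (fixed-string match)
already_blocked() {
    grep -qF "zone \"$1\"" "$2"
}

# Append the stanza to a scratch copy, let named-checkconf validate it, and only
# then install it and reload; a broken config never reaches the running resolver.
add_blocked_domain() {
    domain=$1
    valid_domain "$domain" || { echo "refusing '$domain': not a valid hostname" >&2; return 1; }
    already_blocked "$domain" "$NAMED_CONF" && { echo "$domain is already blacklisted" >&2; return 1; }
    tmp=$(mktemp /tmp/named.conf.XXXXXX) || return 1
    cat "$NAMED_CONF" >"$tmp" && zone_stanza "$domain" >>"$tmp" || { rm -f "$tmp"; return 1; }
    if ! named-checkconf "$tmp"; then
        echo "named-checkconf rejected the new config; $NAMED_CONF left untouched" >&2
        rm -f "$tmp"; return 1
    fi
    # cat > keeps the original file's owner, mode and SELinux context.
    cp -f "$NAMED_CONF" "$NAMED_CONF.bak" && cat "$tmp" >"$NAMED_CONF"
    rm -f "$tmp"
    rndc reload
}

# Usage: sh blacklist.sh example.com
if [ -n "$1" ]; then add_blocked_domain "$1"; fi
```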




Kevin Darcy <kcd at daimlerchrysler.com>
Sent by: bind-users-bounce at isc.org
2004-05-18 02:44
 
        To:     comp-protocols-dns-bind at isc.org
        Cc: 
        Subject: Re: Settng up a blacklist


Daniel Rudy wrote:

>Hello,
>
>I've been thinking of setting up a DNS blacklist to block certain
>websites from being accessed.  How does one set this up, and is it feasible?
>
It's an ugly hack, IMO. Better to use a web proxy and block it there.

If you _must_ do this in DNS, I understand it involves defining each 
name that you want to block as a separate DNS zone on *all* of your 
servers which are used for resolving website names.

- Kevin






