Setting up a blacklist

Kevin Darcy kcd at daimlerchrysler.com
Tue May 18 20:23:32 UTC 2004


/dev/rob0 wrote:

>[I missed the OP when it came up]
>
>>Daniel Rudy wrote:
>>
>>>Hello,
>>>
>>>	I've been thinking of setting up a DNS blacklist to block certain
>>>websites from being accessed.  How does one set this up, and is it
>>>feasible?
>>>
>
>Google searches are feasible!
>   http://groups.google.com/groups?selm=bv6hol%243tk%241%40sf1.isc.org&output=gplain
>Look at the whole thread. In it I tell you how I do just that. (Kevin 
>was in on that thread, too.)
>
>On Monday 17 May 2004 19:44, Kevin Darcy wrote:
>
>>It's an ugly hack, IMO. Better to use a web proxy and block it there.
>
>This is probably true too. :)
>
>
>>If you _must_ do this in DNS, I understand it involves defining each
>>name that you want to block as a separate DNS zone on *all* of your
>>servers which are used for resolving website names.
>
>That's correct, but it's more feasible than you make it sound. I use a 
>single shared "null.zone" file for all, and each zone is a one-liner in 
>my /etc/named.blacklist (brought in as an include in named.conf.)
>
>The master server sets a TXT record on its main domain whenever the 
>configuration changes. A cron job running on slaves checks this TXT 
>record against the previous value, and when it's different, it wget's 
>the updated named.blacklist from the master and does "rndc reload".
>
If all the zone definitions are identical except for the zone name and 
possibly the zone file name, why not just have a "special" DNS zone with 
one record per zone-to-be-slaved? The replication is then automatic, 
could be -- depending on your configuration -- incremental (IXFR) and, 
if PTR records are used instead of TXT records, could also benefit from 
label compression. The slave can then check periodically whether its 
slave copy of the zone has changed, and, if so, generate the updated 
zone definitions based on some sort of template. I'm not sure what value 
is gained by using wget when DNS already has a replication mechanism 
built into it...

                                       - Kevin
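
The control-zone scheme Kevin sketches, combined with rob0's single shared null.zone and generated named.conf include, worked through as an added example. This is not code posted by either of them, and the thread fixes no record layout, so the following are assumptions: the control zone is `blacklist.example.` with one PTR record per blocked site whose target is the site name (`1.blacklist.example. IN PTR badsite.example.`), the generated file is pulled into named.conf with `include "/etc/named.blacklist";`, and the transfer text would normally come from `dig +noall +answer @master blacklist.example. AXFR` (or from the slave's own copy of the zone); a constructed copy of that output is embedded so the script runs offline. The slave regenerates the include only when the control zone's SOA serial changes, refuses to act on a transfer with no SOA (so a failed transfer never empties the blacklist), rejects PTR targets that are not plain hostnames (the include is generated text, and the master's zone data should not be able to inject named.conf syntax), and swaps the file in atomically before reloading.

```shell
#!/bin/sh
# Added example, not code from the bind-users thread: build the per-site zone
# stanzas for named.conf from a DNS "control zone" and reload only on change.
# Assumed layout of blacklist.example. (the thread does not specify one):
#   1.blacklist.example. 3600 IN PTR badsite.example.
# one PTR per blocked site, the site name being the PTR target.

CONTROL_ZONE="blacklist.example."
NULL_ZONE_FILE="${NULL_ZONE_FILE:-/etc/bind/null.zone}"
# Dry-run by default; on a real slave run with RELOAD_CMD="rndc reload".
RELOAD_CMD="${RELOAD_CMD:-echo rndc reload}"

# Constructed sample of `dig +noall +answer ... AXFR` output. The lone-dot PTR
# is deliberately not a hostname and must be skipped by the generator.
sample_axfr() {
    cat <<'EOF'
blacklist.example.   3600 IN SOA ns1.example. hostmaster.example. 2004051801 3600 900 604800 300
blacklist.example.   3600 IN NS  ns1.example.
1.blacklist.example. 3600 IN PTR badsite.example.
2.blacklist.example. 3600 IN PTR ads.tracker.example.
3.blacklist.example. 3600 IN PTR www.badsite.example.
4.blacklist.example. 3600 IN PTR .
blacklist.example.   3600 IN SOA ns1.example. hostmaster.example. 2004051801 3600 900 604800 300
EOF
}

# Serial from the first SOA line: owner ttl class SOA mname rname serial ...
axfr_serial() {
    awk '$3 == "IN" && $4 == "SOA" { print $7; exit }'
}

# PTR targets owned by the control zone, validated as plain hostnames,
# trailing dot removed, deduplicated and sorted.
blocked_names() {
    awk -v zone="$CONTROL_ZONE" '
        function in_zone(n, z) {
            return n == z || substr(n, length(n) - length(z)) == "." z
        }
        $3 == "IN" && $4 == "PTR" && in_zone($1, zone) {
            if ($5 !~ /^([A-Za-z0-9-]+\.)+$/) {
                printf "skipping non-hostname PTR target %s\n", $5 > "/dev/stderr"
                next
            }
            sub(/\.$/, "", $5); print $5
        }' | sort -u
}

# One master zone per blocked name, every one backed by the same null file.
render_config() {
    while read -r name; do
        printf 'zone "%s" { type master; file "%s"; };\n' "$name" "$NULL_ZONE_FILE"
    done
}

# Assumed contents of the shared null zone. One file serves every blocked
# zone because "@" and "*" are relative to the origin named.conf gives it.
null_zone() {
    cat <<'EOF'
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
@   IN NS   localhost.
@   IN A    127.0.0.1
*   IN A    127.0.0.1
EOF
}

# Read AXFR text on stdin; regenerate $2 when the serial differs from the one
# saved in $1. Returns 0 if regenerated, 1 if unchanged, 2 if the transfer
# carried no SOA (a broken transfer must never wipe the blacklist).
update_if_changed() {
    statefile=$1; outfile=$2
    axfr=$(cat)
    new=$(printf '%s\n' "$axfr" | axfr_serial)
    [ -n "$new" ] || { echo "no SOA in transfer, keeping old config" >&2; return 2; }
    old=$(cat "$statefile" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 1
    printf '%s\n' "$axfr" | blocked_names | render_config > "$outfile.tmp" &&
        mv "$outfile.tmp" "$outfile" &&
        printf '%s\n' "$new" > "$statefile" &&
        $RELOAD_CMD
}

# Stand-alone run against the constructed sample, using a scratch directory.
tmpdir=$(mktemp -d)
sample_axfr | update_if_changed "$tmpdir/serial" "$tmpdir/named.blacklist" &&
    cat "$tmpdir/named.blacklist"
rm -rf "$tmpdir"
```

Run from cron on each slave with the `dig` transfer piped in instead of `sample_axfr`; the master's `allow-transfer` must admit the slaves, and the master-side workflow reduces to editing the control zone and bumping its serial.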