using bind for blacklist of domains

Kevin Darcy kcd at chrysler.com
Tue Mar 24 22:37:56 UTC 2009


dhottinger at harrisonburg.k12.va.us wrote:
> Quoting Kevin Darcy <kcd at chrysler.com>:
>
>> dhottinger at harrisonburg.k12.va.us wrote:
>>> Quoting Doug McIntyre <merlyn at dork.geeks.org>:
>>>
>>>> In comp.protocols.dns.bind you write:
>>>>> Has anyone used their internal dns server for blacklisting? I would
>>>>> like to specifically block access to domains that are spreading
>>>>> malware. I was grepping around the internet and fell upon this
>>>>> website http://www.malwaredomains.com/, but dont seem to be able to
>>>>> get my internal name server to like any of the configs I push on it.
>>>>> thanks for any advice that might be offered.
>>>>
>>>> It should be easy enough to take the list, parse it into config line
>>>> items pointing to a single zone file that just maps * to 127.0.0.1 or
>>>> something.
>>>>
>>>> Or you could just use OpenDNS?
>>>>
>>>> (Not that I use them, but thats one of the free features they 
>>>> support).
>>>>
>>>
>>> Sounds good and that is what I thought (except for OpenDNS), however 
>>> I created a zone file named blacklist.host and added an entry into 
>>> my named.conf file that said
>>> zone "00.devoid.us" {
>>> type master;
>>> file "blockeddomains.host";
>>> };
>>>
>>> When I restart named I get the following error message in my message 
>>> logs:
>>>
>>> Mar 24 14:14:14.970 dns_master_load: blockeddomains.host:9: no 
>>> current owner name
>>> Mar 24 14:14:14.971 zone 00.devoid.us/IN: loading master file 
>>> blockeddomains.host: no owner
>>> I actually have 8 existing zones on this server and they each have a 
>>> root server listed in their zone files. Do I need to have a root 
>>> server in this one?
>>>
>> This isn't an architecture problem, it's a syntax error in the zone 
>> file.
>>
>> If you post the contents of the file, up to line 9, we should be able
>> to spot the syntax error and explain to you how to fix it.
>>
>> - Kevin
>>
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
> Contents of blockeddomains.host:
> $TTL 86400 ; one day
>
> @ IN SOA ns.hhs.harrisonburg.k12.va.us
> (
> 2004061000 ; serial number 09032401
> 28800 ; refresh 8 hours
> 7200 ; retry 2 hours
> 864000 ; expire 10 days
> 86400 ) ; min ttl 1 day
> NS ns1.harrisonburg.k12.va.us.
> NS ns2.harrisonburg.k12.va.us.
>
> A 0.0.0.0
>
> * IN A 0.0.0.0
Before the all-numeric fields, your SOA record needs both an MNAME field 
and an RNAME field. MNAME (which you have) should be the name of the 
primary master; but if you fully-qualify the name you should 
dot-terminate it, to keep the zone origin ("00.devoid.us") from being 
appended. RNAME is a standard SMTP contact email address for the zone, 
e.g. admin at harrisonburg.k12.va.us, with the @ in the email address 
replaced with a dot. As with MNAME, make sure to dot-terminate RNAME too 
if the domain part of the email address is fully-qualified. Your SOA 
should have a total of 7 fields; you're only showing 6: RNAME is missing. 
A syntactically-better SOA might look like

@ IN SOA ns.hhs.harrisonburg.k12.va.us. admin.harrisonburg.k12.va.us. (
2004061000
28800
7200
864000
86400
)

Beyond that, I can't really tell because of the way email gets 
reformatted, but if you have any whitespace before "@" or "*", that's 
going to be a problem; the opening parenthesis should also be on the 
first SOA line.

Last and least, the "min ttl" comment is misleading. The last field of 
the SOA record is now used as the "negative caching TTL", not "minimum" 
in any sense of the word. The comment should probably reflect that.

Note that you can use the named-checkzone utility -- included in the 
BIND distribution -- to check a zone file for syntax errors, without 
actually trying to get named to load the file.
- Kevin
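The following is an added example, not code from the thread or from the BIND distribution: it does what Doug McIntyre suggested (turn a one-domain-per-line list into one `zone` stanza per domain, all pointing at a single shared sinkhole zone file) using the SOA layout Kevin describes, and then runs named-checkzone on the result when it is installed. The MNAME/RNAME values, file names and the sample list are assumptions chosen for illustration; the list entries are constructed, not a real feed.

```shell
#!/bin/sh
# Added example (not from the thread): build a BIND "sinkhole" blacklist from
# a plain list of domains. MNAME/RNAME and all file names are assumptions.
set -eu

ZONE_FILE="blockeddomains.host"     # one zone file shared by every blocked zone
SINK_ADDR="0.0.0.0"                 # or 127.0.0.1; anything unroutable works
MNAME="ns1.example.net."            # hypothetical primary master, dot-terminated
RNAME="hostmaster.example.net."     # hypothetical hostmaster@example.net, @ -> dot

# Print the shared zone file. All seven SOA fields are present, the opening
# parenthesis is on the SOA line, owner names ("@", "*") start in column 0,
# and every fully-qualified name ends in a dot so the origin is not appended.
gen_zone_file() {
    serial=${1:-$(date +%Y%m%d)01}
    cat <<EOF
\$TTL 86400 ; one day
@       IN  SOA $MNAME $RNAME (
                $serial    ; serial, YYYYMMDDnn
                28800      ; refresh, 8 hours
                7200       ; retry, 2 hours
                864000     ; expire, 10 days
                86400 )    ; negative caching TTL, 1 day
        IN  NS  $MNAME
        IN  A   $SINK_ADDR
*       IN  A   $SINK_ADDR
EOF
}

# Accept only plain hostnames (letters, digits, hyphens, dots, <= 253 chars).
# A hostile feed line such as  evil"; include "/etc/named.secret  would
# otherwise be pasted straight into named.conf, so validate before generating.
valid_domain() {
    [ "${#1}" -le 253 ] && printf '%s' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# Read domains from stdin (one per line; blank lines and '#' comments are
# ignored) and print one master-zone stanza per domain, all using ZONE_FILE.
gen_named_conf() {
    while IFS= read -r line || [ -n "$line" ]; do
        d=$(printf '%s' "${line%%#*}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ -z "$d" ]; then continue; fi
        if ! valid_domain "$d"; then
            printf 'skipping invalid entry: %s\n' "$line" >&2
            continue
        fi
        d=$(printf '%s' "$d" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
        printf 'zone "%s" { type master; file "%s"; };\n' "$d" "$ZONE_FILE"
    done
}

# Run named-checkzone (shipped with BIND) against the generated file when it
# is installed; this catches the "no current owner name" class of error
# without restarting named. Any one blocked name serves as the origin.
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not installed; skipping syntax check" >&2
    fi
}

# Constructed sample input, not a real feed: mirrors the one-domain-per-line
# format the original poster was trying to import.
sample_list() {
    cat <<'EOF'
# demo blacklist
00.devoid.us
Malware.Example.COM          # mixed case is normalised
evil"; include "/etc/named.secret   # rejected: would inject config
not_a_domain                 # rejected: underscore, no dot
EOF
}

main() {
    out=$(mktemp -d)
    gen_zone_file > "$out/$ZONE_FILE"
    sample_list | gen_named_conf > "$out/blacklist.conf"
    check_zone 00.devoid.us "$out/$ZONE_FILE"
    echo "wrote $out/$ZONE_FILE and $out/blacklist.conf; add to named.conf:"
    echo "    include \"$out/blacklist.conf\";"
}
main
```

Two notes for anyone adapting this: `type master` is the spelling BIND 9 of this era uses (current releases also accept `type primary`), and since BIND 9.8 response policy zones (RPZ) let you express the same blacklist as a single zone instead of one stanza per domain, which is the cleaner mechanism when your named is new enough. Whatever the mechanism, treat an externally downloaded domain list as untrusted input and validate it before it becomes configuration, as `valid_domain` does above.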


