Setting up a blacklist

/dev/rob0 rob0 at gmx.co.uk
Tue May 18 03:17:38 UTC 2004


[I missed the OP when it came up]
> Daniel Rudy wrote:
> >Hello,
> >
> > I've been thinking of setting up a DNS blacklist to block certain
> > websites from being accessed.  How does one set this up, and is it
> > feasible?

Google searches are feasible!
   http://groups.google.com/groups?selm=bv6hol%243tk%241%40sf1.isc.org&output=gplain
Look at the whole thread. In it I tell you how I do just that. (Kevin 
was in on that thread, too.)

On Monday 17 May 2004 19:44, Kevin Darcy wrote:
> It's an ugly hack, IMO. Better to use a web proxy and block it there.

This is probably true too. :)

> If you _must_ do this in DNS, I understand it involves defining each
> name that you want to block as a separate DNS zone on *all* of your
> servers which are used for resolving website names.

That's correct, but it's more feasible than you make it sound. I use a 
single shared "null.zone" file for all, and each zone is a one-liner in 
my /etc/named.blacklist (brought in as an include in named.conf).

The master server sets a TXT record on its main domain whenever the 
configuration changes. A cron job running on slaves checks this TXT 
record against the previous value, and when it's different, it wgets 
the updated named.blacklist from the master and does "rndc reload".

I even paid for development of a Webmin module to provide a simple, 
happy pointy-clicky interface to all this.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
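The setup described in the reply above (shared null zone, one-line zone stanzas in named.blacklist, and the slave-side cron check of a version TXT record), written out as an added example; this is not the poster's own script. Assumed names: /etc/named/null.zone, the TXT record blacklist-version.example.net, the master URL and the state file path; /etc/named.blacklist and "rndc reload" come from the post.

```shell
#!/bin/sh
# Added example, not the poster's files. Assumed names: /etc/named/null.zone,
# the TXT record "blacklist-version.example.net", the master URL and the
# state file path; /etc/named.blacklist and "rndc reload" are from the post.

NULL_ZONE=/etc/named/null.zone                        # assumed
BLACKLIST=/etc/named.blacklist                        # from the post
STATE=/var/lib/named/blacklist.version                # assumed
MASTER_URL=http://master.example.net/named.blacklist  # assumed

# One zone stanza per blocked name; every stanza shares NULL_ZONE.
# The output is the content of named.blacklist (included by named.conf).
zone_stanzas() {
    for name in "$@"; do
        printf 'zone "%s" { type master; file "%s"; };\n' "$name" "$NULL_ZONE"
    done
}

# The shared null zone: the apex and every name under it resolve to
# 127.0.0.1. Short TTL so that removing a name from the list takes
# effect quickly on clients.
null_zone() {
    cat <<'EOF'
$TTL 300
@   IN SOA localhost. root.localhost. ( 1 3600 900 604800 300 )
    IN NS  localhost.
    IN A   127.0.0.1
*   IN A   127.0.0.1
EOF
}

# True (exit 0) when the fetched version differs from the stored one.
version_changed() {
    previous=$(cat "$2" 2>/dev/null || true)
    [ "$1" != "$previous" ]
}

# Slave cron job: read the version TXT record, and only on change fetch
# the list, syntax-check it, install it and reload named.
refresh_blacklist() {
    current=$(dig +short TXT blacklist-version.example.net | tr -d '"')
    [ -n "$current" ] || return 1        # no answer: leave config alone
    version_changed "$current" "$STATE" || return 0
    wget -q -O "$BLACKLIST.new" "$MASTER_URL" || return 1
    named-checkconf "$BLACKLIST.new" || return 1   # reject a broken file
    mv "$BLACKLIST.new" "$BLACKLIST"
    rndc reload && printf '%s\n' "$current" > "$STATE"
}
```

The plain-HTTP wget from the master is as the post describes; named-checkconf only rejects syntax errors, so whoever can alter that transfer can alter what every slave resolves, and in practice the fetch should be authenticated (HTTPS with a known certificate, or scp).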
