Setting up a blacklist
/dev/rob0
rob0 at gmx.co.uk
Tue May 18 03:17:38 UTC 2004
[I missed the OP when it came up]
> Daniel Rudy wrote:
> >Hello,
> >
> > I've been thinking of setting up a DNS blacklist to block certain
> >websites from being accessed. How does one set this up, and is it
> > feasible?
Google searches are feasible!
http://groups.google.com/groups?selm=bv6hol%243tk%241%40sf1.isc.org&output=gplain
Look at the whole thread. In it I tell you how I do just that. (Kevin
was in on that thread, too.)
On Monday 17 May 2004 19:44, Kevin Darcy wrote:
> It's an ugly hack, IMO. Better to use a web proxy and block it there.
This is probably true too. :)
> If you _must_ do this in DNS, I understand it involves defining each
> name that you want to block as a separate DNS zone on *all* of your
> servers which are used for resolving website names.
That's correct, but it's more feasible than you make it sound. I use a
single shared "null.zone" file for all, and each zone is a one-liner in
my /etc/named.blacklist (brought in as an include in named.conf.)
The master server sets a TXT record on its main domain whenever the
configuration changes. A cron job running on slaves checks this TXT
record against the previous value, and when it's different, it wget's
the updated named.blacklist from the master and does "rndc reload".
I even paid for development of a Webmin module to provide a simple,
happy pointy-clicky interface to all this.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
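The shared null.zone plus one-liner-per-zone include file described in the post, as an added example (not the poster's own tooling or Webmin module). It assumes 127.0.0.1 as the sinkhole address and `localhost.` as the zone's NS, and validates each name before it is written into named.conf, since an unchecked `"` or `;` in a name would break the config; the TXT-record cron sync from the post is not shown.

```python
"""Generate a BIND 'null zone' blacklist: one shared zone file and a
one-line 'zone' statement per blocked name (hypothetical helper)."""
import re

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_name(name: str) -> bool:
    """Accept only plausible hostnames so nothing odd lands in named.conf."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def null_zone(ns: str = "localhost.", serial: int = 1) -> str:
    """Shared zone file: apex and every subdomain answer 127.0.0.1 (assumed sinkhole)."""
    return "\n".join([
        "$TTL 300",
        f"@ IN SOA {ns} hostmaster.{ns} {serial} 3600 900 604800 300",
        f"@ IN NS {ns}",
        "@ IN A 127.0.0.1",   # the wildcard below does not cover the apex itself
        "* IN A 127.0.0.1",
        "",
    ])


def zone_statements(names, zone_file: str = "null.zone") -> str:
    """One 'zone' one-liner per blocked name, for an include from named.conf.
    Blank lines and '#' comments are skipped; duplicates are collapsed."""
    lines, seen = [], set()
    for raw in names:
        name = raw.strip().lower().rstrip(".")
        if not name or name.startswith("#") or name in seen:
            continue
        if not valid_name(name):
            raise ValueError(f"refusing to emit zone for invalid name: {raw!r}")
        seen.add(name)
        lines.append(f'zone "{name}" {{ type master; file "{zone_file}"; }};')
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    # Constructed sample list; real input would be the blacklist file.
    sample = ["ads.example.com", "# comment", "ADS.EXAMPLE.COM.", "tracker.example.net"]
    print(zone_statements(sample))
    print(null_zone())
```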