DNS Queries Using API - BIND9

Vadim Pavlov pvm_job at mail.ru
Mon May 11 06:18:29 UTC 2020


Hi Blason,

There are open source clients for iOS (DNSCloak) and Android (Intra) which use DoH (you will need to install a DoH proxy), but I'm not aware of free clients for Mac/Windows/Linux (maybe because they have embedded clients which can be configured to use any 3rd party DNS :).
The main issue is that BIND doesn't provide an authentication method. So in any case you should somehow manage access to the DNS server; otherwise it will become an open resolver and will be used for DDoS attacks.

I would recommend you a few options here:
- Use a trial for any "paid" solution. E.g. Infoblox offers a 90-day free trial - it may be enough to pass the WFH stage;
- Require VPN back to your HQ and provision it to be established automatically;
- Install BIND on these laptops and push RPZ feeds directly to them (zone transfer can be authenticated by using TSIG keys). You may see issues if the feed size is >1M rules.
- Provide your employees VMs (if they have servers at home) or even a Raspberry Pi to protect the whole home network (actually it is important). On my ioc2rpz community (https://ioc2rpz.net) you can take a look at the RpiDNS installation script. It installs ISC BIND and provisions my community RPZ feeds (you may replace them with your feeds), OpenResty for the admin interface and a walled garden page, and provisions RSyslog. On a Raspberry Pi Zero the installation takes about 10 minutes (demo video - https://www.youtube.com/watch?time_continue=2&v=942yKOGAwbU&feature=emb_logo).


BR,
Vadim
> On May 10, 2020, at 21:14, Blason R <blason16 at gmail.com> wrote:
> 
> Hi Folks,
> 
> I am seeking a solution to our problem below and wanted to know if any open source option can help us here.
> We have our internal DNS RPZ firewall built on BIND9. Due to the current situation, since all users are working from home, we are not able to route their queries to the internal DNS servers. Well, when they are on VPN the queries are definitely passed through the internal DNS server, but they are left open when not connected to VPN.
> 
> Is there any solution using -
> API by which we can route the queries for user who are on Internet
> Or any client utility which can be installed on user's desktop/laptop where we can embed our BIND RPZ server and then route the queries to internal one using NAT?
> Or any other alternative community can suggest?
> 
> This is just like Cisco Umbrella or any other Paid DNS firewall solutions but seeking if we can have any open source option?
> 
> Thanks & Regards
> Blason R
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
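The third option above (BIND on each laptop, RPZ pushed out as a TSIG-authenticated zone transfer) in named.conf form. This is an added example and not configuration from the thread, from ioc2rpz or from RpiDNS; the key name `rpz-xfer`, the zone name `rpz.example.internal`, the feed server address `203.0.113.10` and the base64 secret are placeholders, and the file paths follow common Linux packaging but are not mandated by BIND.

```conf
// ---- HQ feed server: serve the RPZ zone, transfer only to TSIG-authenticated clients ----

// Shared secret; generate a real one with:  tsig-keygen rpz-xfer
// The value below is a placeholder (base64 of "example-placeholder-secret"), not a real key.
key "rpz-xfer" {
    algorithm hmac-sha256;
    secret "ZXhhbXBsZS1wbGFjZWhvbGRlci1zZWNyZXQ=";
};

zone "rpz.example.internal" {
    type primary;                       // "master" on BIND older than 9.16
    file "/var/named/rpz.example.internal.db";
    // Laptops roam, so no IP allow-list is possible: the TSIG key is the access control.
    // Without this line the feed (your IOC list) is readable by anyone who can reach port 53.
    allow-transfer { key "rpz-xfer"; };
    // Roaming clients cannot be notified reliably; they poll on the SOA refresh/retry timers.
    notify no;
};

// ---- Laptop: local recursive resolver, RPZ zone pulled as a secondary over TSIG ----

key "rpz-xfer" {
    algorithm hmac-sha256;
    secret "ZXhhbXBsZS1wbGFjZWhvbGRlci1zZWNyZXQ=";   // same placeholder secret as above
};

options {
    directory "/var/cache/bind";
    recursion yes;
    // Answer only the local host: this keeps the laptop from becoming an open resolver
    // (the DDoS-reflector concern raised above) even on a hostile home or cafe network.
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    allow-query { localhost; };
    allow-recursion { localhost; };
    allow-transfer { none; };
    // Apply the pulled feed as a response policy zone; the policy action comes from the zone data.
    response-policy { zone "rpz.example.internal"; };
};

zone "rpz.example.internal" {
    type secondary;                     // "slave" on BIND older than 9.16
    // Key attached to the primary entry: every AXFR/IXFR request is TSIG-signed.
    primaries { 203.0.113.10 key "rpz-xfer"; };   // "masters" on BIND older than 9.16
    file "rpz.example.internal.db";     // relative to the "directory" option; must be writable by named
};
```

Point the laptop's system resolver at 127.0.0.1 and the RPZ applies whether or not the VPN is up. A quick check on the laptop is `rndc zonestatus rpz.example.internal` (serial and last transfer time) and `dig @127.0.0.1 <a name listed in the feed>`, which should return the action the feed specifies (NXDOMAIN, CNAME to the walled garden, etc.). Note that TSIG authenticates the transfer but does not encrypt it; if the feed contents are themselves sensitive, run the transfer inside the VPN or tunnel it.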
