Custom DNS Filtering Plugin in BIND 9
Mónika Kiss
kozmamonika95 at gmail.com
Wed Mar 19 14:40:28 UTC 2025
Hello,
Thank you for your response.
I have a domain categorization program written in C that dynamically
determines the risk level of a queried domain.
I need to integrate this categorization logic into a BIND 9 plugin that:
- Calls the categorization function to analyze each incoming DNS query.
- Modifies the DNS response based on the categorization result:
  - If the domain is categorized as high risk, return a custom IP
    address (e.g., 192.168.1.100) instead of resolving the query.
  - Otherwise, allow the query to proceed to the upstream DNS resolver
    as usual.
I think I can't do this with the RPZ.
Best regards,
Monika
On Wed, Mar 19, 2025 at 4:19 PM Michael De Roover <isc at nixmagic.com> wrote:
> On Wednesday, March 19, 2025 3:01:48 PM CET Bob McDonald wrote:
> > Maybe I'm not understanding all the nuances of the stated goal but doesn't
> > RPZ handle this?
>
> Was my first thought as well, works fine for me.
>
> In named.conf:
>
> options {
>     // RPZ zone
>     // Source: https://deteque.com/m3aawg-bind-training/named.conf
>     response-policy {
>         zone "rpz.local";
>     };
> };
>
> // Response Policy Zone
> zone "rpz.local" {
>     type primary;
>     file "/path/to/rpz.local.db";
> };
>
> ----
>
> In rpz.local.db:
>
> $TTL 300
> @ IN SOA localhost. admin.localhost. (
>         1     ; Serial number
>         60    ; Refresh every minute
>         60    ; Retry every minute
>         43200 ; Expire in 12 hours
>         60 )  ; Negative cache TTL 1 minute
>   IN NS LOCALHOST.
>
> ; Examples
> example.net IN CNAME localhost.
>
> ----
>
> Note that the public domain name records to be redirected via RPZ cannot
> have a trailing dot.
>
> --
> Kind regards,
> Michael De Roover
>
> Mail: isc at nixmagic.com
> Web: michael.de.roover.eu.org
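
Added example (not code from this thread or from BIND): one way to feed the results of a categorizer like the one described above into the RPZ setup from the quoted reply, by writing each flagged name into the policy zone with the custom address as local data. The function names and the batch-regeneration approach are assumptions made here; this does not perform per-query categorization inside named.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define RPZ_REDIRECT_IP "192.168.1.100" /* custom address from the message above */

/* Turn a query name into an RPZ owner name: lowercase, no trailing dot.
 * Only hostname characters are accepted, so a hostile name cannot smuggle
 * zone-file syntax (';', '$', whitespace) into the policy zone.
 * Returns 0 on success, -1 if the name is rejected. */
int rpz_owner(const char *qname, char *out, size_t outlen)
{
    size_t n = strlen(qname), label = 0;
    if (n > 0 && qname[n - 1] == '.')
        n--;                                   /* RPZ triggers carry no trailing dot */
    if (n == 0 || n > 240 || n + 1 > outlen)   /* 240: room for "*." and zone suffix */
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)qname[i];
        if (c == '.') {
            if (label == 0)
                return -1;                     /* empty label */
            label = 0;
        } else if (!(isalnum(c) || c == '-' || c == '_') || ++label > 63) {
            return -1;                         /* bad character or label too long */
        }
        out[i] = (char)tolower(c);
    }
    out[n] = '\0';
    return label == 0 ? -1 : 0;                /* reject a name ending in an empty label */
}

/* Write a whole policy zone for the flagged names (SOA values as in the quoted
 * rpz.local.db). Returns the number of names written, or -1 on I/O error. */
int rpz_write_zone(FILE *fp, unsigned serial, const char *const *names, size_t count)
{
    char owner[256];
    int written = 0;
    fprintf(fp, "$TTL 300\n@ IN SOA localhost. admin.localhost. ( %u 60 60 43200 60 )\n"
                "  IN NS localhost.\n", serial);
    for (size_t i = 0; i < count; i++) {
        if (rpz_owner(names[i], owner, sizeof owner) != 0)
            continue;                          /* skip anything not a clean hostname */
        /* local-data action: the name and its subdomains answer with the custom IP */
        fprintf(fp, "%s IN A %s\n*.%s IN A %s\n", owner, RPZ_REDIRECT_IP, owner, RPZ_REDIRECT_IP);
        written++;
    }
    return ferror(fp) ? -1 : written;
}
```

Each regeneration needs a higher serial than the last, followed by a zone reload (for example `rndc reload rpz.local`) before named applies the new policy.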