Custom DNS Filtering Plugin in BIND 9
Michael De Roover
isc at nixmagic.com
Wed Mar 19 14:51:18 UTC 2025
On Wednesday, March 19, 2025 3:40:28 PM CET Mónika Kiss wrote:
> Hello,
>
> Thank you for your response.
>
> I have a domain categorization program written in C that dynamically
> determines the risk level of a queried domain.
> I need to integrate this categorization logic into a BIND 9 plugin that:
>
> - Calls the categorization function to analyze each incoming DNS query.
> - Modifies the DNS response based on the categorization result:
>   - If the domain is categorized as high risk, return a custom IP
>     address (e.g., 192.168.1.100) instead of resolving the query.
>   - Otherwise, allow the query to proceed to the upstream DNS resolver
>     as usual.
>
> I think I can't do this with the RPZ.
>
> Best regards,
> Monika
Hi Monika,
If it's output from a program, you'll probably want the zone to respond
dynamically to updates, yes. There are two ways I could think of going about
this.
The first one is using static zone files, and having your program build zone
files as needed, then pushing them into the server and restarting BIND. This is
how I do it for my zones, albeit not very real-time at all. I guess it could
work if the updates are done only a few times a day.
The second one is to use RPZ alongside dynamic DNS updates. I haven't done
that in my networks; you'll have to look that up or ask someone else. But with
that, I could imagine that it would allow your program to very quickly push
new records based on its findings.
That said though, where is this program running? For DNS monitoring, a good
vantage point would be the DNS server itself running tcpdump and/or Wireshark
on port 53 (both TCP and UDP). Meanwhile for traffic in general, the gateway or
a forward proxy server may be able to give better results (but encrypted traffic
would be a pain to deal with).
--
Kind regards,
Michael De Roover
Mail: isc at nixmagic.com
Web: michael.de.roover.eu.org
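The second approach Michael describes, RPZ driven by dynamic DNS updates, as an added example that is not code from either message in this thread: a small shell wrapper the categorizer can call per domain, which installs an RPZ Local Data rule (an A record answering 192.168.1.100) for high-risk names and clears the rule otherwise. The zone name `rpz.local`, the server address `127.0.0.1` and the TSIG key path are placeholders; the zone must already be listed under `response-policy` in named.conf and accept signed updates (`update-policy`/`allow-update`).

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders below are assumptions.
RPZ_ZONE="rpz.local"                  # the response-policy zone (assumed name)
RPZ_SERVER="127.0.0.1"                # BIND 9 server accepting dynamic updates (assumed)
RPZ_KEY="/etc/bind/rpz-update.key"    # TSIG key file for nsupdate -k (assumed path)
SINK_IP="192.168.1.100"               # custom address returned for high-risk domains
TTL=60                                # short TTL so clients pick up changes quickly

# rpz_stanza DOMAIN RISK  -> prints an nsupdate batch on stdout.
# RISK "high": add Local Data rules for the name and its subdomains.
# Any other RISK: remove existing rules so the query resolves normally upstream.
rpz_stanza() {
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')   # normalise owner name
    risk=$2
    owner="$domain.$RPZ_ZONE."
    wild="*.$domain.$RPZ_ZONE."
    printf 'server %s\nzone %s\n' "$RPZ_SERVER" "$RPZ_ZONE"
    # Start from a clean slate for this owner so repeated runs are idempotent.
    printf 'update delete %s\n' "$owner"
    printf 'update delete %s\n' "$wild"
    if [ "$risk" = "high" ]; then
        # An A record at the RPZ owner name is the RPZ "Local Data" action.
        printf 'update add %s %d IN A %s\n' "$owner" "$TTL" "$SINK_IP"
        printf 'update add %s %d IN A %s\n' "$wild" "$TTL" "$SINK_IP"
    fi
    printf 'send\n'
}

# push_rule DOMAIN RISK -> signs and sends the batch to the server.
push_rule() {
    rpz_stanza "$1" "$2" | nsupdate -k "$RPZ_KEY"
}
```

Because dynamic updates bump the zone serial automatically, no rndc reload or restart is needed; a short `rndc dumpdb -zones` or a query against the resolver is enough to confirm the rule took effect.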