Custom DNS Filtering Plugin in BIND 9

Ondřej Surý ondrej at isc.org
Wed Mar 19 15:05:29 UTC 2025


Michael,

you can hardly create a static list from all of the domains that can possibly exist.

I do understand the usefulness of dynamic classification.

There’s just not a straightforward interface for it now. Somebody will have to invest in writing this :shrug:

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 19. 3. 2025, at 21:51, Michael De Roover <isc at nixmagic.com> wrote:
> 
> On Wednesday, March 19, 2025 3:40:28 PM CET Mónika Kiss wrote:
>> Hello,
>> 
>> Thank you for your response.
>> 
>> I have a domain categorization program written in C that dynamically
>> determines the risk level of a queried domain.
>> I need to integrate this categorization logic into a BIND 9 plugin that:
>> 
>>   - Calls the categorization function to analyze each incoming DNS query.
>>   - Modifies the DNS response based on the categorization result:
>>      - If the domain is categorized as high risk, return a custom IP
>>      address (e.g., 192.168.1.100) instead of resolving the query.
>>      - Otherwise, allow the query to proceed to the upstream DNS resolver
>>      as usual.
>> 
>> I think I can't do this with the RPZ.
>> 
>> Best regards,
>> Monika
> 
> Hi Monika,
> 
> If it's output from a program, you'll probably want the zone to dynamically
> respond to updates yes... There are two ways I could think of going about
> this.
> 
> The first one is using static zone files, and having your program build zone
> files as needed, then pushing them into the server and restarting BIND. This is
> how I do it for my zones, albeit not very real-time at all. I guess it could
> work if the updates are done only a few times a day.
> 
> The second one is to use RPZ alongside dynamic DNS updates. I haven't done
> that in my networks, you'll have to look that up or ask someone else. But with
> that, I could imagine that it would allow your program to very quickly push
> new records based on its findings.
> 
> That said though, where is this program running? For DNS monitoring, a good
> vantage point would be the DNS server itself running tcpdump and/or Wireshark
> on port 53 (both TCP and UDP). Meanwhile for traffic in general, the gateway or
> a forward proxy server may be able to give better results (but encrypted traffic
> would be a pain to deal with).
> 
> --
> Kind regards,
> Michael De Roover
> 
> Mail: isc at nixmagic.com
> Web: michael.de.roover.eu.org
> 
> 
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
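The second route Michael describes (RPZ plus dynamic DNS updates) can be driven by a small generator that turns the categorizer's verdicts into an nsupdate batch. What follows is an added example, not code from this thread or from ISC: it assumes a response-policy zone named rpz.local served by the local named (hypothetical name), uses the 192.168.1.100 sinkhole address from Mónika's message, and emits the RPZ "Local Data" form (an A record under the policy zone for the domain and a wildcard for its subdomains) for high-risk domains, while deleting that policy again for domains that are later re-classified.

```python
"""Build an nsupdate batch that pushes categorization verdicts into a BIND 9
RPZ zone (added example; RPZ_ZONE and the key path are assumptions)."""
import re

RPZ_ZONE = "rpz.local"          # assumed name of the response-policy zone
SINKHOLE_IP = "192.168.1.100"   # custom answer requested in the thread
TTL = 60                        # short TTL so re-classification takes effect quickly

# One DNS label: 1-63 chars, letters/digits/underscore/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9_-]{1,63}(?<!-)$")


def normalize(domain):
    """Lowercase, strip the trailing dot and validate every label, so a garbled
    categorizer output can never turn into a malformed (or injected) update line."""
    d = domain.strip().rstrip(".").lower()
    if not d or len(d) > 253:
        raise ValueError(f"bad domain length: {domain!r}")
    labels = d.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"bad domain: {domain!r}")
    return d


def rpz_records(domain):
    """RPZ 'Local Data' action: an A record at <domain>.<rpz zone> makes named
    answer SINKHOLE_IP instead of resolving; the wildcard covers subdomains."""
    d = normalize(domain)
    return [
        f"{d}.{RPZ_ZONE}. {TTL} IN A {SINKHOLE_IP}",
        f"*.{d}.{RPZ_ZONE}. {TTL} IN A {SINKHOLE_IP}",
    ]


def nsupdate_batch(results, server="127.0.0.1"):
    """results: iterable of (domain, risk). 'high' adds the sinkhole policy;
    any other verdict removes an existing policy so the domain resolves normally.
    All updates for one run go in a single transaction (one 'send')."""
    lines = [f"server {server}", f"zone {RPZ_ZONE}."]
    for domain, risk in results:
        if risk == "high":
            lines += [f"update add {rr}" for rr in rpz_records(domain)]
        else:
            d = normalize(domain)
            lines += [
                f"update delete {d}.{RPZ_ZONE}. A",
                f"update delete *.{d}.{RPZ_ZONE}. A",
            ]
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample verdicts standing in for the C categorizer's output.
    verdicts = [("Evil.Example.", "high"), ("good.example", "low")]
    # Pipe this to:  nsupdate -k /etc/bind/rpz-key.conf   (key path is an assumption)
    print(nsupdate_batch(verdicts), end="")
```

The batch is fed to nsupdate with the TSIG key that the zone's allow-update statement trusts. On the named side the zone must be declared as a primary zone with allow-update, and listed in options under response-policy { zone "rpz.local"; }; otherwise the records land in the zone but never influence answers. Restricting allow-query on the policy zone to localhost keeps the block list from being enumerable by clients.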
