Custom DNS Filtering Plugin in BIND 9
Michael De Roover
isc at nixmagic.com
Thu Mar 20 13:58:49 UTC 2025
On Wednesday, March 19, 2025 4:05:29 PM CET you wrote:
> Michael,
>
> you can hardly create a static list from all of the domains that can
> possibly exist.
>
> I do understand the usefulness of dynamic classification.
>
> There’s just not a straightforward interface for it now. Somebody will have
> to invest into writing this :shrug:
>
> Ondrej
Hi Ondrej, I commend your productivity! I saw your work in both BIND-Users and DNSOP.
No joke, we need more people like this, especially right now. Having had a productivity
boost on the same day, fist-bump!
To be fair though, not all domains have to be recorded into an RPZ to be useful. For me
right now, it's only a couple of domains related to Facebook, YouTube, Windows Update,
and Tor. Wildcards being allowed means that this zone is only 42 lines long.
> Thinking aloud - perhaps, we can extend the plugin API (and RPZ) in a way to add the
> classification to the message processing and then the RPZ processing could read the
> classification and take an action?
> But that’s quite a huge chunk of work.
About that... I like the idea, but can you guarantee that it stays within BIND? How would
you envision such traffic flow from threat analysis to zone inclusion? Would such additions
to the protocol require standardization in DNSOP?
The way I envision it is as follows:
Suppose that a request is made to malicious01.nixmagic.com. Sentinel node on
ns1.internal.nixmagic.com makes a report, and wraps it up into an intervention package.
This is to be pushed into the RPZ zone, or whatever else is responsible for DNS rewrite
through internal DNS - BIND here.
So that sentinel program made its call, classified it locally, and pushed new records
accordingly. Do the DNS server and its zone file still need to know more than that? If so,
how does that affect the protocol performed between sentinel and nameserver, as well as
the protocol performed between nameserver and future clients? If not, could it redirect to
different destinations based on such classification data?
My concern here is mostly with the protocol, and where these databases are held. My
belief is that the DNS server does not need to know about the classification details of such
a threat. That's the responsibility of the sentinel to determine, and keep records of.
That being said, I do like the idea of exploring this in further detail. As you may be able
to tell by now, I have explored the idea of a sentinel as an SMTP edge before. Provided
sufficient actionable rationale and/or code relevant to BIND, would ISC be willing to
collaborate on such an ordeal?
> If this is something that is going to be open-source and the whole BIND 9 users
> community would benefit from this, I would love to hear and see more.
Out of curiosity, do you think that the code I wrote for building zone files may be useful
here? I committed it locally as mkbind, similar in nature to keama. However, the JSON
syntax is built only against my own infrastructure, which is not as complex as that of
other members on this and the DNSOP list. Most importantly, it still deals with /24 only.
Binary conversion to handle classless... it's a roadmap item, but one I'd rather push down
until needed. Nonetheless, it can handle zones and has several logic items for
deduplication (e.g. A/PTR, mobility between zone suffixes, etc.).
--
Met vriendelijke groet,
Michael De Roover
Mail: isc at nixmagic.com
Web: michael.de.roover.eu.org
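The sentinel-to-RPZ flow sketched in the message above (sentinel classifies locally, pushes only the resulting rewrite into the RPZ, nameserver never sees the classification) can be made concrete as a small bridge script. The following is an added example written for this thread; it is not code from BIND, from ISC, or from the mkbind tool the author mentions. The RPZ zone name `rpz.internal.`, the 300 s TTL and the classification-to-action table are assumptions; `ns1.internal.nixmagic.com` and `malicious01.nixmagic.com` are the names used in the message. It emits an `nsupdate` batch, validates hostnames before they reach the zone, and skips names that an existing wildcard entry already covers (the same kind of deduplication the author describes for mkbind).

```python
"""Sentinel -> RPZ bridge (constructed example, not from the thread or BIND).

The sentinel classifies a reported hostname locally and hands the
nameserver only an RPZ *action*; the classification itself stays on the
sentinel.  Zone name, TTL and the action table are assumptions.
"""
import re

RPZ_ZONE = "rpz.internal."                 # assumed RPZ zone name
NAMESERVER = "ns1.internal.nixmagic.com"   # nameserver named in the thread
TTL = 300                                  # assumed TTL for pushed records

# RPZ encodes the policy action in the CNAME target of the trigger record:
#   "."             answer NXDOMAIN for the name
#   "*."            answer NODATA for the name
#   "rpz-passthru." exempt the name from other RPZ rules
ACTIONS = {
    "malware":  ".",
    "tracking": "*.",
    "allow":    "rpz-passthru.",
}

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name):
    """Lower-case and strip the trailing dot; return None for an invalid hostname."""
    name = name.strip().rstrip(".").lower()
    if not name or len(name) > 253:
        return None
    if not all(_LABEL.match(label) for label in name.split(".")):
        return None
    return name


def rpz_owner(name):
    """Owner name of the RPZ trigger record for a (normalized) hostname."""
    return f"{name}.{RPZ_ZONE}"


def covered_by(existing, name):
    """True if an existing RPZ entry already matches `name`.

    An RPZ wildcard '*.example.com' matches subdomains only, not the apex."""
    for entry in existing:
        entry = entry.lower().rstrip(".")
        if entry == name:
            return True
        if entry.startswith("*.") and name.endswith("." + entry[2:]):
            return True
    return False


def build_update(reports, existing):
    """Turn (hostname, classification) reports into an nsupdate batch.

    Returns (lines, skipped): the batch as a list of nsupdate commands, and
    a list of (hostname, reason) for reports that produced no record.
    """
    lines = [f"server {NAMESERVER}", f"zone {RPZ_ZONE}"]
    skipped = []
    seen = set()
    for raw, classification in reports:
        name = normalize(raw)
        if name is None:
            skipped.append((raw, "invalid hostname"))
            continue
        target = ACTIONS.get(classification)
        if target is None:
            skipped.append((raw, f"no RPZ action for class {classification!r}"))
            continue
        if name in seen or covered_by(existing, name):
            skipped.append((raw, "already covered"))
            continue
        seen.add(name)
        lines.append(f"update add {rpz_owner(name)} {TTL} IN CNAME {target}")
    lines.append("send")
    return lines, skipped


if __name__ == "__main__":
    # Constructed sample: the current RPZ contents (wildcards allowed) and
    # a few sentinel reports, including ones that must be rejected.
    existing_rpz = ["*.facebook.com", "youtube.com", "*.youtube.com"]
    sentinel_reports = [
        ("malicious01.nixmagic.com", "malware"),
        ("cdn.facebook.com", "tracking"),           # covered by the wildcard
        ("bad host.example", "malware"),            # not a valid hostname
        ("ads.example", "unknown"),                 # class with no RPZ action
        ("Malicious01.nixmagic.com.", "malware"),   # duplicate after normalizing
    ]
    batch, skipped = build_update(sentinel_reports, existing_rpz)
    print("\n".join(batch))
    for host, reason in skipped:
        print(f"# skipped {host}: {reason}")
```

The batch is meant to be piped into `nsupdate -k <tsig-key-file>`, so the sentinel needs a TSIG key that the RPZ zone's `update-policy` (or `allow-update`) accepts, and `named.conf` must list the zone under `response-policy { zone "rpz.internal"; };`. Because the nameserver receives only the trigger record and its action, the classification details stay where the message argues they belong, on the sentinel.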