Custom DNS Filtering Plugin in BIND 9
Petr Špaček
pspacek at isc.org
Fri Mar 21 10:38:20 UTC 2025
On 3/21/25 08:31, Mónika Kiss wrote:
> I wanted to provide some additional context and clarify a few key
> aspects of my use case:
>
> * I already maintain a large, pre-existing file containing
> comprehensive domain categorization data.
> * This file is updated externally and serves as the sole source of
> truth for categorization decisions.
> * As such, I do not wish to store any additional data within the
> plugin, memory, or any BIND-internal structures.
> * Instead, I want the plugin to dynamically query this data by calling
> my existing C program or SDK, which reads and evaluates domains in
> real time.
>
>
> Desired Behavior
>
> * On each DNS query, the plugin should:
> 1. Extract the domain from the query.
> 2. Call my categorization logic (via C function or subprocess).
> 3. Based on the result:
> o *If High Risk*: Immediately stop further resolution and
> return a custom response (e.g., a custom IP address).
> o *Otherwise*: Allow the query to continue to upstream
> resolvers as normal.
>
> * The plugin will be handling a very high volume of DNS queries, so
> performance is critical.
Sounds like filter-aaaa plugin, plus a call to an external API.
If (and that's a big IF) the 'external API' is so fast it does not
require asynchronicity, it should be a copy & paste job, mostly.
If the external thing is slow and requires asynchronicity then we need
to have a proper look.
Perhaps start with copy & paste for now and we will take it from there...
--
Petr Špaček
Internet Systems Consortium
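The per-query decision the original poster describes (extract the name, call a synchronous categorizer, sinkhole on high risk, otherwise let resolution continue) as an added, stand-alone C example. It is not BIND's plugin API, not the filter-aaaa plugin, and not the poster's SDK: the hook registration plumbing is left out, and `categorize_fn`, `classify`, `filter_query`, the in-memory `HIGH_RISK` list and the 192.0.2.1 sinkhole address are all constructed for illustration. It goes slightly beyond the thread by checking parent domains too, and by timing each lookup against a per-query budget, which is the measurement behind Petr's "big IF": a categorizer that keeps blowing the budget needs the asynchronous path, not a copy of the synchronous one.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <time.h>

/* Verdict the resolver acts on: PASS lets resolution continue upstream,
 * BLOCK short-circuits it with a synthesized answer. */
typedef enum { VERDICT_PASS = 0, VERDICT_BLOCK = 1 } verdict_t;

/* Categorization callback: true when the name is high risk. In production
 * this would wrap the poster's C program or SDK; the type is hypothetical
 * and not part of any BIND interface. */
typedef bool (*categorize_fn)(const char *name);

/* Constructed stand-in data set (placeholder names, not real domains). */
static const char *const HIGH_RISK[] = { "bad.example.", "phish.example.", NULL };

/* Sample categorizer over the constructed list: exact, case-insensitive match. */
bool sample_categorizer(const char *name) {
    for (size_t i = 0; HIGH_RISK[i] != NULL; i++)
        if (strcasecmp(name, HIGH_RISK[i]) == 0) return true;
    return false;
}

/* Check the query name and each parent domain in turn, so a listing of
 * "bad.example." also covers "www.bad.example.". Expects a fully qualified
 * name with a trailing dot, the form BIND works with internally. */
verdict_t classify(const char *qname, categorize_fn categorize) {
    const char *p = qname;
    while (*p != '\0') {
        if (categorize(p)) return VERDICT_BLOCK;
        const char *dot = strchr(p, '.');
        if (dot == NULL || dot[1] == '\0') break;   /* reached the root label */
        p = dot + 1;                                /* strip the leftmost label */
    }
    return VERDICT_PASS;
}

/* Sinkhole answer for blocked names. 192.0.2.1 is in the documentation
 * range and stands in for whatever address the operator configures. */
#define SINKHOLE_A "192.0.2.1"

typedef struct {
    verdict_t verdict;
    char answer[16];      /* A record text for BLOCK, empty for PASS */
    double lookup_us;     /* wall time spent inside the categorizer */
    bool over_budget;     /* lookup exceeded the per-query latency budget */
} filter_result_t;

static double monotonic_us(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec * 1e6 + (double)ts.tv_nsec / 1e3;
}

/* Body of the per-query hook: a synchronous lookup timed against a budget.
 * The verdict is applied either way; over_budget is a signal for the
 * operator that the synchronous design is not keeping up. */
filter_result_t filter_query(const char *qname, categorize_fn categorize, double budget_us) {
    filter_result_t r = { VERDICT_PASS, "", 0.0, false };
    double start = monotonic_us();
    r.verdict = classify(qname, categorize);
    r.lookup_us = monotonic_us() - start;
    r.over_budget = r.lookup_us > budget_us;
    if (r.verdict == VERDICT_BLOCK)
        snprintf(r.answer, sizeof r.answer, "%s", SINKHOLE_A);
    return r;
}

int main(void) {
    /* Constructed sample queries: one child of a listed name, one clean
     * name, one listed name in upper case. */
    const char *names[] = { "www.bad.example.", "www.example.com.", "PHISH.example." };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        filter_result_t r = filter_query(names[i], sample_categorizer, 50.0);
        printf("%-20s %-5s %-10s (%.1f us%s)\n", names[i],
               r.verdict == VERDICT_BLOCK ? "BLOCK" : "PASS", r.answer,
               r.lookup_us, r.over_budget ? ", over budget" : "");
    }
    return 0;
}
```

The budget value (50 microseconds here) is arbitrary; what matters is that the hook records when the categorizer misses it, because at the query volumes the poster mentions a synchronous call that stalls the worker thread stalls every other query behind it. Counting `over_budget` results per second is the cheapest way to tell whether the copy-and-paste approach holds up or the asynchronous version Petr mentions is needed.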