<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>I wrote a closed-source filtering plugin for BIND and I found
that the #1 issue is that there is no defined interface between a
plugin and BIND's internal data structures.<br>
Since data structures (may) have small changes between patch
releases, this means that with <i>every</i> release of BIND
the plugin <i>must</i> be recompiled and a new release of the
plugin must be made to ensure that the plugin works correctly when
accessing or manipulating the data structures.<br>
There is no issue when a plugin is part of BIND, e.g. the
filter-aaaa plugin, but for any other (open source or not) plugin
one must recompile the plugin for every patch release and make
sure that the plugin version and BIND version match exactly.<br>
It would be nice for all plugin authors if this issue were
resolved or improved.<br>
</p>
<p>Marcus</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 20/03/2025 13:58, Michael De Roover
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:13509339.g4cqq1Pvbo@workstation.vm.ideapad.lan">
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">On
Wednesday, March 19, 2025 4:05:29 PM CET you wrote:</p>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">>
Michael,</p>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">>
</p>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">>
you can hardly create a static list from all of the domains that
can</p>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">>
possibly exist.</p>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">>
</p>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">>
I do understand the usefulness of dynamic classification.</p>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">>
</p>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">>
There’s just not a straightforward interface for it now.
Somebody will have</p>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">>
to invest into writing this :shrug:</p>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">>
</p>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">>
Ondrej</p>
<br>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">Hi
Ondrej, I commend your productivity! I saw your work in both
BIND-Users and DNSOP. No joke, we need more people like this,
especially right now. Having had a productivity boost on the
same day, fist-bump!</p>
<br>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">To be
fair though, not all domains have to be recorded into an RPZ to
be useful. For me right now, it's only a couple of domains
related to Facebook, YouTube, Windows Update, and Tor. Wildcards
being allowed means that this zone is only 42 lines long.</p>
<br>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">> Thinking aloud -
perhaps, we can extend the plugin API (and RPZ) in a way
to add the classification to the message processing and
then the RPZ processing could read the classification and
take an action?</p>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">> But that’s quite a huge
chunk of work.</p>
<br>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">About
that... I like the idea, but can you guarantee that it stays
within BIND? How would you envision such traffic flow from
threat analysis to zone inclusion? Would such additions to the
protocol require standardization in DNSOP?</p>
<br>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">The
way I envision it is as follows:</p>
<br>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">Suppose
that a request is made to malicious01.nixmagic.com. Sentinel
node on ns1.internal.nixmagic.com makes a report, and wraps it
up into an intervention package. This is to be pushed into the
RPZ zone, or whatever else is responsible for DNS rewrite
through internal DNS - BIND here.</p>
<br>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">So
that sentinel program made its call, classified it locally, and
pushed new records accordingly. Does the DNS server and its zone
file still need to know more than that? If so, how does that
affect the protocol performed between sentinel and nameserver,
as well as the protocol performed between nameserver and future
clients? If not, could it redirect to different destinations
based on such classification data?</p>
<br>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">My
concern here is mostly with the protocol, and where these
databases are held. My belief is that the DNS server does not
need to know about the classification details of such a threat.
That's the responsibility of the sentinel to determine, and keep
records of.</p>
<br>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">That
being said, I do like the idea of exploring this in further
detail. As you may be able to tell by now, I have explored the
idea of a sentinel as an SMTP edge before. Provided sufficient
actionable rationale and/or code relevant to BIND, would ISC be
willing to collaborate on such an ordeal?</p>
<br>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">>
If this is something that is going to be open-source and the
whole BIND 9 users community would benefit from this, I
would love to hear and see more.</p>
<br>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">Out
of curiosity, do you think that the code I wrote for building
zone files may be useful here? I committed it locally as mkbind,
similar in nature to keama. However, the JSON syntax is built
only against my own infrastructure, which is not as complex as
that of other members on this and the DNSOP list. Most
importantly, it still deals with /24 only. Binary conversion to
handle classless... it's a roadmap item, but one I'd rather push
down until needed. Nonetheless, it can handle zones and has
several logic items for deduplication (e.g. A/PTR, mobility
between zone suffixes, etc.).</p>
<br>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">-- </p>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">Met
vriendelijke groet,</p>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">Michael
De Roover</p>
<br>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">Mail:
<a class="moz-txt-link-abbreviated" href="mailto:isc@nixmagic.com">isc@nixmagic.com</a></p>
<p
style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">Web:
michael.de.roover.eu.org</p>
<br>
</blockquote>
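<p>As an added illustration (not code from either message, from mkbind, or from ISC's BIND), the sentinel-to-nameserver hand-off sketched in the quoted message can be expressed as a small script that turns a classification report into RPZ policy records and an nsupdate batch for the policy zone's primary. The policy zone name rpz.local, the classification labels, the sinkhole address 192.0.2.1 and the report format are assumptions; malicious01.nixmagic.com and ns1.internal.nixmagic.com are the names used in the thread.</p>

```python
import re

# Sentinel classification -> RPZ action, using the standard RPZ encodings
# (CNAME . = NXDOMAIN, CNAME *. = NODATA, rpz-drop. / rpz-passthru. =
# special actions, anything else = local data).  The labels on the left
# are assumed for this example; a real sentinel would define its own.
ACTIONS = {
    "malware":  "CNAME .",
    "tracker":  "CNAME *.",
    "c2":       "CNAME rpz-drop.",
    "sinkhole": "A 192.0.2.1",          # walled garden; TEST-NET-1 address assumed
    "allow":    "CNAME rpz-passthru.",
}

_LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")


def normalise_qname(qname):
    """Lowercase the name, drop the trailing dot and reject anything that is
    not a plausible DNS name, so a hostile or garbled report cannot smuggle
    extra owner names or rdata into the update."""
    name = qname.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        raise ValueError(f"bad name length: {qname!r}")
    for label in name.split("."):
        if not _LABEL.match(label):
            raise ValueError(f"bad label {label!r} in {qname!r}")
    return name


def rpz_records(rpz_zone, report, ttl=60):
    """Map (qname, classification, cover_subdomains) tuples to RPZ RRs.

    A QNAME trigger is the queried name with the policy zone appended; a
    '*.' owner additionally covers every subdomain.  Duplicate entries are
    collapsed, and two entries that would give the same owner different
    actions are treated as a conflict rather than silently letting the
    last one win.  Returns (owner, rdata) pairs with the TTL folded into
    the rdata string.
    """
    zone = normalise_qname(rpz_zone)
    rrs, seen = [], {}
    for qname, classification, cover_subdomains in report:
        name = normalise_qname(qname)
        rdata = f"{ttl} IN {ACTIONS[classification]}"   # KeyError on unknown class
        owners = [f"{name}.{zone}."]
        if cover_subdomains:
            owners.append(f"*.{name}.{zone}.")
        for owner in owners:
            prev = seen.get(owner)
            if prev is None:
                seen[owner] = rdata
                rrs.append((owner, rdata))
            elif prev != rdata:
                raise ValueError(f"conflicting actions for {owner}: {prev!r} vs {rdata!r}")
    return rrs


def nsupdate_batch(server, rpz_zone, rrs):
    """Render the RRs as an nsupdate script for the policy zone's primary."""
    lines = [f"server {server}", f"zone {normalise_qname(rpz_zone)}."]
    lines += [f"update add {owner} {rdata}" for owner, rdata in rrs]
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed report: what a sentinel might emit after classifying the
    # lookup of malicious01.nixmagic.com mentioned in the thread.
    report = [
        ("malicious01.nixmagic.com", "malware", True),
        ("tracker.example", "tracker", False),
        ("updates.example", "allow", True),
    ]
    rrs = rpz_records("rpz.local", report)
    for owner, rdata in rrs:
        print(f"{owner:48} {rdata}")
    print(nsupdate_batch("ns1.internal.nixmagic.com", "rpz.local", rrs))
```

<p>Save the batch to a file and push it with <code>nsupdate -k /etc/bind/sentinel.key batch.txt</code> (key file path assumed) against a BIND primary that serves the policy zone with <code>allow-update { key sentinel-key; };</code> and lists it under <code>response-policy { zone "rpz.local"; };</code>. Because this path uses the standard dynamic update protocol rather than the plugin interface, the sentinel does not link against BIND's internal data structures and does not need to be rebuilt per BIND release.</p>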
</body>
</html>