Bind and blacklist IP file
Alans
Is it possible for bind dns to check the queries, if the returned answer
is existed in a file that contains blacklisted IPs then block it?
One more thing, from where we can get/buy updated lists of categorized IPs/websites,
like Gaming, Porn, Social...?
Thanks,
Alans
Kalman Feher
On 11/10/10 1:02 PM, "Alans" <alan...@gmail.com> wrote:
>
> Hello,
>
> Is it possible for bind dns to check the queries, if the returned answer
> is existed in a file that contains blacklisted IPs then block it?
DNS RPZ may do what you want.
There is a patch on the isc.org website for 9.4,9.6 and 9.7.1-P2
Described in further detail here:
ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt
and here:
http://www.isc.org/community/blog/201007/taking-back-dns-0
> One more thing, from where we can get/buy updated lists of categorized
> IPs/websites,
> like Gaming, Porn, Social...?
>
> Thanks,
> Alans
>
>
>
> _______________________________________________
> bind-users mailing list
> bind-...@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Kal Feher
Alans
kind of similar to that in a small scale.
So i was wondering about Bind dns capabilities and may be third party
stuffs that could integrate with bind dns in addition to the ip/website
list.
regards,
Alans
On 10/11/2010 02:06 PM, David Peall wrote:
> Have you looked at:
> http://www.opendns.com/
>
> --
> Dave
>
> On 11 October 2010 13:02, Alans<alan...@gmail.com> wrote:
>> Hello,
>>
>> Is it possible for bind dns to check the queries, if the returned answer
>> is existed in a file that contains blacklisted IPs then block it?
>>
Lyle Giese
> Hello,
>
> Is it possible for bind dns to check the queries, if the returned answer
> is existed in a file that contains blacklisted IPs then block it?
>
> One more thing, from where we can get/buy updated lists of categorized
> IPs/websites,
> like Gaming, Porn, Social...?
>
> Thanks,
> Alans
>
>
>
some block lists to do this.
Matus UHLAR - fantomas
> Thanks Dave, yes i know about OpenDNS, I'm trying to imlement somehting
> kind of similar to that in a small scale.
> So i was wondering about Bind dns capabilities and may be third party
> stuffs that could integrate with bind dns in addition to the ip/website
> list.
This is NOT something BIND (or any DNS server) should do. Blocking web sites
is business for web proxies, firewalls etc. Doing this stuff at DNS level
could lead to many surprises.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese.
Alans
Also, i think as mentioned in Kal's email, DNS RPZ from isc is an
approach to implement these functionalities at DNS level.
We want to give individuals/customers access to their account to block
what they want to block, something similar to OpenDNS but in a small scale.
regards,
Alans
sth...@nethelp.no
> > kind of similar to that in a small scale.
> > So i was wondering about Bind dns capabilities and may be third party
> > stuffs that could integrate with bind dns in addition to the ip/website
> > list.
>
> This is NOT something BIND (or any DNS server) should do. Blocking web sites
> is business for web proxies, firewalls etc. Doing this stuff at DNS level
> could lead to many surprises.
Unfortunately, in some countries you may be required to do so. The
example I know best is, naturally, Norway.
In Norway we have what is basically a government requirement for ISPs
to block child porn domains, using a list supplied by the police. A
decent description of the system, for those of you with a reading
knowledge of Norwegian, is here:
http://no.wikipedia.org/wiki/Kripos'_barnepornofilter
This blocking is *in theory* voluntary - however, the government has
made it quite clear that unless a "sufficiently high" number of the
bigger ISPs agree to such blocking, the government will introduce laws
which *require* the ISPs to do it. So much for voluntary.
Of course, all this will do is prevent accidental surfing to domains
on the list. Anybody who *wants* this content can simply run his own
name server - and escape the blocking. So much for effectiveness.
Oh yeah, there are also the usual problems of collateral damage, no
well defined process around the maintenance of the list, etc. The four
criteria proposed in this article:
http://www.theregister.co.uk/2009/01/13/internet_regulation/
have clearly not been in the minds of the police / politicians that
introduced the system.
Steinar Haug, Nethelp consulting, sth...@nethelp.no
Nuno Paquete
>> This is NOT something BIND (or any DNS server) should do. Blocking
>> web sites
>> is business for web proxies, firewalls etc. Doing this stuff at DNS
>> level
>> could lead to many surprises.
I definetly agree with this.
> In Norway we have what is basically a government requirement for ISPs
> to block child porn domains, using a list supplied by the police.
Ok, but you can always browse by IP address and in this case there is
no DNS server than can stop you from browsing what you want.
If you want to block IP address access you have to use firewall, or if
you are talking about http traffic and have a proxy, maybe you have to
block there. That's why I completly agree this should not be blocked
at DNS level.
Nuno Paquete
Andrey G. Sergeev (AKA Andris)
Mon, 11 Oct 2010 18:37:43 +0200 Matus UHLAR - fantomas wrote:
> On 11.10.10 14:16, Alans wrote:
>> Thanks Dave, yes i know about OpenDNS, I'm trying to imlement
>> somehting kind of similar to that in a small scale.
>> So i was wondering about Bind dns capabilities and may be third
>> party stuffs that could integrate with bind dns in addition to the
>> ip/website list.
>
> This is NOT something BIND (or any DNS server) should do. Blocking
> web sites is business for web proxies, firewalls etc. Doing this
> stuff at DNS level could lead to many surprises.
Strongly agreed. And doing this brainf***ing stuff could lead to an
unpredictable glitches too.
"Render unto Caesar the things which are Caesar's, and unto God the
things that are God's" (Matthew 22:21).
--
Yours sincerely,
Andrey G. Sergeev (AKA Andris) http://www.andris.name/
Kevin Darcy
Ok, but you can always browse by IP address and in this case there is no DNS server than can stop you from browsing what you want.
If you want to block IP address access you have to use firewall, or if you are talking about http traffic and have a proxy, maybe you have to block there. That's why I completly agree this should not be blocked at DNS level.
- Kevin
Andrey G. Sergeev (AKA Andris)
Mon, 11 Oct 2010 19:38:54 +0200 (CEST) sth...@nethelp.no wrote:
> Unfortunately, in some countries you may be required to do so. The
> example I know best is, naturally, Norway.
>
> In Norway we have what is basically a government requirement for ISPs
> to block child porn domains, using a list supplied by the police. A
> decent description of the system, for those of you with a reading
> knowledge of Norwegian, is here:
>
> http://no.wikipedia.org/wiki/Kripos'_barnepornofilter
Would you please describe if brief for those who don't read in
Norwegian the methods the major Norwegian ISPs use to block the CP
domains?
Andrey G. Sergeev (AKA Andris)
Mon, 11 Oct 2010 20:07:40 +0300 Alans wrote:
> Why not? OpenDNS is a good example i think.
Good example? Was it a joke? Do the traceroute on IP addresses of the
two OpenDNS resolvers and you'll find that they both are behind the
same router. Do you still trust the OpenDNS people who advertise their
service as reliable?
P.S. Please don't top-post - this breaks the logic of the discussion
thread. Thank you.
> regards,
> Alans
>
> On 10/11/2010 07:37 PM, Matus UHLAR - fantomas wrote:
>> On 11.10.10 14:16, Alans wrote:
>>> Thanks Dave, yes i know about OpenDNS, I'm trying to imlement
>>> somehting kind of similar to that in a small scale.
>>> So i was wondering about Bind dns capabilities and may be third
>>> party stuffs that could integrate with bind dns in addition to the
>>> ip/website list.
>>
>> This is NOT something BIND (or any DNS server) should do. Blocking
>> web sites is business for web proxies, firewalls etc. Doing this
>> stuff at DNS level could lead to many surprises.
David Miller
> Hello Alans,
>
>
> Mon, 11 Oct 2010 20:07:40 +0300 Alans wrote:
>
>> Why not? OpenDNS is a good example i think.
> Good example? Was it a joke? Do the traceroute on IP addresses of the
> two OpenDNS resolvers and you'll find that they both are behind the
> same router. Do you still trust the OpenDNS people who advertise their
> service as reliable?
You are kidding right? ...or was this post a joke?
OpenDNS is Anycast - http://en.wikipedia.org/wiki/Anycast
Here is an DNS Stuff Vector Trace for 208.67.222.222 (one of OpenDNS'
resolvers):
http://www.dnsstuff.com/tools/vectortrace?ip=208.67.222.222&token=26314c5ba0c8ae4e2c32430c19d55018
Note that end points are very local to the widely spread start points.
From any one location an IP Anycast service will appear to be very
local. That is the point.
> P.S. Please don't top-post - this breaks the logic of the discussion
> thread. Thank you.
>
>> regards,
>> Alans
>>
>> On 10/11/2010 07:37 PM, Matus UHLAR - fantomas wrote:
>>> On 11.10.10 14:16, Alans wrote:
>>>> Thanks Dave, yes i know about OpenDNS, I'm trying to imlement
>>>> somehting kind of similar to that in a small scale.
>>>> So i was wondering about Bind dns capabilities and may be third
>>>> party stuffs that could integrate with bind dns in addition to the
>>>> ip/website list.
>>> This is NOT something BIND (or any DNS server) should do. Blocking
>>> web sites is business for web proxies, firewalls etc. Doing this
>>> stuff at DNS level could lead to many surprises.
--
-___________________________________
David Miller
Tiggee LLC
dmi...@tiggee.com
Ian Tait
-----Original Message-----
From: bind-users-bounces+ian.t=thoughtb...@lists.isc.org
[mailto:bind-users-bounces+ian.t=thoughtb...@lists.isc.org] On
Behalf Of Nuno Paquete
Sent: 11 October 2010 19:45
To: sth...@nethelp.no
Cc: bind-...@lists.isc.org; uh...@fantomas.sk
Subject: Re: Bind and blacklist IP file
<snip>
>Ok, but you can always browse by IP address and in this case there is
no DNS server than can stop you from
>browsing what you want.
Vaguely related, are host headers - a lot of webservers share an IP
address/many IP addresses and use host headers to 'display' the correct
website.
You wouldn't be able to browse a particular website hosted in this
fashion, by IP address.
Ian
Andrey G. Sergeev (AKA Andris)
Tue, 12 Oct 2010 10:54:19 +0100 "Ian Tait" wrote:
>> Ok, but you can always browse by IP address and in this case there
>> is no DNS server than can stop you from browsing what you want.
>
> Vaguely related, are host headers - a lot of webservers share an IP
> address/many IP addresses and use host headers to 'display' the
> correct website.
>
> You wouldn't be able to browse a particular website hosted in this
> fashion, by IP address.
If you know the website domain and the corresponding IP address and if
your ISP prevents you from accessing this website by timing out or
tampering DNS query results you can always put the entry like
192.168.10.20 www.domain.tld.
to your hosts file and access the site.
This technique is also in use when someone needs to access the site
which is on a not delegated domains.
--
Yours sincerely,
Andrey G. Sergeev (AKA Andris) http://www.andris.name/
Alans
properly. Try it for facebook, open homepage fine but once you login it
will fail.
Another thing, we are talking about a technical person, for other users
they don't know about hosts file or they don't have access to change it
even it they know about it.
regards.
Sam Wilson
Alans <alan...@gmail.com> wrote:
> [ Norwegian Gov vs ISPs, banning domains, and inserting local host
> entries to subvert such a ban ]
>
> Even this way, you should know all the IP of subdomains to work
> properly. Try it for facebook, open homepage fine but once you login it
> will fail.
> Another thing, we are talking about a technical person, for other users
> they don't know about hosts file or they don't have access to change it
> even it they know about it.
So there's a market opportunity for someone with half a clue to help out
his "friends".
Sam
Andrey G. Sergeev
Tue, 12 Oct 2010 16:52:15 +0300 Alans wrote:
> On 10/12/2010 03:44 PM, Andrey G. Sergeev (AKA Andris) wrote:
>> Hello Ian,
>>
>>
>> Tue, 12 Oct 2010 10:54:19 +0100 "Ian Tait" wrote:
>>
>>>> Ok, but you can always browse by IP address and in this case
>>>> there is no DNS server than can stop you from browsing what you
>>>> want.
>>>
>>> Vaguely related, are host headers - a lot of webservers share an
>>> IP address/many IP addresses and use host headers to 'display' the
>>> correct website.
>>>
>>> You wouldn't be able to browse a particular website hosted in this
>>> fashion, by IP address.
>>
>> If you know the website domain and the corresponding IP address and
>> if your ISP prevents you from accessing this website by timing out
>> or tampering DNS query results you can always put the entry like
>>
>> 192.168.10.20 www.domain.tld.
>>
>> to your hosts file and access the site.
>>
>> This technique is also in use when someone needs to access the site
>> which is on a not delegated domains.
>>
> Even this way, you should know all the IP of subdomains to work
> properly. Try it for facebook, open homepage fine but once you login
> it will fail.
If you can query at least one of the authoritative NS for the domain in
question then you would have no problems determining the IP addresses
you might need.
> Another thing, we are talking about a technical person, for other
> users they don't know about hosts file or they don't have access to
> change it even it they know about it.
Sure but please don't forget about the average level of computer skills
of the audience the most "underground" sites have.
--
Yours sincerely,
Andrey G. Sergeev (AKA Andris) http://www.andris.name/
Andrey G. Sergeev
Mon, 11 Oct 2010 18:38:24 -0400 David Miller wrote:
> On 10/11/2010 3:26 PM, Andrey G. Sergeev (AKA Andris) wrote:
>> Hello Alans,
>>
>>
>> Mon, 11 Oct 2010 20:07:40 +0300 Alans wrote:
>>
>>> Why not? OpenDNS is a good example i think.
>> Good example? Was it a joke? Do the traceroute on IP addresses of
>> the two OpenDNS resolvers and you'll find that they both are behind
>> the same router. Do you still trust the OpenDNS people who advertise
>> their service as reliable?
>
> You are kidding right? ...or was this post a joke?
Not at all.
> OpenDNS is Anycast - http://en.wikipedia.org/wiki/Anycast
Thanks, I know what anycast is and about the fact that OpenDNS uses it.
Besides of all that it still seems strange that *both* of their public
resolvers are behind the *same* router (peer1.rtr1.ams.opendns.com
[195.69.144.88] for me).
Kalman Feher
The straight forward answer to the original question is that BIND RPZ
features will allow you to isolate domains as requested. Noting that this is
_just_ DNS and as others have mentioned, that's hardly a solid wall of
unavailability for your blacklisted sites.
>> Another thing, we are talking about a technical person, for other
>> users they don't know about hosts file or they don't have access to
>> change it even it they know about it.
>
> Sure but please don't forget about the average level of computer skills
> of the audience the most "underground" sites have.
--
Kal Feher
Michael Sinatra
It doesn't seem strange when you think about it. Because anycast
already deals with the routing issue, your claim that having two systems
behind the same router leads to unreliability is effectively countered.
Moreover, for global anycast services (such as OpenDNS), you need a
larger covering prefix to carry the routes in BGP. In the case of
OpenDNS, it is 208.67.222.0/24. To place the two instances at different
PoPs, you would need two covering prefixes, which is a waste. For what
you appear to be concerned about, OpenDNS could simply use one address
for its service.
The reason to include a second address within the same prefix is for
non-routing issues, such as a hardware failure on the nameserver itself
where, for some reason, that anycast instance doesn't get taken out of
routing. The second address could be placed on a separate cluster in
the same PoP, so that the normal resolver failover could work properly
until the problem is corrected. Having a second address within the same
PoP is an additional layer of protection, especially if it's running on
different hardware.
See, for example:
http://www.pch.net/resources/papers/ipv4-anycast/ipv4-anycast.pdf
http://www.pch.net/resources/papers/dns-service-architecture/dns-service-architecture-v11.pdf
http://ftp.isc.org/isc/pubs/tn/isc-tn-2003-1.html (especially section 5)
As to the question of whether it is a good idea to do this type of
blacklisting in the DNS, that train has left the station already. This
sort of thing is already being implemented in an ad-hoc way in a lot of
organizations. Better to have a standard method for doing it (RPZ) than
ad-hoc, as you're less likely to run into the kinds of unpredictable
glitches that you are concerned about.
michael