Re: Bind and blacklist IP file

2010-10-11 Thread Kalman Feher



On 11/10/10 1:02 PM, Alans alans...@gmail.com wrote:

 
   Hello,
 
 Is it possible for bind dns to check the queries, if the returned answer
 exists in a file that contains blacklisted IPs then block it?
 
DNS RPZ may do what you want.

There is a patch on the isc.org website for 9.4, 9.6 and 9.7.1-P2,
described in further detail here:
ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt
and here:
http://www.isc.org/community/blog/201007/taking-back-dns-0

 One more thing, from where we can get/buy updated lists of categorized
 IPs/websites,
 like Gaming, Porn, Social...?
 
 Thanks,
 Alans
 
 
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users

-- 
Kal Feher 



Re: Bind and blacklist IP file

2010-10-11 Thread Alans
Thanks Dave, yes I know about OpenDNS, I'm trying to implement something
kind of similar to that on a small scale.
So I was wondering about Bind dns capabilities and maybe third-party
stuff that could integrate with bind dns in addition to the ip/website
list.


regards,
Alans

On 10/11/2010 02:06 PM, David Peall wrote:

Have you looked at:
http://www.opendns.com/

--
Dave

On 11 October 2010 13:02, Alans alans...@gmail.com wrote:

  Hello,

Is it possible for bind dns to check the queries, if the returned answer
exists in a file that contains blacklisted IPs then block it?

One more thing, from where we can get/buy updated lists of categorized
IPs/websites,
like Gaming, Porn, Social...?

Thanks,
Alans









Reason for separate libdns and libisc export libraries

2010-10-11 Thread Adam Tkac
Hello all,

I would like to ask you for the reason why there are separate versions
of libdns, libisc & friends, called export libraries in BIND 9.7
series.

If I understand correctly those export libs are supposed to be used
from non-BIND9 applications and some methods are lightweight compared
to full-featured BIND9 versions. In my opinion it's good idea to offer
two versions of certain methods. However I don't understand why those
methods need to be in separate library and, which is even worse, this
library has the same name as the full-featured BIND9 lib. It is the best
way to get various run-time issues, like unresolved symbols. Another issue
is that isc-config.sh utility (which is used to determine CFLAGS,
LDFLAGS etc) has no support for this dual-library setup.

In my opinion export libs and standard libs should be merged together
or should be renamed (for example to libdns-export.so). I must note
rename is probably worse case because dynamic linker can randomly
pick methods with same name from libdns.so or from libdns-export.so.
I think the best solution is to merge two libs into one and select
methods via preprocessor flag (-DBIND9). The merged library will
look like:

isc/namespace.h:

#ifdef BIND9
#define isc_something isc__something
#endif

libisc.so:
isc_something
isc__something

So there will be no runtime issues. May I ask you if you can change
current dynamic libraries setup somehow? I can prepare the patches,
if you are interested.

Regards, Adam

-- 
Adam Tkac, Red Hat, Inc.


Re: Bind and blacklist IP file

2010-10-11 Thread Lyle Giese
Alans wrote:
 Hello,

 Is it possible for bind dns to check the queries, if the returned answer
 exists in a file that contains blacklisted IPs then block it?

 One more thing, from where we can get/buy updated lists of categorized
 IPs/websites,
 like Gaming, Porn, Social...?

 Thanks,
 Alans



You really need a web proxy with filtering software (like squidGuard) and
some block lists to do this.

http://www.squidguard.org/blacklists.html


Re: Unable to query the nameserver

2010-10-11 Thread Matus UHLAR - fantomas
On 10.10.10 21:03, Doug Barton wrote:
 http://dougbarton.us/DNS/bind-users-FAQ.html#nslookup-evil

Nice, but I miss there some explanations that were mentioned here, e.g.
it sometimes does not query the server the user asks for (IIRC).

Something could be reworded, e.g. it uses system libraries that could use
/etc/hosts, while host/dig query the DNS server directly...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines. 


Re: Bind and blacklist IP file

2010-10-11 Thread Matus UHLAR - fantomas
On 11.10.10 14:16, Alans wrote:
 Thanks Dave, yes I know about OpenDNS, I'm trying to implement something
 kind of similar to that on a small scale.
 So I was wondering about Bind dns capabilities and maybe third-party
 stuff that could integrate with bind dns in addition to the ip/website
 list.

This is NOT something BIND (or any DNS server) should do. Blocking web sites
is business for web proxies, firewalls etc. Doing this stuff at DNS level
could lead to many surprises.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese. 


Re: Bind and blacklist IP file

2010-10-11 Thread Alans

Why not? OpenDNS is a good example I think.
Also, I think as mentioned in Kal's email, DNS RPZ from isc is an
approach to implement these functionalities at DNS level.


We want to give individuals/customers access to their account to block 
what they want to block, something similar to OpenDNS but in a small scale.


regards,
Alans

On 10/11/2010 07:37 PM, Matus UHLAR - fantomas wrote:

On 11.10.10 14:16, Alans wrote:

Thanks Dave, yes I know about OpenDNS, I'm trying to implement something
kind of similar to that on a small scale.
So I was wondering about Bind dns capabilities and maybe third-party
stuff that could integrate with bind dns in addition to the ip/website
list.


This is NOT something BIND (or any DNS server) should do. Blocking web sites
is business for web proxies, firewalls etc. Doing this stuff at DNS level
could lead to many surprises.




Re: Bind and blacklist IP file

2010-10-11 Thread sthaug
  Thanks Dave, yes I know about OpenDNS, I'm trying to implement something
  kind of similar to that on a small scale.
  So I was wondering about Bind dns capabilities and maybe third-party
  stuff that could integrate with bind dns in addition to the ip/website
  list.
 
 This is NOT something BIND (or any DNS server) should do. Blocking web sites
 is business for web proxies, firewalls etc. Doing this stuff at DNS level
 could lead to many surprises.

Unfortunately, in some countries you may be required to do so. The
example I know best is, naturally, Norway.

In Norway we have what is basically a government requirement for ISPs
to block child porn domains, using a list supplied by the police. A
decent description of the system, for those of you with a reading
knowledge of Norwegian, is here:

  http://no.wikipedia.org/wiki/Kripos'_barnepornofilter

This blocking is *in theory* voluntary - however, the government has
made it quite clear that unless a sufficiently high number of the
bigger ISPs agree to such blocking, the government will introduce laws
which *require* the ISPs to do it. So much for voluntary.

Of course, all this will do is prevent accidental surfing to domains
on the list. Anybody who *wants* this content can simply run his own
name server - and escape the blocking. So much for effectiveness.

Oh yeah, there are also the usual problems of collateral damage, no
well defined process around the maintenance of the list, etc. The four
criteria proposed in this article:

 http://www.theregister.co.uk/2009/01/13/internet_regulation/

have clearly not been in the minds of the police / politicians that
introduced the system.

Steinar Haug, Nethelp consulting, sth...@nethelp.no




Re: Bind and blacklist IP file

2010-10-11 Thread Nuno Paquete

Hi.

This is NOT something BIND (or any DNS server) should do. Blocking web sites
is business for web proxies, firewalls etc. Doing this stuff at DNS level
could lead to many surprises.


I definitely agree with this.


In Norway we have what is basically a government requirement for ISPs
to block child porn domains, using a list supplied by the police.


Ok, but you can always browse by IP address and in this case there is
no DNS server that can stop you from browsing what you want.
If you want to block IP address access you have to use a firewall, or if
you are talking about http traffic and have a proxy, maybe you have to
block there. That's why I completely agree this should not be blocked
at DNS level.


Nuno Paquete


Re: Bind and blacklist IP file

2010-10-11 Thread Andrey G. Sergeev (AKA Andris)
Hello  Matus,


Mon, 11 Oct 2010 18:37:43 +0200 Matus UHLAR - fantomas wrote:

 On 11.10.10 14:16, Alans wrote:
 Thanks Dave, yes I know about OpenDNS, I'm trying to implement
 something kind of similar to that on a small scale.
 So I was wondering about Bind dns capabilities and maybe third-
 party stuff that could integrate with bind dns in addition to the
 ip/website list.
 
 This is NOT something BIND (or any DNS server) should do. Blocking
 web sites is business for web proxies, firewalls etc. Doing this
 stuff at DNS level could lead to many surprises.

Strongly agreed. And doing this brainf***ing stuff could lead to
unpredictable glitches too.

Render unto Caesar the things which are Caesar's, and unto God the
things that are God's (Matthew 22:21).


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Bind and blacklist IP file

2010-10-11 Thread Kevin Darcy

On 10/11/2010 2:44 PM, Nuno Paquete wrote:


Ok, but you can always browse by IP address and in this case there is
no DNS server that can stop you from browsing what you want.
If you want to block IP address access you have to use a firewall, or if
you are talking about http traffic and have a proxy, maybe you have to
block there. That's why I completely agree this should not be blocked
at DNS level.




To nitpick: address-block-based filtering *could* be implemented in DNS.
The same mechanisms that are used to prevent rebinding attacks -- e.g. 
BIND's *deny-answer-addresses* -- could theoretically be repurposed to 
strip addresses in certain banned ranges from DNS responses. Arguably 
this is a misuse/abuse of the feature.





- Kevin


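To make Kevin's point concrete, here is an added example that is not code from the thread or from BIND itself: a Python model of the deny-answer-addresses / except-from check, applied to a constructed answer set. The legitimate purpose of the check is rebinding prevention, a name outside your network resolving to an address inside it, so the denied ranges here are the RFC 1918 private prefixes and the corp.example exemption stands in for names that are allowed to resolve to internal space. The record tuples, the range list and the exemption are all constructed for the example; the function returns both the kept and the dropped records, because whether a hit means stripping one record or refusing the whole response is a separate policy decision.

```python
import ipaddress

# Constructed policy (not from the thread): the RFC 1918 ranges a resolver
# refuses to return to clients, which is the rebinding-prevention use of
# deny-answer-addresses, plus the except-from exemption for names that
# legitimately resolve to internal space.
DENY_RANGES = [ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXCEPT_FROM = ("corp.example.",)

# Constructed answer set as (owner, rtype, rdata) tuples.
SAMPLE_ANSWER = [
    ("www.rebind.example.test.", "A", "192.168.1.10"),     # points into private space
    ("www.rebind.example.test.", "A", "203.0.113.5"),      # public address, fine
    ("intranet.corp.example.", "A", "10.1.2.3"),           # exempted domain, fine
    ("mail.example.test.", "MX", "10 mx.example.test."),   # not an address record
]


def in_except_from(owner, except_from=EXCEPT_FROM):
    """True if owner is at or below one of the exempted domains (case-insensitive)."""
    owner = owner.lower().rstrip(".") + "."
    for domain in except_from:
        domain = domain.lower().rstrip(".") + "."
        if owner == domain or owner.endswith("." + domain):
            return True
    return False


def filter_answer(rrs, deny=DENY_RANGES, except_from=EXCEPT_FROM):
    """Apply the address policy to a list of (owner, rtype, rdata) records.

    A and AAAA records whose address lies in a denied range are moved to the
    dropped list unless their owner is under an except-from domain; every
    other record is kept.  Returns (kept, dropped) so the caller can decide
    whether a hit means stripping the record or refusing the whole answer.
    """
    kept, dropped = [], []
    for owner, rtype, rdata in rrs:
        if rtype in ("A", "AAAA") and not in_except_from(owner, except_from):
            addr = ipaddress.ip_address(rdata)
            # 'addr in net' is False across address families, so an AAAA
            # record is never matched against an IPv4 prefix by accident.
            if any(addr in net for net in deny):
                dropped.append((owner, rtype, rdata))
                continue
        kept.append((owner, rtype, rdata))
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_answer(SAMPLE_ANSWER)
    for rr in dropped:
        print("dropped:", rr)
    for rr in kept:
        print("kept:   ", rr)
```

Two details matter in practice and are visible in the code: the exemption is a suffix match on the owner name, so a look-alike such as corp.example.evil.test is not exempted, and the check only ever looks at address records, so a denied range can never accidentally suppress an MX or NS answer. Repurposing the same mechanism to carry a content blacklist, as Kevin notes, works mechanically but turns a narrow safety check into a general filter with the surprises Matus warned about.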

Re: Bind and blacklist IP file

2010-10-11 Thread Andrey G. Sergeev (AKA Andris)
Hello Steinar,


Mon, 11 Oct 2010 19:38:54 +0200 (CEST) sth...@nethelp.no wrote:

 Unfortunately, in some countries you may be required to do so. The
 example I know best is, naturally, Norway.
 
 In Norway we have what is basically a government requirement for ISPs
 to block child porn domains, using a list supplied by the police. A
 decent description of the system, for those of you with a reading
 knowledge of Norwegian, is here:
 
 http://no.wikipedia.org/wiki/Kripos'_barnepornofilter

Would you please describe in brief, for those who don't read
Norwegian, the methods the major Norwegian ISPs use to block the CP
domains?


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Bind and blacklist IP file

2010-10-11 Thread Andrey G. Sergeev (AKA Andris)
Hello Alans,


Mon, 11 Oct 2010 20:07:40 +0300 Alans wrote:

 Why not? OpenDNS is a good example i think.

Good example? Was it a joke? Do the traceroute on IP addresses of the
two OpenDNS resolvers and you'll find that they both are behind the
same router. Do you still trust the OpenDNS people who advertise their
service as reliable?

P.S. Please don't top-post - this breaks the logic of the discussion
thread. Thank you.

 regards,
 Alans
 
 On 10/11/2010 07:37 PM, Matus UHLAR - fantomas wrote:
 On 11.10.10 14:16, Alans wrote:
 Thanks Dave, yes I know about OpenDNS, I'm trying to implement
 something kind of similar to that on a small scale.
 So I was wondering about Bind dns capabilities and maybe third-
 party stuff that could integrate with bind dns in addition to the
 ip/website list.

 This is NOT something BIND (or any DNS server) should do. Blocking
 web sites is business for web proxies, firewalls etc. Doing this
 stuff at DNS level could lead to many surprises.


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: AXFR partially timed out

2010-10-11 Thread Beat Jucker
 I have a very strange problem with AXFR. We are using a master and a
 secondary DNS Server with an internal and an external view. Depending
 on the source address the secondary server will get the internal or
 external view for zone transfer.
 
 Everything is working correctly so far except only one specific zone file
 won't get transferred. In the external view there are about 70 zones
 defined. Every zone will get transferred except one and only one won't.
 Therefore there can't be a problem with the firewall.
 
 Then I scaled down the secondary DNS server to just about 2 zones and
 again: this specific zone file won't get transferred even though the master
 said AXFR started and AXFR ended for this particular zone. On
 the secondary server I get giving up: timed out.

 Is the problem zone larger than the ones that are not a problem?  If so 
 it may be a MTU problem, or even a firewall that does things differently 
 based on packet sizes.

Indeed the trouble zone is about double the size of the other zones.
Both DNS servers are Solaris boxes and communicate by plain TCP (no VPN).
How can I check for an MTU problem and how can I influence it?

When I ask for the zone with the dig utility everything is OK, but not
when the zone gets requested by named ... head scratching ...

Thanks a lot
-- Beat



Re: Bind and blacklist IP file

2010-10-11 Thread David Miller

 On 10/11/2010 3:26 PM, Andrey G. Sergeev (AKA Andris) wrote:

Hello Alans,


Mon, 11 Oct 2010 20:07:40 +0300 Alans wrote:


Why not? OpenDNS is a good example i think.

Good example? Was it a joke? Do the traceroute on IP addresses of the
two OpenDNS resolvers and you'll find that they both are behind the
same router. Do you still trust the OpenDNS people who advertise their
service as reliable?


You are kidding, right?  ...or was this post a joke?

OpenDNS is Anycast - http://en.wikipedia.org/wiki/Anycast

Here is a DNSStuff Vector Trace for 208.67.222.222 (one of OpenDNS'
resolvers):

http://www.dnsstuff.com/tools/vectortrace?ip=208.67.222.222&token=26314c5ba0c8ae4e2c32430c19d55018

Note that the end points are very local to the widely spread start points.

From any one location an IP Anycast service will appear to be very
local.  That is the point.



P.S. Please don't top-post - this breaks the logic of the discussion
thread. Thank you.


regards,
Alans

On 10/11/2010 07:37 PM, Matus UHLAR - fantomas wrote:

On 11.10.10 14:16, Alans wrote:

Thanks Dave, yes I know about OpenDNS, I'm trying to implement
something kind of similar to that on a small scale.
So I was wondering about Bind dns capabilities and maybe third-
party stuff that could integrate with bind dns in addition to the
ip/website list.

This is NOT something BIND (or any DNS server) should do. Blocking
web sites is business for web proxies, firewalls etc. Doing this
stuff at DNS level could lead to many surprises.



-- 
David Miller
Tiggee LLC
dmil...@tiggee.com
