1

I am trying to sinkhole/blackhole a list of domains using bind. I think my issue is using "Include" in the WRONG place on the conf. Can someone confirm the blacklist line of code is in the right place? 

include "/etc/rndc.key";
controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
options {
    directory                "/var/named"; // the default
    pid-file                 "/var/run/named/named.pid";
    dump-file                "data/cache_dump.db";
    statistics-file          "data/named_stats.txt";
    allow-transfer {"none";};
};
logging {
    channel default_debug {
            file "data/named.run";
            severity dynamic;
    };
};
view "localhost_resolver" {

 include "/var/named/blacklist.zones"; //RIGHT HERE!!!!!!!!!!!!!!

    match-clients         { 127.0.0.1/32; };
    match-destinations    { localhost; };
    recursion yes;

    zone "." IN {
        type hint;
        file "/var/named/named.ca";
    };
    include "/var/named/named.rfc1912.zones";
};
view "internal" {
    match-clients        { localnets; };
    match-destinations    { localnets; };
    recursion yes;

    zone "." IN {
        type hint;
        file "/var/named/named.ca";
    };
zone "my.real.domain" {
    type master;
    file "/var/named/my.real.domain.zone";
};

};
view    "external" {
    recursion no;
    zone "." IN {
        type hint;
        file "/var/named/named.ca";
    };

zone "my.real.domain" {
    type master;
    file "/var/named/my.real.domain.zone";
};

};

I could only get named service to start by putting it there. Log shows that the domains are loaded. Blacklist simply fw to 127.0.0.1, so this seems to work. When I

dig @127.0.0.1 blacklisted.domain

I get successful answer, pointing to 127 .. and the configured nameserver. But when I

ping blacklisted.domain

it pings the real ip, it resolves through the DNS. Can someone shed some light? I simply want to block a list of domains from local access. I know, I love dnsmasq too.

  • Using Rhel7 fyi. I want to use these resources http://dns-bh.sagadc.org –  Feb 09 '18 at 09:23
  • *"When I `dig @127.0.0.1 blacklisted.domain` I get successful answer, pointing to 127 .. and the configured nameserver."* - This means that the bind setup itself seems to work, which was the security relevant part. *"But when I `ping blacklisted.domain` it pings the real ip, it resolves through the DNS."* - this suggests that ping is not using the name server you have configured to blacklist IP. Make sure `/etc/resolv.conf` is configured correctly to point to this nameserver. Also, it is off-topic on how to configure your system to use the correct DNS server, try superuser.com instead. – Steffen Ullrich Feb 09 '18 at 09:54
  • Sorry, I wasn't sure either, I thought "security"... YES, ping is using resolv.conf, which in turn has the usual 8.8.8.8 what should I change this to? literally the same NS i am using on the block? then how will any other domain be queried? –  Feb 09 '18 at 10:08
  • The bind configuration might have been security, but this configuration was already working, Configuring which DNS server to use is normal system configuration which has nothing to do with information security, i.e. off-topic. Also, the 8.8.8.8 was probably configured by you already so just configure it to use 127.0.0.1 in the same place instead. But again, it's off-topic and try superuser.com. – Steffen Ullrich Feb 09 '18 at 10:53
  • Why is 8.8.8.8 "usual" in `/etc/resolv.conf`? Specifically when/if you run a local recursive nameserver this makes no sense. Also try `9.9.9.9` for a change instead ;-) – Patrick Mevzek Feb 09 '18 at 14:50

2 Answers2

3

Blocking domain names at a DNS level is a bad idea, see this document: http://www.afnic.fr/medias/documents/conseilscientifique/SC-consequences-of-DNS-based-Internet-filtering.pdf

Also, it is a bad idea to mix recursive and authoritative functions in the same instance.

However if you need to do DNS firealling, there is a specific feature supported by BIND (and some other nameservers), called RPZ for Response Policy Zones.

See https://dnsrpz.info/ for all details but in short:

Domain Name Service Response Policy Zones (DNS RPZ) is a method that allows a nameserver administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. It is currently implemented in the ISC BIND nameserver (9.8 or later). Another generic name for the DNS RPZ functionality is "DNS firewall".

Specifically for BIND search the section "Response Policy Zone (RPZ) Rewriting" in ftp://ftp.isc.org/isc/bind9/cur/9.11/doc/arm/Bv9ARM.ch06.html

It will give you this example that will work out of the box for your need, as soon as you put the correct domain names:

For example, you might use this option statement

response-policy { zone "badlist"; };

and this zone statement

zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };

with this zone file

$TTL 1H
@                       SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
                        NS  LOCALHOST.

; QNAME policy records.  There are no periods (.) after the owner names.
nxdomain.domain.com     CNAME   .               ; NXDOMAIN policy
Patrick Mevzek
  • 9,921
  • 7
  • 32
  • 43
-3

These 2 lines needed to be added to options on /etc/named.conf

listen-on port 53 { 127.0.0.1; "public IP" ; }; 
forwarders { 9.9.9.9; 8.8.8.8; };

Working Perfectly after the above.

  • I was asking specifically for the main config file. I had all the rest done already Patrick.