DNS RPZ zone with a squidGuard blacklist

Response Policy Zones

Bind9 recently acquired the ability to deal with blacklists. This means that when any application does a DNS query through an appropriately configured DNS server, a lookup for one of the zones found in the blacklists gets the server's policy answer instead of the real one and, depending on how the DNS server is configured, that response is a redirection. This ability is achieved through something called Response Policy Zones (RPZ).

Why do this? If you have an application that is making DNS queries to a zone that is blacklisted, then this method will stop the application from reaching that zone.

A quick note about proxies.

Now, for browsers that are configured to use a proxy, the proxy will respond with its rules first, and if the zone is not in the proxy's blacklist then a DNS lookup will take place and the user/application will be redirected. At least, that's what I have noticed using squid proxies and Firefox.

Here is how the DNS blacklisting works:

Add the following line in the “options” stanza of your bind9 DNS server:

response-policy { zone "rpz"; };

Create a zone with the following options and place it in your named.conf as appropriate:

zone "rpz." IN {
    type master;
    file "hosts/masters/rpz-hosts";
};

Now create the zone file (hosts/masters/rpz-hosts) with all the data. A short example follows:

$TTL 1D
@ 1D  IN SOA myserver.localdomain.local. hostmaster 36 8H 2H 1W 2H
@                    IN  NS      myserver.localdomain.local.
thatverybadguy.com   IN  CNAME   www.google.com.
thatverybadgirl.com  IN  A       127.0.0.1
thatverybaddog.com   IN  CNAME   default.localdomain.local.

Make sure your test machine is pointing at the modified name server, then test the configuration using your browser or tools like dig and nslookup.

So once you have that working to your satisfaction, the next step is to download a blacklist, modify it to look like a DNS zone file, load it into your name server, and you're done. That is more easily said than done. As of this date, the resulting DNS zone file has 984644 lines, each line representing a blacklisted domain. So, when it is more easily said than done, a good systems administrator will open up the tool box and retrieve the appropriate scripting tool.

And so I did. I wrote the following perl script, which will update a bind9 zone with a blacklist from squidGuard.

The problem with the squidGuard blacklist is that it is full of garbage, as in badly formatted data. But I think I managed to work through that. This script was developed on Fedora Core 15 using the squid proxy server and the squidGuard redirector. YMMV.
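As an added example of the conversion step described above (this is not the author's perl script, which is distributed separately as a signed download), here is a Python sketch that takes a squidGuard "domains" file, discards the malformed lines, applies an exclude list in the spirit of the -e option, and writes the records in the layout of the short zone file shown earlier. The function names, the constructed sample input and the exclusion semantics (an excluded name also excludes its subdomains) are my assumptions. It goes one step beyond the short zone file by also emitting a "*.domain" record for each entry, because an RPZ QNAME trigger matches the exact name only, whereas a squidGuard domain entry also covers subdomains.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Set

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise_domain(raw: str) -> Optional[str]:
    """Reduce one line of a squidGuard 'domains' file to a bare lowercase domain.

    Returns None for lines that must not reach the zone file: blanks, comments,
    single labels, bare IP addresses and names with characters BIND rejects.
    A leading dot (squidGuard's "domain and subdomains" form), a URL scheme,
    a path, a port suffix and a trailing dot are stripped first.
    """
    line = raw.split("#", 1)[0].strip()                        # comments, whitespace
    line = re.sub(r"^[a-z][a-z0-9+.-]*://", "", line, flags=re.I)  # scheme
    line = line.split("/", 1)[0].split(":", 1)[0]              # path, then port
    line = line.strip(".").lower()
    if not line or len(line) > 253:
        return None
    try:
        ipaddress.ip_address(line)                             # bare IP: not a name
        return None
    except ValueError:
        pass
    labels = line.split(".")
    if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
        return None
    return line


def is_excluded(domain: str, excludes: Set[str]) -> bool:
    """Assumed -e semantics: an excluded name also covers everything beneath it."""
    return any(domain == e or domain.endswith("." + e) for e in excludes)


def collect_domains(lines: Iterable[str], excludes: Iterable[str] = ()) -> List[str]:
    """Clean, dedupe, filter and sort the blacklist so the zone file is deterministic."""
    excl = {d for d in map(normalise_domain, excludes) if d}
    seen: Set[str] = set()
    for raw in lines:
        d = normalise_domain(raw)
        if d and d not in seen and not is_excluded(d, excl):
            seen.add(d)
    return sorted(seen)


def render_rpz_zone(domains: List[str], target: str, serial: int,
                    origin_ns: str = "myserver.localdomain.local.",
                    wildcards: bool = True) -> str:
    """Write the zone in the layout of the short example zone file.

    An IPv4 target becomes an A record (like the script's default of 127.0.0.1);
    anything else becomes a CNAME to that host. RPZ QNAME triggers match the
    exact name only, so a '*.domain' record is added to cover subdomains.
    """
    try:
        ipaddress.IPv4Address(target)
        rdata = f"IN  A       {target}"
    except ValueError:
        rdata = f"IN  CNAME   {target.rstrip('.')}."
    out = [
        "$TTL 1D",
        f"@ 1D  IN SOA {origin_ns} hostmaster {serial} 8H 2H 1W 2H",
        f"@                    IN  NS      {origin_ns}",
    ]
    for d in domains:
        out.append(f"{d:<20} {rdata}")
        if wildcards:
            out.append(f"{'*.' + d:<20} {rdata}")
    return "\n".join(out) + "\n"


# Constructed sample of a squidGuard 'domains' file with the kinds of malformed
# lines the post complains about; not real blacklist data.
SAMPLE_DOMAINS = """\
# comment line
thatverybadguy.com
.ThatVeryBadGirl.com
http://thatverybaddog.com/some/path
thatverybadguy.com
ads.example.net:8080
good.example.org
bad_label.example.com
192.0.2.10
localhost
"""
SAMPLE_EXCLUDES = ["example.org"]       # constructed exclude list, as passed with -e


if __name__ == "__main__":
    records = collect_domains(SAMPLE_DOMAINS.splitlines(), SAMPLE_EXCLUDES)
    print(render_rpz_zone(records, target="127.0.0.1", serial=36), end="")
```

Run stand-alone it prints a zone containing only the four usable names from the sample (the duplicate, the excluded host, the underscore label, the bare IP and the single-label entry are dropped). Bumping the SOA serial on every run is what makes BIND notice the new zone content after a reload, so the script that writes the real file should derive it from the date or a counter rather than hard-code it.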

Running the command with no options will print the following usage statement:

Usage:
./zone_blacklist.pl:   
      where:
        -z [DNS zone]. -hosts will be appended to the end.
              default: rpz-hosts
        -n [named path]
              default: /var/named/chroot/var/named/masters
        -b [squidGuard blacklist directory path].
              Default: /var/squidGuard
        -l [squidGuard Log directory path].
              Default: /var/log/squidGuard.
           Used to change permissions
              default owner and group: squid:squid
        -t [website domain name] redirect all websites to this
           target site.
              Default site: 127.0.0.1
        -s Update SquidGuard .db files after the download.
              default is to not update
        -e file of domains that will not be put into the rpz zone
        -p [ http://your.proxy.server:port ]
        -r restart squid
        -d debug
    -h this message

I set it up in my root crontab as follows:

# m h  dom mon dow   command
# .----------------minute (0 - 59)
# |   .----------  hour (0 - 23)
# |   |   .------- day of month (1 - 31)
# |   |   |   .----month (1 - 12) OR jan,feb,mar,apr ...
# |   |   |   |  .-day of week (0 - 7) (Sunday=0 or 7) 
# |   |   |   |  |           OR sun,mon,tue,wed,thu,fri,sat
# |   |   |   |  |
# *   *   *   *  *  command to be executed
################################################################################
00 23 * * 0 /usr/local/dns/zone_blacklist.pl -z rpz -s -r -t default.example.com -p "http://192.168.x.x:3128" -e /var/squidGuard/dev/DNS/zone_blacklist_exclude 1>/tmp/zone_blacklist.log 2>&1
################################################################################

Here is the script (version 1.10):

I added the ability to use an exclude list, so you can use -e file, where file is a list of domains that are to be excluded from the rpz zone.

and here is the script:

To verify the files:

  • Import the gpg key from here
  • Remove the “_.txt” ending from the file names if you downloaded the files.

then

$ gpg --verify filename.asc filename

zone_blacklist.pl
zone_blacklist.pl.asc

Comments

    • I’m sorry it’s not working for you. I don’t have a lot of time to support problems like these.
      You can always use the debug (-d) option and see if that helps.
      You must know perl and BIND9 DNS running on unix.
      I’m not so sure it’s as useful as a proxy and a proxy blacklist service.
      It’s an interesting script and has some useful subroutines in it. But I’m not convinced as to its usefulness.
