dhottin...@harrisonburg.k12.va.us wrote:
Quoting Kevin Darcy <k...@chrysler.com>:

dhottin...@harrisonburg.k12.va.us wrote:
Quoting Doug McIntyre <mer...@dork.geeks.org>:

In comp.protocols.dns.bind you write:
Has anyone used their internal dns server for blacklisting? I would
like to specifically block access to domains that are spreading
malware. I was grepping around the internet and fell upon this
website http://www.malwaredomains.com/, but don't seem to be able to
get my internal name server to like any of the configs I push on it.
Thanks for any advice that might be offered.

It should be easy enough to take the list, parse it into config line
items pointing to a single zone file that just maps * to 127.0.0.1 or
something.

Or you could just use OpenDNS?

(Not that I use them, but that's one of the free features they support).


Sounds good, and that is what I thought (except for OpenDNS). However, I created a zone file named blacklist.host and added an entry into my named.conf file that said
zone "00.devoid.us" {
type master;
file "blockeddomains.host";
};

When I restart named I get the following error message in my message logs:

Mar 24 14:14:14.970 dns_master_load: blockeddomains.host:9: no current owner name
Mar 24 14:14:14.971 zone 00.devoid.us/IN: loading master file blockeddomains.host: no owner

I actually have 8 existing zones on this server and they each have a root server listed in their zone files. Do I need to have a root server in this one?

This isn't an architecture problem, it's a syntax error in the zone file.

If you post the contents of the file, up to line 9, we should be able
to spot the syntax error and explain to you how to fix it.

- Kevin

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Contents of blockeddomains.host:
$TTL 86400 ; one day

@ IN SOA ns.hhs.harrisonburg.k12.va.us
(
2004061000 ; serial number 09032401
28800 ; refresh 8 hours
7200 ; retry 2 hours
864000 ; expire 10 days
86400 ) ; min ttl 1 day
NS ns1.harrisonburg.k12.va.us.
NS ns2.harrisonburg.k12.va.us.

A 0.0.0.0

* IN A 0.0.0.0
Before the all-numeric fields, your SOA record needs both an MNAME field and an RNAME field. MNAME (which you have) should be the name of the primary master; but if you fully qualify the name you should dot-terminate it, to keep the zone origin ("00.devoid.us") from being appended. RNAME is a standard SMTP contact email address for the zone, e.g. ad...@harrisonburg.k12.va.us, with the @ in the email address replaced with a dot. As with MNAME, make sure to dot-terminate RNAME too if the domain part of the email address is fully qualified. Your SOA should have a total of 7 fields, and you're only showing 6; RNAME is missing. A syntactically better SOA might look like

@ IN SOA ns.hhs.harrisonburg.k12.va.us. admin.harrisonburg.k12.va.us. (
2004061000
28800
7200
864000
86400
)

Beyond that, I can't really tell because of the way email gets reformatted, but if you have any whitespace before "@" or "*", that's going to be a problem; the opening parenthesis should also be on the first SOA line.

Last and least, the "min ttl" comment is misleading. The last field of the SOA record is now used as the "negative caching TTL", not "minimum" in any sense of the word. The comment should probably reflect that.

Note that you can use the named-checkzone utility -- included in the BIND distribution -- to check a zone file for syntax errors, without actually trying to get named to load the file.
- Kevin
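The approach Doug sketches earlier in the thread (parse the blocklist into one zone statement per domain, all pointing at a single blackhole zone file) combined with Kevin's SOA correction, as an added example; this is not code from the thread or from malwaredomains.com. It assumes a plain one-domain-per-line feed (the constructed SAMPLE_LIST below), the zone file name and nameserver names from the thread, and 0.0.0.0 as the sink address as in the posted file; the function names are mine. The soa_field_count helper reproduces Kevin's count for the SOA as posted (6 fields) and for a corrected one (7).

```python
import re

# Strict hostname check. The blocklist is untrusted text fetched from the
# internet and ends up inside named.conf, so any line that is not a plain
# DNS name (quotes, braces, semicolons, whitespace, ...) is rejected rather
# than copied into the configuration.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

# Constructed sample list (not the real malwaredomains.com feed); the last
# two lines show the kind of input the validation exists to drop.
SAMPLE_LIST = """\
# constructed sample blocklist
00.devoid.us
Bad-Site.example.
00.devoid.us
not a domain
evil.example"; include "/etc/passwd
"""

# The zone file exactly as posted in the thread (first records only),
# reproduced so the field counter below can be run against it.
POSTED_ZONE = """\
$TTL 86400 ; one day

@ IN SOA ns.hhs.harrisonburg.k12.va.us
(
2004061000 ; serial number 09032401
28800 ; refresh 8 hours
7200 ; retry 2 hours
864000 ; expire 10 days
86400 ) ; min ttl 1 day
NS ns1.harrisonburg.k12.va.us.
"""


def parse_blocklist(text):
    """Return a sorted, de-duplicated list of valid domains from the feed.

    '#' comments and blank lines are skipped, names are lower-cased and a
    trailing dot is tolerated; anything failing the hostname check is dropped.
    """
    seen = set()
    for raw in text.splitlines():
        name = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if name and len(name) <= 253 and _HOSTNAME_RE.match(name):
            seen.add(name)
    return sorted(seen)


def zone_statements(domains, zone_file="blockeddomains.host"):
    """named.conf fragment: one master zone per domain, all sharing zone_file."""
    return "".join(
        f'zone "{d}" {{\n    type master;\n    file "{zone_file}";\n}};\n'
        for d in domains
    )


def blackhole_zone(mname, contact_email, serial, sink="0.0.0.0", ns=()):
    """Shared master file: 7-field SOA, NS records, and the sink address.

    MNAME and RNAME are dot-terminated so the origin of whichever zone loads
    the file is not appended; '@' in the contact address becomes a dot and
    dots in the local part are escaped, as the master file format requires.
    """
    local, domain = contact_email.split("@", 1)
    local = local.replace(".", "\\.")
    rname = f"{local}.{domain.rstrip('.')}."
    lines = [
        "$TTL 86400",
        f"@\tIN\tSOA\t{mname.rstrip('.')}. {rname} (",
        f"\t\t{serial}\t; serial",
        "\t\t28800\t; refresh",
        "\t\t7200\t; retry",
        "\t\t864000\t; expire",
        "\t\t86400 )\t; negative caching TTL",
    ]
    lines += [f"\tIN\tNS\t{n.rstrip('.')}." for n in ns]
    lines += [f"\tIN\tA\t{sink}", f"*\tIN\tA\t{sink}"]
    return "\n".join(lines) + "\n"


def soa_field_count(zone_text):
    """Number of fields after 'SOA' in a master file (BIND expects 7).

    ';' comments are stripped and a parenthesised multi-line RDATA is joined.
    Leniently, a '(' that opens on its own line is pulled up to the line above
    so the count reflects what the author wrote; named itself rejects that
    layout. Returns None when there is no SOA record.
    """
    records, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if depth > 0 or (line.startswith("(") and records):
            records[-1] += " " + line
        else:
            records.append(line)
        depth += line.count("(") - line.count(")")
    for rec in records:
        toks = rec.replace("(", " ").replace(")", " ").split()
        upper = [t.upper() for t in toks]
        if "SOA" in upper:
            return len(toks) - upper.index("SOA") - 1
    return None


if __name__ == "__main__":
    domains = parse_blocklist(SAMPLE_LIST)
    print(zone_statements(domains))
    print(blackhole_zone("ns.hhs.harrisonburg.k12.va.us",
                         "admin@harrisonburg.k12.va.us", 2009032401,
                         ns=["ns1.harrisonburg.k12.va.us",
                             "ns2.harrisonburg.k12.va.us"]))
```

Write the generated master file to blockeddomains.host and check it before reloading named, e.g. `named-checkzone 00.devoid.us blockeddomains.host`; every owner in the file is relative to `@`, so the same file loads under any of the generated zone names. The hostname check is the part that matters from a security standpoint: a feed line carrying a quote or semicolon would otherwise be written straight into named.conf as configuration syntax.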
