Re: how to filter hundreds of domains?

2012-08-31 Thread Emanuele Balla (aka Skull)
On 8/31/12 1:21 AM, Mark Andrews wrote:

 Note to self, run own recursive DNS resolver on my laptop whilst
 travelling in Italy.

 8.8.8.8 ?
 
 Which is exactly why the DNS is the wrong level to do this at if
 you have a legal obligation to block access.  The only way to do
 that is to block the packets themselves.  Given these are gambling
 sites, the chance of collateral damage is minimal if you just block
 all access to the IPs in question.   Just make sure you can get
 through to their nameservers so you can keep the list of IP addresses
 to filter current.  

Yes and no.
Yes, because we all agree that blocking at the DNS level is easy to
circumvent.
No, because blocking the packets is either too expensive (DPI) or
causes too much collateral damage (nullrouting).

Some of the blocked entities started popping up mirrors, proxies and
moved their services to google, explicitly to make nullrouting
unfeasible...

Again, it's not about how effective the block is or can be. Unless Italy
becomes like China or even worse (but the US had the chance to end up in
almost the same situation very recently, so this is NOT an
Italian-only problem), there is no way to inhibit users from reaching a
given resource on the Internet: if the user is motivated enough he/she
will circumvent whatever you do, eventually assisted by the counterpart
he/she is trying to reach...


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: how to filter hundreds of domains?

2012-08-31 Thread sthaug
 Again, it's not about how effective the block is or can be. Unless Italy
 becomes like China or even worse (but the US had the chance to end up in
 almost the same situation very recently, so this is NOT an
 Italian-only problem), there is no way to inhibit users from reaching a
 given resource on the Internet: if the user is motivated enough he/she
 will circumvent whatever you do, eventually assisted by the counterpart
 he/she is trying to reach...

We are in much the same situation in Norway. All the biggest ISPs use
a list of child porn domains to be blocked, specified by the central
police authorities. *In principle* implementing this is voluntary for
the ISPs. In practice there is significant pressure to do so.

Both the police and the ISPs are fully aware that blocking this at the
DNS level (the ISP recursive resolvers) won't prevent somebody who is
determined. But the police (and the government) still want this done.

I sometimes suspect their view is of the type "We must do something.
This is something, therefore we must do it."

Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: how to filter hundreds of domains?

2012-08-31 Thread Kevin Darcy

On 8/31/2012 2:50 AM, sth...@nethelp.no wrote:

Again, it's not about how effective the block is or can be. Unless Italy
becomes like China or even worse (but the US had the chance to end up in
almost the same situation very recently, so this is NOT an
Italian-only problem), there is no way to inhibit users from reaching a
given resource on the Internet: if the user is motivated enough he/she
will circumvent whatever you do, eventually assisted by the counterpart
he/she is trying to reach...

We are in much the same situation in Norway. All the biggest ISPs use
a list of child porn domains to be blocked, specified by the central
police authorities. *In principle* implementing this is voluntary for
the ISPs. In practice there is significant pressure to do so.

Both the police and the ISPs are fully aware that blocking this at the
DNS level (the ISP recursive resolvers) won't prevent somebody who is
determined. But the police (and the government) still want this done.

I sometimes suspect their view is of the type "We must do something.
This is something, therefore we must do it."


Nothing is better than paradise.
A ham sandwich is better than nothing.
Therefore, a ham sandwich is better than paradise.

- Kevin




Re: how to filter hundreds of domains?

2012-08-31 Thread Oscar Ricardo Silva

On 08/31/2012 08:22 AM, Kevin Darcy wrote:

On 8/31/2012 2:50 AM, sth...@nethelp.no wrote:

Again, it's not about how effective the block is or can be. Unless Italy
becomes like China or even worse (but the US had the chance to end up in
almost the same situation very recently, so this is NOT an
Italian-only problem), there is no way to inhibit users from reaching a
given resource on the Internet: if the user is motivated enough he/she
will circumvent whatever you do, eventually assisted by the counterpart
he/she is trying to reach...

We are in much the same situation in Norway. All the biggest ISPs use
a list of child porn domains to be blocked, specified by the central
police authorities. *In principle* implementing this is voluntary for
the ISPs. In practice there is significant pressure to do so.

Both the police and the ISPs are fully aware that blocking this at the
DNS level (the ISP recursive resolvers) won't prevent somebody who is
determined. But the police (and the government) still want this done.

I sometimes suspect their view is of the type "We must do something.
This is something, therefore we must do it."


Nothing is better than paradise.
A ham sandwich is better than nothing.
Therefore, a ham sandwich is better than paradise.

 - Kevin



And you won't be able to afford that ham sandwich if you've been 
terminated from your job because you didn't follow the law.  We all have 
things in our jobs that we don't want to do but we do them anyway.  All 
the ridiculous suggestions and snarky comments aren't helping the 
original poster who mentioned these sites were considered illegal and is 
looking for other ways to do this.



Oscar





Re: how to filter hundreds of domains?

2012-08-31 Thread Barry Margolin
In article mailman.153.1346395824.11945.bind-us...@lists.isc.org,
 sth...@nethelp.no wrote:

 I sometimes suspect their view is of the type "We must do something.
 This is something, therefore we must do it."

Or more like "We know we can't do it perfectly, but this is better than 
nothing."

-- 
Barry Margolin
Arlington, MA


Re: how to filter hundreds of domains?

2012-08-31 Thread Warren Kumari

On Aug 31, 2012, at 10:42 AM, Oscar Ricardo Silva wrote:

 On 08/31/2012 08:22 AM, Kevin Darcy wrote:
 On 8/31/2012 2:50 AM, sth...@nethelp.no wrote:
 Again, it's not about how effective the block is or can be. Unless Italy
 becomes like China or even worse (but the US had the chance to end up in
 almost the same situation very recently, so this is NOT an
 Italian-only problem), there is no way to inhibit users from reaching a
 given resource on the Internet: if the user is motivated enough he/she
 will circumvent whatever you do, eventually assisted by the counterpart
 he/she is trying to reach...
 We are in much the same situation in Norway. All the biggest ISPs use
 a list of child porn domains to be blocked, specified by the central
 police authorities. *In principle* implementing this is voluntary for
 the ISPs. In practice there is significant pressure to do so.
 
 Both the police and the ISPs are fully aware that blocking this at the
 DNS level (the ISP recursive resolvers) won't prevent somebody who is
 determined. But the police (and the government) still want this done.
 
 I sometimes suspect their view is of the type "We must do something.
 This is something, therefore we must do it."
 
 Nothing is better than paradise.
 A ham sandwich is better than nothing.
 Therefore, a ham sandwich is better than paradise.

This may be true, if the ham sandwich includes chutney, and (possibly) cheese.

 
 - Kevin
 
 
 And you won't be able to afford that ham sandwich if you've been terminated 
 from your job because you didn't follow the law.  We all have things in our 
 jobs that we don't want to do but we do them anyway.  All the ridiculous 
 suggestions and snarky comments aren't helping the original poster who 
 mentioned these sites were considered illegal and is looking for other ways 
 to do this.

Yup. DNS blocking can usually be circumvented, but, for many people, this is a 
feature, not a bug.

Assuming that the original poster **really really** wants to block his users 
may be a false assumption. Often what folk are looking for is something that 
provides legal protection. While it may be fun, assuming the OP is an 
anti-gambling, anti-free-speech censorship loving nazi is unfair.

W


 
 
 Oscar
 
 
 

-- 
There are only 10 types of people in this world -- those who understand binary 
arithmetic and those who don't.




Re: how to filter hundreds of domains?

2012-08-31 Thread Kevin Darcy

On 8/31/2012 10:42 AM, Oscar Ricardo Silva wrote:

On 08/31/2012 08:22 AM, Kevin Darcy wrote:

On 8/31/2012 2:50 AM, sth...@nethelp.no wrote:
Again, it's not about how effective the block is or can be. Unless Italy
becomes like China or even worse (but the US had the chance to end up in
almost the same situation very recently, so this is NOT an
Italian-only problem), there is no way to inhibit users from reaching a
given resource on the Internet: if the user is motivated enough he/she
will circumvent whatever you do, eventually assisted by the counterpart
he/she is trying to reach...

We are in much the same situation in Norway. All the biggest ISPs use
a list of child porn domains to be blocked, specified by the central
police authorities. *In principle* implementing this is voluntary for
the ISPs. In practice there is significant pressure to do so.

Both the police and the ISPs are fully aware that blocking this at the
DNS level (the ISP recursive resolvers) won't prevent somebody who is
determined. But the police (and the government) still want this done.

I sometimes suspect their view is of the type "We must do something.
This is something, therefore we must do it."


Nothing is better than paradise.
A ham sandwich is better than nothing.
Therefore, a ham sandwich is better than paradise.



And you won't be able to afford that ham sandwich if you've been 
terminated from your job because you didn't follow the law.  We all 
have things in our jobs that we don't want to do but we do them 
anyway.  All the ridiculous suggestions and snarky comments aren't 
helping the original poster who mentioned these sites were considered 
illegal and is looking for other ways to do this.

Doesn't the Eurozone have bigger problems right now than worrying about 
a few people looking at dirty pictures?


In any case, what does the OP expect us to say here? "Yeah, here's a 
nifty way to violate the spirit of the whole DNS protocol"? It's one 
thing to acknowledge casually that DNS software can be abused by 
unscrupulous administrators as a form of social control, it's quite 
another to ask technical experts to actually give details on how that 
abuse can be carried out; giving aid and comfort to the enemy, as it 
were. The OP should report to his boss that the technical community 
provides absolutely *NO*HELP* in this travesty, and therefore any 
modifications to the DNS to try and implement this blocking will be 
incredibly time-consuming and prone to breakage in unforeseen ways.


- Kevin


Re: how to filter hundreds of domains?

2012-08-31 Thread Oscar Ricardo Silva

On 08/31/2012 04:20 PM, Kevin Darcy wrote:

On 8/31/2012 10:42 AM, Oscar Ricardo Silva wrote:

On 08/31/2012 08:22 AM, Kevin Darcy wrote:

On 8/31/2012 2:50 AM, sth...@nethelp.no wrote:

Again, it's not about how effective the block is or can be. Unless Italy
becomes like China or even worse (but the US had the chance to end up in
almost the same situation very recently, so this is NOT an
Italian-only problem), there is no way to inhibit users from reaching a
given resource on the Internet: if the user is motivated enough he/she
will circumvent whatever you do, eventually assisted by the counterpart
he/she is trying to reach...

We are in much the same situation in Norway. All the biggest ISPs use
a list of child porn domains to be blocked, specified by the central
police authorities. *In principle* implementing this is voluntary for
the ISPs. In practice there is significant pressure to do so.

Both the police and the ISPs are fully aware that blocking this at the
DNS level (the ISP recursive resolvers) won't prevent somebody who is
determined. But the police (and the government) still want this done.

I sometimes suspect their view is of the type "We must do something.
This is something, therefore we must do it."


Nothing is better than paradise.
A ham sandwich is better than nothing.
Therefore, a ham sandwich is better than paradise.



And you won't be able to afford that ham sandwich if you've been
terminated from your job because you didn't follow the law.  We all
have things in our jobs that we don't want to do but we do them
anyway.  All the ridiculous suggestions and snarky comments aren't
helping the original poster who mentioned these sites were considered
illegal and is looking for other ways to do this.

Doesn't the Eurozone have bigger problems right now than worrying about
a few people looking at dirty pictures?

In any case, what does the OP expect us to say here? "Yeah, here's a
nifty way to violate the spirit of the whole DNS protocol"? It's one
thing to acknowledge casually that DNS software can be abused by
unscrupulous administrators as a form of social control, it's quite
another to ask technical experts to actually give details on how that
abuse can be carried out; giving aid and comfort to the enemy, as it
were. The OP should report to his boss that the technical community
provides absolutely *NO*HELP* in this travesty, and therefore any
modifications to the DNS to try and implement this blocking will be
incredibly time-consuming and prone to breakage in unforeseen ways.

 - Kevin



I'm not suggesting this should be implemented and actually agree with 
many of the arguments against it.  Overall it would just be a game of 
whack-a-mole.  Even so, to paraphrase your own response, the reply could 
have been:



***
the technical community provides absolutely *NO*HELP* in this situation, 
and therefore any modifications to the DNS to try and implement this 
blocking will be incredibly time-consuming and prone to breakage in 
unforeseen ways.

***

I would also have mentioned something along the lines of:  unless you 
can guarantee that your hosts will use your name servers and ONLY your 
name servers then any solution you implement will be doomed to fail.




Oscar





Re: how to filter hundreds of domains?

2012-08-30 Thread Niall O'Reilly

On 30 Aug 2012, at 13:14, fddi wrote:

 I need to implement a BIND filter for many hundreds of domains which are 
 considered outlaw and illegal by the Italian government for offering 
 gambling games.
 
 If I create a named zone for each illegal domain and configure my nameserver 
 as authoritative for those zones, I can catch the DNS resolutions and 
 resolve them to a local LAN IP with a message for users.
 But it is really complicated to manage such a high number of domains.
 
 Is there another way I could achieve this ?

Don't waste your time.

This approach is superficial.  It doesn't actually prevent access to the
target sites, and is likely to be a nuisance for intending users of 
legitimate services (web sites or others) which fall in the shadow of
the intervention you suggest.

Besides, if you take this approach, you will have to commit resources to
chasing a moving target.

Best regards,

Niall O'Reilly



Re: how to filter hundreds of domains?

2012-08-30 Thread Stephane Bortzmeyer
On Thu, Aug 30, 2012 at 01:34:07PM +0100,
 Niall O'Reilly niall.orei...@ucd.ie wrote 
 a message of 32 lines which said:

   Don't waste your time.
 
   This approach is superficial.  

http://www.bortzmeyer.org/images/please-close-gate.jpg :-)


Re: how to filter hundreds of domains?

2012-08-30 Thread fddi

On 8/30/12 2:32 PM, Stephane Bortzmeyer wrote:

On Thu, Aug 30, 2012 at 02:14:38PM +0200,
  fddi f...@gmx.it wrote
  a message of 23 lines which said:


I need to implement a bind filter for many hundreds of domains which
are considered outlaw and illegal

See http://pwd.io/guide/. Very good ebook.

thank you for your hint.

Actually many telephone companies in the world are doing this; I was 
just asking a question, expecting a technical point of view related to 
BIND in the answer.

Rick



Re: how to filter hundreds of domains?

2012-08-30 Thread fddi

On 8/30/12 3:14 PM, Stephane Bortzmeyer wrote:

On Thu, Aug 30, 2012 at 01:34:07PM +0100,
  Niall O'Reilly niall.orei...@ucd.ie wrote
  a message of 32 lines which said:


Don't waste your time.

This approach is superficial.

http://www.bortzmeyer.org/images/please-close-gate.jpg :-)

Often it is not you who has to decide what to do; you receive orders.
It is never a good thing to mock people.
Thank you again for your hints


Rick



Re: how to filter hundreds of domains?

2012-08-30 Thread Stephane Bortzmeyer
On Thu, Aug 30, 2012 at 03:16:32PM +0200,
 fddi f...@gmx.it wrote 
 a message of 15 lines which said:

 Actually many telephone companies in the world are doing this, 

They're wrong politically (censorship) and they're wrong technically
(see O'Reilly's answer).

Copying telephone companies is not a good idea for the Internet :-)


Re: how to filter hundreds of domains?

2012-08-30 Thread fddi

On 8/30/12 3:19 PM, Stephane Bortzmeyer wrote:

On Thu, Aug 30, 2012 at 03:16:32PM +0200,
  fddi f...@gmx.it wrote
  a message of 15 lines which said:


Actually many telephone companies in the world are doing this,

They're wrong politically (censorship) and they're wrong technically
(see O'Reilly's answer).

Copying telephone companies is not a good idea for the Internet :-)
I know, but usually people do not work for the Internet; they work for a 
company and have to do what the company asks if they care to have a job...

no problems anyway, I agree with your view.

Rick



Re: how to filter hundreds of domains?

2012-08-30 Thread Russell Jones
Normal web filtering software that auto-updates is a better approach. Using 
BIND with a manual list of domains to try to achieve this is like trying to 
kill an ant hill one ant at a time.


-- 
Sent from my Android phone with K-9 Mail.

fddi f...@gmx.it wrote:

On 8/30/12 3:19 PM, Stephane Bortzmeyer wrote:
 On Thu, Aug 30, 2012 at 03:16:32PM +0200,
 fddi f...@gmx.it wrote
 a message of 15 lines which said:

 Actually many telephone companies in the world are doing this,
 They're wrong politically (censorship) and they're wrong technically
 (see O'Reilly's answer).

 Copying telephone companies is not a good idea for the Internet :-)
I know, but usually people do not work for the Internet; they work for a 
company and have to do what the company asks if they care to have a job...

no problems anyway, I agree with your view.

Rick



Re: how to filter hundreds of domains?

2012-08-30 Thread WBrown
Russell Jones wrote on 08/30/2012 09:39:17 AM:

 Normal web filtering software that auto updates is a better 
 approach. Using Bind with a manual list of domains to try to achieve
 this is like trying to kill an ant hill 1 ant at a time 

There are several sources of RPZ data such as Spamhaus and SURBL.  Both 
are respected sources of spam filtering data.

(Disclosure: My employer subscribes to both for spam filtering, I have no 
financial stake)





Re: how to filter hundreds of domains?

2012-08-30 Thread Russell Jones


On 8/30/2012 8:46 AM, wbr...@e1b.org wrote:

Russell Jones wrote on 08/30/2012 09:39:17 AM:


Normal web filtering software that auto updates is a better
approach. Using Bind with a manual list of domains to try to achieve
this is like trying to kill an ant hill 1 ant at a time

There are several sources of RPZ data such as Spamhaus and SURBL.  Both
are respected sources of spam filtering data.

(Disclosure: My employer subscribes to both for spam filtering, I have no
financial stake)



Oh I know, I use spamhaus myself for spam filtering - catches a 
ridiculous amount of spam. It is my understanding though the OP wants to 
filter domains for NSFW web browsing, not spam - specifically gambling 
sites.





Re: how to filter hundreds of domains?

2012-08-30 Thread Rick Coloccia

add this line to /etc/named.conf:

include "locallyblockeddomains.zones";


contents of locallyblockeddomains.zones:

// This BIND zone list is intended to be included in a running DNS server
// for a local net.
//
// It will return 127.0.0.1 for the domains listed as malware.
//
// This is for locally determined domains we want blocked.
//
zone "r.im" { type master; file "/etc/namedb/blockeddomain.hosts"; };
[snipped many more]
zone "emailupgrader.clan.su" { type master; file "/etc/namedb/blockeddomain.hosts"; };


this is the /etc/namedb/blockeddomain.hosts file (the same sinkhole file is
shared by every blocked zone):

$TTL 86400      ; one day

@       IN  SOA ns1.geneseo.edu. coloccia.geneseo.edu. (
                2007112601  ; serial
                28800       ; refresh  8 hours
                7200        ; retry    2 hours
                864000      ; expire  10 days
                86400 )     ; min ttl  1 day

@       IN  NS    ns1.geneseo.edu.
@       IN  A     127.0.0.1
*       IN  A     127.0.0.1
*       IN  AAAA  ::1
; This zone will kill all traffic to a listed domain




Done.

Add domains you want blocked to the locallyblockeddomains.zones file.


-Rick





On 8/30/2012 10:28 AM, Russell Jones wrote:


On 8/30/2012 8:46 AM, wbr...@e1b.org wrote:

Russell Jones wrote on 08/30/2012 09:39:17 AM:


Normal web filtering software that auto updates is a better
approach. Using Bind with a manual list of domains to try to achieve
this is like trying to kill an ant hill 1 ant at a time

There are several sources of RPZ data such as Spamhaus and SURBL.  Both
are respected sources of spam filtering data.

(Disclosure: My employer subscribes to both for spam filtering, I 
have no

financial stake)



Oh I know, I use spamhaus myself for spam filtering - catches a 
ridiculous amount of spam. It is my understanding though the OP wants 
to filter domains for NSFW web browsing, not spam - specifically 
gambling sites.





--
Rick Coloccia, Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579



Re: how to filter hundreds of domains?

2012-08-30 Thread WBrown
Russell Jones russ...@jonesmail.me wrote on 08/30/2012 10:28:07 AM:

 Oh I know, I use spamhaus myself for spam filtering - catches a 
 ridiculous amount of spam. It is my understanding though the OP wants to 

 filter domains for NSFW web browsing, not spam - specifically gambling 
 sites.

Spamhaus describes it this way:

The DBL is managed as a zero false-positive list, safe to use by 
production mail systems to reject emails that are flagged by it. The DBL 
includes URIs (domains/hostnames) which are used in spam including 
phishing, fraud/'419' or domains sending or hosting malware/viruses. 

Sounds like what I would want in an RPZ, but may not include the gambling 
sites the OP was looking to block.





Re: how to filter hundreds of domains?

2012-08-30 Thread Emanuele Balla (aka Skull)
On 8/30/12 3:19 PM, Stephane Bortzmeyer wrote:
 On Thu, Aug 30, 2012 at 03:16:32PM +0200,
  fddi f...@gmx.it wrote 
  a message of 15 lines which said:
 
 Actually many telephone companies in the world are doing this, 
 
 They're wrong politically (censorship) and they're wrong technically
 (see O'Reilly's answer).
 
 Copying telephone companies is not a good idea for the Internet :-)

Still, that kind of setup is *mandatory* for ISPs in Italy :-\


-- 
Paranoia is a disease unto itself. And may I add: the person standing
next to you may not be who they appear to be, so take precaution.
-
http://bofhskull.wordpress.com/


Re: how to filter hundreds of domains?

2012-08-30 Thread Mark Elkins
On Thu, 2012-08-30 at 17:25 +0200, Emanuele Balla (aka Skull) wrote:
 On 8/30/12 3:19 PM, Stephane Bortzmeyer wrote:
  On Thu, Aug 30, 2012 at 03:16:32PM +0200,
   fddi f...@gmx.it wrote 
   a message of 15 lines which said:
  
  Actually many telephone companies in the world are doing this, 
  
  They're wrong politically (censorship) and they're wrong technically
  (see O'Reilly's answer).
  
  Copying telephone companies is not a good idea for the Internet :-)
 
 Still, that kind of setup is *mandatory* for ISPs in Italy :-\

Is the mandatory setup to actually use DNS to block access to gambling
sites? It's easy enough to script an automatic update if someone central
and with the necessary authority decides what is not allowed (e.g. a
government man). You could even stick the 'bad' names in DNS to do the
distribution.

Suggestion: Don't listen to Niall O'Reilly - although he may be right.
(tongue firmly stuck in cheek)

Note to self, run own recursive DNS resolver on my laptop whilst
travelling in Italy.

8.8.8.8 ?

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496




Re: how to filter hundreds of domains?

2012-08-30 Thread Barry S. Finkel

Rick Coloccia coloc...@geneseo.edu wrote:


add this line to /etc/named.conf:

include "locallyblockeddomains.zones";


contents of locallyblockeddomains.zones:

// This BIND zone list is intended to be included in a running DNS server
// for a local net.
//
// It will return 127.0.0.1 for the domains listed as malware.
//
// This is for locally determined domains we want blocked.
//
zone "r.im" { type master; file "/etc/namedb/blockeddomain.hosts"; };
[snipped many more]
zone "emailupgrader.clan.su" { type master; file "/etc/namedb/blockeddomain.hosts"; };




this is the /etc/namedb/blockeddomain.hosts file:

$TTL 86400      ; one day

@       IN  SOA ns1.geneseo.edu. coloccia.geneseo.edu. (
                2007112601  ; serial
                28800       ; refresh  8 hours
                7200        ; retry    2 hours
                864000      ; expire  10 days
                86400 )     ; min ttl  1 day

@       IN  NS    ns1.geneseo.edu.
@       IN  A     127.0.0.1
*       IN  A     127.0.0.1
*       IN  AAAA  ::1
; This zone will kill all traffic to a listed domain




Done.

Add domains you want blocked to the locallyblockeddomains.zones file.


In my previous job, the cyber-security created a list of domains
from various sources.  They tested the file on a test BIND server
before loading the file into the AFS shared file system.  I had a cron
on my DNS servers that ran every 10 minutes that checked for a new file,
and if it saw one, it copied the file to the local disk and ran rndc
to reload the new config file.
--Barry Finkel
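The kind of update job Barry describes, as an added example that is not code from the thread: it builds the locallyblockeddomains.zones include from a plain list of domains, validates the complete configuration with named-checkconf -z before calling rndc reload, and rolls the include back if the check fails. The file paths and the list format are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: regenerate the blocked-domain
# include from a plain list, check it, then reload named. Paths are assumed.
set -eu

ZONEFILE=/etc/namedb/blockeddomain.hosts        # the sinkhole zone file
INCLUDE=/etc/named/locallyblockeddomains.zones   # what named.conf includes
NAMEDCONF=/etc/named.conf

# gen_zones LIST: print one zone stanza per distinct, plausible domain name.
# Comments and blank lines are ignored; malformed entries are reported on
# stderr and skipped so one bad line cannot take the whole server down.
gen_zones() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | tr 'A-Z' 'a-z' | sort -u |
    while IFS= read -r d; do
        case "$d" in
            *[!a-z0-9.-]*|.*|*.|*..*|-*|*.-*|*-.*)
                printf 'skipped malformed entry: %s\n' "$d" >&2; continue ;;
        esac
        printf 'zone "%s" { type master; file "%s"; };\n' "$d" "$ZONEFILE"
    done
}

# install_zones LIST: swap in the new include, verify the complete config
# (-z also loads every zone), and only then reload; roll back on failure.
install_zones() {
    gen_zones "$1" > "$INCLUDE.new"
    if [ -f "$INCLUDE" ]; then cp -p "$INCLUDE" "$INCLUDE.bak"; fi
    mv "$INCLUDE.new" "$INCLUDE"
    if named-checkconf -z "$NAMEDCONF" >/dev/null; then
        rndc reload
    else
        echo "named-checkconf rejected the new include; restoring old one" >&2
        if [ -f "$INCLUDE.bak" ]; then mv "$INCLUDE.bak" "$INCLUDE"; fi
        return 1
    fi
}

# Run from cron with the domain list as the only argument, e.g.:
#   */10 * * * * /usr/local/sbin/update-blocklist.sh /srv/shared/blocked.txt
if [ $# -gt 0 ]; then
    install_zones "$1"
fi
```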



Re: ho to filter hundeds of domains ?

2012-08-30 Thread /dev/rob0
On Thu, Aug 30, 2012 at 03:18:25PM +0200, fddi wrote:
 On 8/30/12 3:14 PM, Stephane Bortzmeyer wrote:
 On Thu, Aug 30, 2012 at 01:34:07PM +0100,
   Niall O'Reilly niall.orei...@ucd.ie wrote
   a message of 32 lines which said:
 
 Don't waste your time.
 
 This approach is superficial.
 
 http://www.bortzmeyer.org/images/please-close-gate.jpg :-)

 Often it is not you who have to decide what to do, but you
 receive orders.

People who don't fully understand an issue really do not have any 
business managing it. This is a basic law of nature.

 It is never a good thing to mock people.

People who have made bad decisions based on ignorance of the subject 
matter certainly do deserve criticism for what they have done, no? I 
think they do. The emperor is wearing no clothes!

Sometimes, humor is a good way to get the point across.

The proper thing to do, if in a position of authority, is to educate 
oneself on the matter at hand, and if unable for some reason, to pass 
authority to someone who DOES understand it.

DNS is not simple, but I bet I could spend a day or so with some
non-technical person of reasonable intelligence and get him/her up to
speed as to why ideas like this are bad.

No, it's not practical for every ignorant politician to hire a
DNS-capable geek to help learn the basics, but lack of practicality does
not make wrong any less wrong.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:


Re: ho to filter hundeds of domains ?

2012-08-30 Thread Kevin Darcy

On 8/30/2012 10:33 AM, Rick Coloccia wrote:

add this line to /etc/named.conf

include "locallyblockeddomains.zones";


contents of locallyblockeddomains.zones:

// This bind zone is intended to be included in a running dns server
// for a local net

//
// It will return a 127.0.0.1 for the domains listed as malware
//
//  This is for locally determined domains we want blocked
//
// Every blocked name is a separate master zone backed by the same
// sinkhole zone file (the path is relative to named's "directory" option
// unless given absolutely, as here).
//
zone "r.im" { type master; file "/etc/namedb/blockeddomain.hosts"; };
// snipped many more out
zone "emailupgrader.clan.su" { type master; file "/etc/namedb/blockeddomain.hosts"; };





this is the /etc/namedb/blockeddomain.hosts file:

$TTL 86400  ; one day

; Same file is shared by every blocked zone, so all names are relative
; to whichever origin named.conf loaded it for.
@       IN  SOA ns1.geneseo.edu. coloccia.geneseo.edu. (
            2007112601  ; serial
            28800       ; refresh  8 hours
            7200        ; retry    2 hours
            864000      ; expire  10 days
            86400 )     ; min ttl  1 day

        IN  NS    ns1.geneseo.edu.
        IN  A     127.0.0.1
*       IN  A     127.0.0.1
*       IN  AAAA  ::1
; This zone will kill all traffic to a listed domain




Done.

Add domains you want blocked to the locallyblockeddomains.zones file.
The null or unspecified address -- 0.0.0.0 in IPv4, :: in IPv6 -- 
is generally considered the more polite and proper way to express 
"don't ever try to connect to this".


If you put a loopback address in there, a poorly-coded app might end up 
spinning, connecting to itself. But the unspecified address gets stopped 
cold at the OS level so it's the preferred choice.


- Kevin


Re: ho to filter hundeds of domains ?

2012-08-30 Thread Mark Andrews

In message 1346342946.14282.32.ca...@mjelap.posix.co.za, Mark Elkins writes:
 On Thu, 2012-08-30 at 17:25 +0200, Emanuele Balla (aka Skull) wrote:
  On 8/30/12 3:19 PM, Stephane Bortzmeyer wrote:
   On Thu, Aug 30, 2012 at 03:16:32PM +0200,
    fddi f...@gmx.it wrote
    a message of 15 lines which said:
  
    Actually many telephone companies in the world are doing this,
  
    They're wrong politically (censorship) and they're wrong technically
    (see O'Reilly's answer).
  
    Copying telephone companies is not a good idea for the Internet :-)
 
  Still, that kind of setup is *mandatory* for ISPs in Italy :-\
 
 Is the mandatory setup to actually use 'DNS' to block access to gambling
 sites? It's easy enough to script an automatic update if someone central
 and with the necessary authority decides what is not allowed (eg a
 governmental man). Could even stick the 'bad' names in DNS to do the
 distribution.
 
 Suggestion: Don't listen to Niall O'Reilly - although he may be right.
 (tongue firmly stuck in cheek)
 
 Note to self, run own recursive DNS resolver on my laptop whilst
 travelling in Italy.
 
 8.8.8.8 ?

Which is exactly why the DNS is the wrong level to do this at if
you have a legal obligation to block access.  The only way to do
that is to block the packets themselves.  Given these are gambling
sites the chance of collateral damage is minimal if you just block
all access to the ips in question.   Just make sure you can get
through to their nameservers so you can keep the list of IP addresses
to filter current.  

Mark

 -- 
   .  . ___. .__  Posix Systems - (South) Africa
  /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
 / |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org