Re: how to filter hundreds of domains?

On 8/31/12 1:21 AM, Mark Andrews wrote:
> > Note to self, run own recursive DNS resolver on my laptop whilst travelling in Italy. 8.8.8.8 ?
>
> Which is exactly why the DNS is the wrong level to do this at if you have a legal obligation to block access. The only way to do that is to block the packets themselves. Given these are gambling sites the chance of collateral damage is minimal if you just block all access to the IPs in question. Just make sure you can get through to their nameservers so you can keep the list of IP addresses to filter current.

Yes and no.

Yes, because we all agree that blocking at the DNS level is easy to circumvent.

No, because blocking the packet is either too expensive (DPI) or causes too much collateral damage (nullrouting). Some of the blocked entities started popping up mirrors and proxies and moved their services to Google, explicitly to make nullrouting unfeasible...

Again, it's not about how effective the block is or can be. Unless Italy becomes like China or even worse (but the US had the chance to end up in almost the same situation very recently, so this is NOT an Italian-only problem), there is no way to inhibit users from reaching a given resource on the Internet: if the user is motivated enough he/she will circumvent whatever you do, eventually assisted by the counterpart he/she is trying to reach...

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: how to filter hundreds of domains?

> Again, it's not about how effective the block is or can be. Unless Italy becomes like China or even worse (but the US had the chance to end up in almost the same situation very recently, so this is NOT an Italian-only problem), there is no way to inhibit users from reaching a given resource on the Internet: if the user is motivated enough he/she will circumvent whatever you do, eventually assisted by the counterpart he/she is trying to reach...

We are in much the same situation in Norway. All the biggest ISPs use a list of child porn domains to be blocked, specified by the central police authorities. *In principle* implementing this is voluntary for the ISPs. In practice there is significant pressure to do so.

Both the police and the ISPs are fully aware that blocking this at the DNS level (the ISP recursive resolvers) won't prevent somebody who is determined. But the police (and the government) still want this done. I sometimes suspect their view is of the type "We must do something. This is something, therefore we must do it."

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: how to filter hundreds of domains?

On 8/31/2012 2:50 AM, sth...@nethelp.no wrote:
> > Again, it's not about how effective the block is or can be. Unless Italy becomes like China or even worse (but the US had the chance to end up in almost the same situation very recently, so this is NOT an Italian-only problem), there is no way to inhibit users from reaching a given resource on the Internet: if the user is motivated enough he/she will circumvent whatever you do, eventually assisted by the counterpart he/she is trying to reach...
>
> We are in much the same situation in Norway. All the biggest ISPs use a list of child porn domains to be blocked, specified by the central police authorities. *In principle* implementing this is voluntary for the ISPs. In practice there is significant pressure to do so.
>
> Both the police and the ISPs are fully aware that blocking this at the DNS level (the ISP recursive resolvers) won't prevent somebody who is determined. But the police (and the government) still want this done. I sometimes suspect their view is of the type "We must do something. This is something, therefore we must do it."

Nothing is better than paradise.
A ham sandwich is better than nothing.
Therefore, a ham sandwich is better than paradise.

- Kevin
Re: how to filter hundreds of domains?

On 08/31/2012 08:22 AM, Kevin Darcy wrote:
> On 8/31/2012 2:50 AM, sth...@nethelp.no wrote:
> > > Again, it's not about how effective the block is or can be. Unless Italy becomes like China or even worse (but the US had the chance to end up in almost the same situation very recently, so this is NOT an Italian-only problem), there is no way to inhibit users from reaching a given resource on the Internet: if the user is motivated enough he/she will circumvent whatever you do, eventually assisted by the counterpart he/she is trying to reach...
> >
> > We are in much the same situation in Norway. All the biggest ISPs use a list of child porn domains to be blocked, specified by the central police authorities. *In principle* implementing this is voluntary for the ISPs. In practice there is significant pressure to do so.
> >
> > Both the police and the ISPs are fully aware that blocking this at the DNS level (the ISP recursive resolvers) won't prevent somebody who is determined. But the police (and the government) still want this done. I sometimes suspect their view is of the type "We must do something. This is something, therefore we must do it."
>
> Nothing is better than paradise.
> A ham sandwich is better than nothing.
> Therefore, a ham sandwich is better than paradise.
>
> - Kevin

And you won't be able to afford that ham sandwich if you've been terminated from your job because you didn't follow the law. We all have things in our jobs that we don't want to do, but we do them anyway. All the ridiculous suggestions and snarky comments aren't helping the original poster, who mentioned these sites were considered illegal and is looking for other ways to do this.

Oscar
Re: how to filter hundreds of domains?

In article mailman.153.1346395824.11945.bind-us...@lists.isc.org, sth...@nethelp.no wrote:
> I sometimes suspect their view is of the type "We must do something. This is something, therefore we must do it."

Or more like "We know we can't do it perfectly, but this is better than nothing."

--
Barry Margolin
Arlington, MA
Re: how to filter hundreds of domains?

On Aug 31, 2012, at 10:42 AM, Oscar Ricardo Silva wrote:
> On 08/31/2012 08:22 AM, Kevin Darcy wrote:
> > On 8/31/2012 2:50 AM, sth...@nethelp.no wrote:
> > > > Again, it's not about how effective the block is or can be. Unless Italy becomes like China or even worse (but the US had the chance to end up in almost the same situation very recently, so this is NOT an Italian-only problem), there is no way to inhibit users from reaching a given resource on the Internet: if the user is motivated enough he/she will circumvent whatever you do, eventually assisted by the counterpart he/she is trying to reach...
> > >
> > > We are in much the same situation in Norway. All the biggest ISPs use a list of child porn domains to be blocked, specified by the central police authorities. *In principle* implementing this is voluntary for the ISPs. In practice there is significant pressure to do so.
> > >
> > > Both the police and the ISPs are fully aware that blocking this at the DNS level (the ISP recursive resolvers) won't prevent somebody who is determined. But the police (and the government) still want this done. I sometimes suspect their view is of the type "We must do something. This is something, therefore we must do it."
> >
> > Nothing is better than paradise.
> > A ham sandwich is better than nothing.
> > Therefore, a ham sandwich is better than paradise.

This may be true, if the ham sandwich includes chutney, and (possibly) cheese.

> > - Kevin
>
> And you won't be able to afford that ham sandwich if you've been terminated from your job because you didn't follow the law. We all have things in our jobs that we don't want to do, but we do them anyway. All the ridiculous suggestions and snarky comments aren't helping the original poster, who mentioned these sites were considered illegal and is looking for other ways to do this.

Yup. DNS blocking can usually be circumvented, but, for many people, this is a feature, not a bug. Assuming that the original poster **really really** wants to block his users may be a false assumption. Often what folk are looking for is something that provides legal protection. While it may be fun, assuming the OP is an anti-gambling, anti-free-speech, censorship-loving nazi is unfair.

W

> Oscar

--
There are only 10 types of people in this world -- those who understand binary arithmetic and those who don't.
Re: how to filter hundreds of domains?

On 8/31/2012 10:42 AM, Oscar Ricardo Silva wrote:
> On 08/31/2012 08:22 AM, Kevin Darcy wrote:
> > On 8/31/2012 2:50 AM, sth...@nethelp.no wrote:
> > > > Again, it's not about how effective the block is or can be. Unless Italy becomes like China or even worse (but the US had the chance to end up in almost the same situation very recently, so this is NOT an Italian-only problem), there is no way to inhibit users from reaching a given resource on the Internet: if the user is motivated enough he/she will circumvent whatever you do, eventually assisted by the counterpart he/she is trying to reach...
> > >
> > > We are in much the same situation in Norway. All the biggest ISPs use a list of child porn domains to be blocked, specified by the central police authorities. *In principle* implementing this is voluntary for the ISPs. In practice there is significant pressure to do so.
> > >
> > > Both the police and the ISPs are fully aware that blocking this at the DNS level (the ISP recursive resolvers) won't prevent somebody who is determined. But the police (and the government) still want this done. I sometimes suspect their view is of the type "We must do something. This is something, therefore we must do it."
> >
> > Nothing is better than paradise.
> > A ham sandwich is better than nothing.
> > Therefore, a ham sandwich is better than paradise.
>
> And you won't be able to afford that ham sandwich if you've been terminated from your job because you didn't follow the law. We all have things in our jobs that we don't want to do, but we do them anyway. All the ridiculous suggestions and snarky comments aren't helping the original poster, who mentioned these sites were considered illegal and is looking for other ways to do this.

Doesn't the Eurozone have bigger problems right now than worrying about a few people looking at dirty pictures?

In any case, what does the OP expect us to say here? "Yeah, here's a nifty way to violate the spirit of the whole DNS protocol"?

It's one thing to acknowledge casually that DNS software can be abused by unscrupulous administrators as a form of social control; it's quite another to ask technical experts to actually give details on how that abuse can be carried out; giving aid and comfort to the enemy, as it were. The OP should report to his boss that the technical community provides absolutely *NO*HELP* in this travesty, and therefore any modifications to the DNS to try and implement this blocking will be incredibly time-consuming and prone to breakage in unforeseen ways.

- Kevin
Re: how to filter hundreds of domains?

On 08/31/2012 04:20 PM, Kevin Darcy wrote:
> On 8/31/2012 10:42 AM, Oscar Ricardo Silva wrote:
> > On 08/31/2012 08:22 AM, Kevin Darcy wrote:
> > > On 8/31/2012 2:50 AM, sth...@nethelp.no wrote:
> > > > > Again, it's not about how effective the block is or can be. Unless Italy becomes like China or even worse (but the US had the chance to end up in almost the same situation very recently, so this is NOT an Italian-only problem), there is no way to inhibit users from reaching a given resource on the Internet: if the user is motivated enough he/she will circumvent whatever you do, eventually assisted by the counterpart he/she is trying to reach...
> > > >
> > > > We are in much the same situation in Norway. All the biggest ISPs use a list of child porn domains to be blocked, specified by the central police authorities. *In principle* implementing this is voluntary for the ISPs. In practice there is significant pressure to do so.
> > > >
> > > > Both the police and the ISPs are fully aware that blocking this at the DNS level (the ISP recursive resolvers) won't prevent somebody who is determined. But the police (and the government) still want this done. I sometimes suspect their view is of the type "We must do something. This is something, therefore we must do it."
> > >
> > > Nothing is better than paradise.
> > > A ham sandwich is better than nothing.
> > > Therefore, a ham sandwich is better than paradise.
> >
> > And you won't be able to afford that ham sandwich if you've been terminated from your job because you didn't follow the law. We all have things in our jobs that we don't want to do, but we do them anyway. All the ridiculous suggestions and snarky comments aren't helping the original poster, who mentioned these sites were considered illegal and is looking for other ways to do this.
>
> Doesn't the Eurozone have bigger problems right now than worrying about a few people looking at dirty pictures?
>
> In any case, what does the OP expect us to say here? "Yeah, here's a nifty way to violate the spirit of the whole DNS protocol"?
>
> It's one thing to acknowledge casually that DNS software can be abused by unscrupulous administrators as a form of social control; it's quite another to ask technical experts to actually give details on how that abuse can be carried out; giving aid and comfort to the enemy, as it were. The OP should report to his boss that the technical community provides absolutely *NO*HELP* in this travesty, and therefore any modifications to the DNS to try and implement this blocking will be incredibly time-consuming and prone to breakage in unforeseen ways.
>
> - Kevin

I'm not suggesting this should be implemented, and I actually agree with many of the arguments against it. Overall it would just be a game of whack-a-mole. Even so, to paraphrase your own response, the reply could have been:

*** the technical community provides absolutely *NO*HELP* in this situation, and therefore any modifications to the DNS to try and implement this blocking will be incredibly time-consuming and prone to breakage in unforeseen ways. ***

I would also have mentioned something along the lines of: unless you can guarantee that your hosts will use your name servers and ONLY your name servers, then any solution you implement will be doomed to fail.

Oscar
Re: how to filter hundreds of domains?

On 30 Aug 2012, at 13:14, fddi wrote:
> I need to implement a bind filter for many hundreds of domains which are considered outlaw and illegal by the Italian government regarding gambling games. If I create a named zone for each illegal domain and configure my nameserver as authoritative for those zones, I can catch the DNS resolutions and I can resolve with a local LAN IP with a message for users. But it is really complicated to manage such a high number of domains. Is there another way I could achieve this?

Don't waste your time. This approach is superficial. It doesn't actually prevent access to the target sites, and is likely to be a nuisance for intending users of legitimate services (web sites or others) which fall in the shadow of the intervention you suggest. Besides, if you take this approach, you will have to commit resources to chasing a moving target.

Best regards,
Niall O'Reilly
Re: how to filter hundreds of domains?

On Thu, Aug 30, 2012 at 01:34:07PM +0100, Niall O'Reilly niall.orei...@ucd.ie wrote a message of 32 lines which said:
> Don't waste your time. This approach is superficial.

http://www.bortzmeyer.org/images/please-close-gate.jpg :-)
Re: how to filter hundreds of domains?

On 8/30/12 2:32 PM, Stephane Bortzmeyer wrote:
> On Thu, Aug 30, 2012 at 02:14:38PM +0200, fddi f...@gmx.it wrote a message of 23 lines which said:
> > I need to implement a bind filter for many hundreds of domains which are considered outlaw and illegal
>
> See http://pwd.io/guide/. Very good ebook.

Thank you for your hint. Actually many telephone companies in the world are doing this; I was just asking a question, expecting a technical point of view related to bind in the answer.

Rick
Re: how to filter hundreds of domains?

On 8/30/12 3:14 PM, Stephane Bortzmeyer wrote:
> On Thu, Aug 30, 2012 at 01:34:07PM +0100, Niall O'Reilly niall.orei...@ucd.ie wrote a message of 32 lines which said:
> > Don't waste your time. This approach is superficial.
>
> http://www.bortzmeyer.org/images/please-close-gate.jpg :-)

Often it is not you who has to decide what to do; you receive orders. It is never a good thing to mock people.

Thank you again for your hints.

Rick
Re: how to filter hundreds of domains?

On Thu, Aug 30, 2012 at 03:16:32PM +0200, fddi f...@gmx.it wrote a message of 15 lines which said:
> Actually many telephone companies in the world are doing this,

They're wrong politically (censorship) and they're wrong technically (see O'Reilly's answer).

Copying telephone companies is not a good idea for the Internet :-)
Re: how to filter hundreds of domains?

On 8/30/12 3:19 PM, Stephane Bortzmeyer wrote:
> On Thu, Aug 30, 2012 at 03:16:32PM +0200, fddi f...@gmx.it wrote a message of 15 lines which said:
> > Actually many telephone companies in the world are doing this,
>
> They're wrong politically (censorship) and they're wrong technically (see O'Reilly's answer).
>
> Copying telephone companies is not a good idea for the Internet :-)

I know, but usually people do not work for the Internet; they work for a company and have to do what the company asks if you care to have a job... No problem anyway, I agree with your view.

Rick
Re: how to filter hundreds of domains?

Normal web filtering software that auto-updates is a better approach. Using Bind with a manual list of domains to try to achieve this is like trying to kill an ant hill one ant at a time.

--
Sent from my Android phone with K-9 Mail.

fddi f...@gmx.it wrote:
> On 8/30/12 3:19 PM, Stephane Bortzmeyer wrote:
> > On Thu, Aug 30, 2012 at 03:16:32PM +0200, fddi f...@gmx.it wrote a message of 15 lines which said:
> > > Actually many telephone companies in the world are doing this,
> >
> > They're wrong politically (censorship) and they're wrong technically (see O'Reilly's answer).
> >
> > Copying telephone companies is not a good idea for the Internet :-)
>
> I know, but usually people do not work for the Internet; they work for a company and have to do what the company asks if you care to have a job... No problem anyway, I agree with your view.
>
> Rick
Re: how to filter hundreds of domains?

Russell Jones wrote on 08/30/2012 09:39:17 AM:
> Normal web filtering software that auto-updates is a better approach. Using Bind with a manual list of domains to try to achieve this is like trying to kill an ant hill one ant at a time.

There are several sources of RPZ data such as Spamhaus and SURBL. Both are respected sources of spam filtering data. (Disclosure: My employer subscribes to both for spam filtering; I have no financial stake.)
Re: how to filter hundreds of domains?

On 8/30/2012 8:46 AM, wbr...@e1b.org wrote:
> Russell Jones wrote on 08/30/2012 09:39:17 AM:
> > Normal web filtering software that auto-updates is a better approach. Using Bind with a manual list of domains to try to achieve this is like trying to kill an ant hill one ant at a time.
>
> There are several sources of RPZ data such as Spamhaus and SURBL. Both are respected sources of spam filtering data. (Disclosure: My employer subscribes to both for spam filtering; I have no financial stake.)

Oh I know, I use Spamhaus myself for spam filtering - it catches a ridiculous amount of spam. It is my understanding though that the OP wants to filter domains for NSFW web browsing, not spam - specifically gambling sites.
Re: how to filter hundreds of domains?

Add this line to /etc/named.conf:

include "locallyblockeddomains.zones";

Contents of locallyblockeddomains.zones:

// This bind zone is intended to be included in a running dns server for a local net
//
// It will return a 127.0.0.1 for the domains listed as malware
//
// This is for locally determined domains we want blocked
//
zone "r.im" { type master; file "/etc/namedb/blockeddomain.hosts"; };
(snipped many more out)
zone "emailupgrader.clan.su" { type master; file "/etc/namedb/blockeddomain.hosts"; };

This is the /etc/namedb/blockeddomain.hosts file (every blocked zone statement points at this one file, so a single copy serves all of them):

$TTL 86400          ; one day
@    IN SOA ns1.geneseo.edu. coloccia.geneseo.edu. (
                2007112601 ; serial
                28800      ; refresh 8 hours
                7200       ; retry 2 hours
                864000     ; expire 10 days
                86400 )    ; min ttl 1 day
     IN NS   ns1.geneseo.edu.
     IN A    127.0.0.1
*    IN A    127.0.0.1
*    IN AAAA ::1
; This zone will kill all traffic to a listed domain

Done. Add domains you want blocked to the locallyblockeddomains.zones file.

-Rick

On 8/30/2012 10:28 AM, Russell Jones wrote:
> On 8/30/2012 8:46 AM, wbr...@e1b.org wrote:
> > Russell Jones wrote on 08/30/2012 09:39:17 AM:
> > > Normal web filtering software that auto-updates is a better approach. Using Bind with a manual list of domains to try to achieve this is like trying to kill an ant hill one ant at a time.
> >
> > There are several sources of RPZ data such as Spamhaus and SURBL. Both are respected sources of spam filtering data. (Disclosure: My employer subscribes to both for spam filtering; I have no financial stake.)
>
> Oh I know, I use Spamhaus myself for spam filtering - it catches a ridiculous amount of spam. It is my understanding though that the OP wants to filter domains for NSFW web browsing, not spam - specifically gambling sites.

--
Rick Coloccia, Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579
Re: how to filter hundreds of domains?

Russell Jones russ...@jonesmail.me wrote on 08/30/2012 10:28:07 AM:
> Oh I know, I use Spamhaus myself for spam filtering - it catches a ridiculous amount of spam. It is my understanding though that the OP wants to filter domains for NSFW web browsing, not spam - specifically gambling sites.

Spamhaus describes it this way: "The DBL is managed as a zero false-positive list, safe to use by production mail systems to reject emails that are flagged by it. The DBL includes URIs (domains/hostnames) which are used in spam including phishing, fraud/'419' or domains sending or hosting malware/viruses."

Sounds like what I would want in an RPZ, but it may not include the gambling sites the OP was looking to block.
Re: how to filter hundreds of domains?

On 8/30/12 3:19 PM, Stephane Bortzmeyer wrote:
> On Thu, Aug 30, 2012 at 03:16:32PM +0200, fddi f...@gmx.it wrote a message of 15 lines which said:
> > Actually many telephone companies in the world are doing this,
>
> They're wrong politically (censorship) and they're wrong technically (see O'Reilly's answer).
>
> Copying telephone companies is not a good idea for the Internet :-)

Still, that kind of setup is *mandatory* for ISPs in Italy :-\

--
Paranoia is a disease unto itself. And may I add: the person standing next to you may not be who they appear to be, so take precaution.
- http://bofhskull.wordpress.com/
Re: how to filter hundreds of domains?

On Thu, 2012-08-30 at 17:25 +0200, Emanuele Balla (aka Skull) wrote:
> On 8/30/12 3:19 PM, Stephane Bortzmeyer wrote:
> > On Thu, Aug 30, 2012 at 03:16:32PM +0200, fddi f...@gmx.it wrote a message of 15 lines which said:
> > > Actually many telephone companies in the world are doing this,
> >
> > They're wrong politically (censorship) and they're wrong technically (see O'Reilly's answer).
> >
> > Copying telephone companies is not a good idea for the Internet :-)
>
> Still, that kind of setup is *mandatory* for ISPs in Italy :-\

Is the mandatory setup to actually use 'DNS' to block access to gambling sites?

It's easy enough to script an automatic update if someone central and with the necessary authority decides what is not allowed (e.g. a governmental man). Could even stick the 'bad' names in DNS to do the distribution.

Suggestion: Don't listen to Niall O'Reilly - although he may be right. (tongue firmly stuck in cheek)

Note to self, run own recursive DNS resolver on my laptop whilst travelling in Italy. 8.8.8.8 ?

--
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       m...@posix.co.za - Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
Re: how to filter hundreds of domains?

Rick Coloccia coloc...@geneseo.edu wrote:
> Add this line to /etc/named.conf:
>
> include "locallyblockeddomains.zones";
>
> Contents of locallyblockeddomains.zones:
>
> // This bind zone is intended to be included in a running dns server for a local net
> //
> // It will return a 127.0.0.1 for the domains listed as malware
> //
> // This is for locally determined domains we want blocked
> //
> zone "r.im" { type master; file "/etc/namedb/blockeddomain.hosts"; };
> (snipped many more out)
> zone "emailupgrader.clan.su" { type master; file "/etc/namedb/blockeddomain.hosts"; };
>
> This is the /etc/namedb/blockeddomain.hosts file:
>
> $TTL 86400          ; one day
> @    IN SOA ns1.geneseo.edu. coloccia.geneseo.edu. (
>                 2007112601 ; serial
>                 28800      ; refresh 8 hours
>                 7200       ; retry 2 hours
>                 864000     ; expire 10 days
>                 86400 )    ; min ttl 1 day
>      IN NS   ns1.geneseo.edu.
>      IN A    127.0.0.1
> *    IN A    127.0.0.1
> *    IN AAAA ::1
> ; This zone will kill all traffic to a listed domain
>
> Done. Add domains you want blocked to the locallyblockeddomains.zones file.

In my previous job, the cyber-security created a list of domains from various sources. They tested the file on a test BIND server before loading the file into the AFS shared file system. I had a cron on my DNS servers that ran every 10 minutes that checked for a new file, and if it saw one, it copied the file to the local disk and ran rndc to reload the new config file.

--Barry Finkel
Re: how to filter hundreds of domains?

On Thu, Aug 30, 2012 at 03:18:25PM +0200, fddi wrote:
> On 8/30/12 3:14 PM, Stephane Bortzmeyer wrote:
> > On Thu, Aug 30, 2012 at 01:34:07PM +0100, Niall O'Reilly niall.orei...@ucd.ie wrote a message of 32 lines which said:
> > > Don't waste your time. This approach is superficial.
> >
> > http://www.bortzmeyer.org/images/please-close-gate.jpg :-)
>
> Often it is not you who has to decide what to do; you receive orders.

People who don't fully understand an issue really do not have any business managing it. This is a basic law of nature.

> It is never a good thing to mock people.

People who have made bad decisions based on ignorance of the subject matter certainly do deserve criticism for what they have done, no? I think they do. The emperor is wearing no clothes! Sometimes, humor is a good way to get the point across.

The proper thing to do, if in a position of authority, is to educate oneself on the matter at hand, and if unable for some reason, to pass authority to someone who DOES understand it. DNS is not simple, but I bet I could spend a day or so with some non-technical person of reasonable intelligence and get him/her up to speed as to why ideas like this are bad.

No, it's not practical for every ignorant politician to hire a DNS-capable geek to help learn the basics, but lack of practicality does not make wrong any less wrong.

--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Re: how to filter hundreds of domains?
On 8/30/2012 10:33 AM, Rick Coloccia wrote:
> add this line to /etc/named.conf
>
>     include "locallyblockeddomains.zones";
>
> contents of locallyblockeddomains.zones:
>
>     // This bind zone is intended to be included in a running dns server for a local net
>     //
>     // It will return a 127.0.0.1 for the domains listed as malware
>     //
>     // This is for locally determined domains we want blocked
>     //
>     zone "r.im" { type master; file "/etc/namedb/blockeddomain.hosts"; };
>     [snipped many more out]
>     zone "emailupgrader.clan.su" { type master; file "/etc/namedb/blockeddomain.hosts"; };
>
> this is the /etc/namedb/blockeddomain.hosts file:
>
>     $TTL 86400 ; one day
>     @       IN SOA ns1.geneseo.edu. coloccia.geneseo.edu. (
>                 2007112601 ; serial
>                 28800      ; refresh 8 hours
>                 7200       ; retry 2 hours
>                 864000     ; expire 10 days
>                 86400 )    ; min ttl 1 day
>             IN NS   ns1.geneseo.edu.
>             IN A    127.0.0.1
>     *       IN A    127.0.0.1
>     *       IN AAAA ::1
>     ; This zone will kill all traffic to a listed domain
>
> Done. Add domains you want blocked to the locallyblockeddomains.zones file.

The null or unspecified address -- 0.0.0.0 in IPv4, :: in IPv6 -- is generally considered the more polite and proper way to express "don't ever try to connect to this". If you put a loopback address in there, a poorly-coded app might end up spinning, connecting to itself. But the unspecified address gets stopped cold at the OS level so it's the preferred choice.

- Kevin
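Kevin's point about answering with the unspecified address, together with Rick's "add domains you want blocked to the file" step, as one added example that is not code from the original thread or from either poster: a POSIX shell script that turns a plain domain list into the include file and writes the shared sinkhole zone with 0.0.0.0 and :: in place of loopback. HOSTS_FILE defaults to the path from Rick's post; the nameserver name, contact address and serial passed to render_sinkhole_zone are placeholders, and the domain-name check is this example's own rule for what is allowed into named.conf.

```shell
#!/bin/sh
# Added example (not from the original thread): generate the blocklist
# include file from a list of domains, one per line, and the single
# sinkhole zone file all of those zones point at.  Answers use the
# unspecified address (0.0.0.0 / ::) so the OS refuses the connection
# outright instead of sending it to the host's own loopback services.
set -eu

# Zone file every blocked zone shares (path from the original post).
HOSTS_FILE="${HOSTS_FILE:-/etc/namedb/blockeddomain.hosts}"

# Accept only hostname-shaped names: alphanumeric labels with internal
# hyphens, 1-63 characters each, at least one dot.  Anything else would be
# written into named.conf unquoted-safe or not, and a single bad line there
# makes the whole reload fail, so reject it here instead.
valid_domain() {
    printf '%s' "$1" | grep -Eq \
        '^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$'
}

# Read the list ('#' comments and blank lines ignored), lower-case it, drop
# duplicates, and emit one zone statement per valid name.  Invalid entries
# are reported on stderr and skipped rather than aborting the run.
render_zones() {
    list="$1"
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$list" \
      | tr 'A-Z' 'a-z' | grep -v '^$' | sort -u \
      | while IFS= read -r name; do
            if valid_domain "$name"; then
                printf 'zone "%s" { type master; file "%s"; };\n' "$name" "$HOSTS_FILE"
            else
                printf 'skipping invalid entry: %s\n' "$name" >&2
            fi
        done
}

# The shared sinkhole zone.  MNAME and RNAME carry trailing dots so they are
# not expanded relative to whichever blocked zone loads the file; the apex
# and the wildcard both answer with the unspecified address for A and AAAA.
render_sinkhole_zone() {
    ns="$1"; contact="$2"; serial="$3"
    cat <<EOF
\$TTL 86400 ; one day
@       IN SOA ${ns}. ${contact}. (
            ${serial} ; serial
            28800     ; refresh 8 hours
            7200      ; retry 2 hours
            864000    ; expire 10 days
            86400 )   ; negative-caching TTL 1 day
        IN NS   ${ns}.
        IN A    0.0.0.0
        IN AAAA ::
*       IN A    0.0.0.0
*       IN AAAA ::
; every name at or under a blocked zone resolves to the unspecified address
EOF
}

# Usage (placeholder names):
#   render_zones domains.txt > locallyblockeddomains.zones
#   render_sinkhole_zone ns1.example.net hostmaster.example.net "$(date +%Y%m%d01)" > "$HOSTS_FILE"
# then run named-checkconf on the include and named-checkzone on the zone
# file before reloading.
```

Because every blocked zone loads the same file, the wildcard also covers any subdomain of a listed name, so a list containing both example.com and www.example.com only needs the first entry; the generator leaves that pruning to whoever curates the list, but the lower-casing and sort -u at least keep duplicate zone statements (which BIND rejects) out of named.conf.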
Re: how to filter hundreds of domains?
In message <1346342946.14282.32.ca...@mjelap.posix.co.za>, Mark Elkins writes:
> On Thu, 2012-08-30 at 17:25 +0200, Emanuele Balla (aka Skull) wrote:
>> On 8/30/12 3:19 PM, Stephane Bortzmeyer wrote:
>>> On Thu, Aug 30, 2012 at 03:16:32PM +0200, fddi <f...@gmx.it> wrote a message of 15 lines which said:
>>>> Actually many telephone companies in the world are doing this,
>>>
>>> They're wrong politically (censorship) and they're wrong technically (see O'Reilly's answer).
>>>
>>> Copying telephone companies is not a good idea for the Internet :-)
>>
>> Still, that kind of setup is *mandatory* for ISPs in Italy :-\
>
> Is the mandatory setup to actually use 'DNS' to block access to gambling sites? It's easy enough to script an automatic update if someone central and with the necessary authority decides what is not allowed (e.g. a governmental man). Could even stick the 'bad' names in DNS to do the distribution.
>
> Suggestion: Don't listen to Niall O'Reilly - although he may be right. (tongue firmly stuck in cheek)
>
> Note to self, run own recursive DNS resolver on my laptop whilst travelling in Italy. 8.8.8.8 ?

Which is exactly why the DNS is the wrong level to do this at if you have a legal obligation to block access. The only way to do that is to block the packets themselves. Given these are gambling sites the chance of collateral damage is minimal if you just block all access to the ips in question. Just make sure you can get through to their nameservers so you can keep the list of IP addresses to filter current.

> Mark
> --
> Posix Systems - (South) Africa
> m...@posix.co.za - Mark J Elkins, Cisco CCIE
> Tel: +27 12 807 0590  Cell: +27 82 601 0496

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
