Re: Blocking undesirable domains using BIND
Hi,

Maxim Khitrov wrote:
> On Dec 30, 2007 12:31 PM, Darren Spruell [EMAIL PROTECTED] wrote:
>> On Dec 30, 2007 9:52 AM, Maxim Khitrov [EMAIL PROTECTED] wrote:
>
> I then installed dnsmasq, which is able to read domain info from the hosts file. Just for the fun of it, I loaded domains from all the sources I've gathered into a separate hosts file - a total of 155,150 entries. Dnsmasq loaded that file and has been running for several minutes now. It's currently taking up a total of 17MB! Now granted, it doesn't need to deal with whole zone files, but this still goes to show the level of efficiency that can be achieved in theory even with this many entries.

This sounds like a perfect solution for me too. I will have to try this next year.

Erich

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Blocking undesirable domains using BIND
Darren Spruell wrote:
> On Dec 28, 2007 8:49 AM, Kevin Kinsey [EMAIL PROTECTED] wrote:
>> In the absence of egress filtering on the firewall, that would definitely be an advantage. Does anyone use BIND for filtering in a small to medium business environment then? How does it perform?
>
> Performs fine.
>
> # rndc status
> number of zones: 17210
> ... snip

Thanks, Darren.

--
Pity the meek, for they shall inherit the earth. -- Don Marquis
Re: Blocking undesirable domains using BIND
On Dec 28, 2007 11:28 AM, Rob [EMAIL PROTECTED] wrote:
> Kevin Kinsey wrote:
>> Just a question, and I'm not trying to cast doubt on your plan; I'm curious why using BIND for this purpose instead of a proxy, which is a more typical application as I understand it?
>
> I was trying to do something similar. I didn't research too hard, but figured the only way to use Bind would be to make my server authoritative for all those domains, which meant a huge config file and potential overhead, as well as possibly breaking access to desirable servers in the domains. So hosts seemed easier, but apparently Bind never looks at hosts.
>
> I did find that Squid (which I already had installed and in limited use) has its own DNS resolver, and it does look at hosts first before going to the nameserver. Then I found this site: http://everythingisnt.com/hosts.html and put their list in hosts, and now client PCs get a squid error in place of ad junk. Works ok for me ;)
>
> -Rob

Well... you were right about overhead. In the last two days I wrote a script that would fetch a list of domains from several different sites, and output a valid BIND configuration file that could be included in the main config. I just ran the second test and the results are extremely poor. With only 27,885 blocked domains the server is now consuming 208 MB of RAM. The first time I tried reloading the full list of domains (91,137 of them) and that nearly crashed my server. Had to kill bind, remove two of the largest sources, and try a second time.

Honestly, I can't figure out what BIND could possibly be using so much memory for. It's taking up about 7 KB for each zone. The zone file itself is not even 1 KB, and given that all the records are pointing to the exact same thing it seems to be needlessly wasting memory. In addition to that, if I comment out the blacklist config file and run rndc reload, it only frees up about 16 MB. So it doesn't even release memory when it is no longer needed.

It looks like my plan of using BIND for filtering purposes will not work. Given how poorly it performed on this test I'm actually inclined to try another name server to see if something else would be more memory-efficient. If I can't find anything then I'll need to put some other piece of software to intercept BIND's recursive queries and block the domains that way.

- Max
Re: Blocking undesirable domains using BIND
On Dec 30, 2007 9:52 AM, Maxim Khitrov [EMAIL PROTECTED] wrote:
>> I was trying to do something similar. I didn't research too hard, but figured the only way to use Bind would be to make my server authoritative for all those domains, which meant a huge config file and potential overhead, as well as possibly breaking access to desirable servers in the domains. So hosts seemed easier, but apparently Bind never looks at hosts.
>>
>> I did find that Squid (which I already had installed and in limited use) has its own DNS resolver, and it does look at hosts first before going to the nameserver. Then I found this site: http://everythingisnt.com/hosts.html and put their list in hosts, and now client PCs get a squid error in place of ad junk. Works ok for me ;)
>
> Well... you were right about overhead. In the last two days I wrote a script that would fetch a list of domains from several different sites, and output a valid BIND configuration file that could be included in the main config. I just ran the second test and the results are extremely poor. With only 27,885 blocked domains the server is now consuming 208 MB of RAM. The first time I tried reloading the full list of domains (91,137 of them) and that nearly crashed my server. Had to kill bind, remove two of the largest sources, and try a second time.

Nearly 100,000 zones on that server is a fairly impressive amount. Give it credit for what you're trying to do. :) Nonetheless, crashing is unacceptable.

> Honestly, I can't figure out what BIND could possibly be using so much memory for. It's taking up about 7 KB for each zone. The zone file itself is not even 1 KB, and given that all the records are pointing to the exact same thing it seems to be needlessly wasting memory. In addition to that, if I comment out the blacklist config file and run rndc reload, it only frees up about 16 MB. So it doesn't even release memory when it is no longer needed.

My experience, albeit with a smaller number of zones, is a bit different.

First you need to account for main program memory and memory utilized by the nameserver's cache, if any. You may also be running your own authoritative zones which will add memory utilization outside of that. You can't account for all of the utilized memory in your additional blocking zones.

Without my blocking zones loaded, I have 6 native zones on my nameserver and the resident memory size of named is 2.2 MB. After a fresh server startup, I expect minimum memory for cached records, so that comes out to be about 375 KB/zone, unscientifically.

If I restart named (kill and start server fresh) with my blocking zones in the config, I come out with 17239 zones and a resident process memory size of 59 MB. (Unscientifically again,) this breaks down to about 3.5 KB/zone.

In my configuration, each of these blocking zones points to a simple zone file 244B in size on disk:

    $TTL 86400
    @       IN SOA  ns.local. admin.local. (
                    1       ; serial
                    1h      ; refresh
                    30m     ; retry
                    7d      ; expiration
                    1h )    ; minimum
            IN NS   ns.local.
            IN A    127.0.0.1
    *       IN A    127.0.0.1

So all told, I seem to notice somewhat slimmer utilization than you (roughly half the memory utilization per zone, and though I have 61% as many zones loaded my named takes only 28% of the memory yours does.)

> It looks like my plan of using BIND for filtering purposes will not work. Given how poorly it performed on this test I'm actually inclined to try another name server to see if something else would be more memory-efficient.

You will almost certainly find most of the popular alternatives to be much more resource efficient. djbdns in particular would be my next choice if memory efficiency and stability are concerns.

DS
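Max's script that turns downloaded domain lists into a BIND include file is not posted in the thread. The following is an added example of that idea (my code, not Max's, Darren's or the DNS-BH project's); it assumes mvps-style hosts.txt input, a single shared zone file named blockeddomain.hosts, and the ns.local./admin.local. names from the zone file above. Beyond what the thread describes, it also drops subdomains whose parent is already blocked, since the parent's wildcard zone answers for them and each extra zone only costs named memory.

```python
"""Turn hosts-file style block lists into a BIND named.conf include.

Added example; assumptions: shared zone file "blockeddomain.hosts",
nameserver names ns.local./admin.local. as in Darren's zone file.
"""
import re

# Names a hosts file carries for the machine itself; never make zones for these.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet",
               "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters"}

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def _is_address(field):
    """True for the leading IPv4/IPv6 field of a hosts-file line."""
    if ":" in field:
        return True
    parts = field.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def parse_hosts_lines(lines):
    """Yield host names from '0.0.0.0 ad.example.com' lines or bare domain lines.

    '#' comments and blank lines are skipped; a line listing several names
    (as hosts files allow) yields each of them.
    """
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if _is_address(fields[0]):
            fields = fields[1:]
        for name in fields:
            yield name.lower().rstrip(".")


def is_valid_domain(name):
    """Reject bare TLDs and names that cannot be BIND zone names."""
    labels = name.split(".")
    return (2 <= len(labels) and len(name) <= 253
            and all(LABEL_RE.match(label) for label in labels))


def collapse_domains(names):
    """Return sorted unique zone names, dropping children of a listed parent.

    A wildcard zone for example.com already answers ads.example.com, so a
    separate zone for the child only adds to named's per-zone memory cost.
    """
    wanted = {n for n in names if n not in LOCAL_NAMES and is_valid_domain(n)}
    keep = set()
    for name in sorted(wanted, key=lambda d: d.count(".")):  # parents first
        labels = name.split(".")
        parents = {".".join(labels[i:]) for i in range(1, len(labels) - 1)}
        if not parents & keep:
            keep.add(name)
    return sorted(keep)


def bind_include(zones, zone_file="blockeddomain.hosts"):
    """Render the named.conf fragment: one master zone per blocked domain."""
    return "".join('zone "%s" { type master; file "%s"; };\n' % (z, zone_file)
                   for z in zones)


# The shared blackhole zone, as posted in the thread: everything -> 127.0.0.1.
BLACKHOLE_ZONE = """$TTL 86400
@       IN SOA  ns.local. admin.local. (
                1       ; serial
                1h      ; refresh
                30m     ; retry
                7d      ; expiration
                1h )    ; minimum
        IN NS   ns.local.
        IN A    127.0.0.1
*       IN A    127.0.0.1
"""

# Constructed sample input (not a real block list), mvps style plus a bare line.
SAMPLE = """# constructed sample
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 example.com   # parent of the line above
0.0.0.0 tracker.example.net
tracker.example.net
0.0.0.0 bad_name.example.org
0.0.0.0 cdn.example.net www.example.net
"""

if __name__ == "__main__":
    zones = collapse_domains(parse_hosts_lines(SAMPLE.splitlines()))
    print(bind_include(zones), end="")
```

Write the printed fragment to a file, `include` it from named.conf next to a copy of BLACKHOLE_ZONE saved as blockeddomain.hosts, and run `rndc reload` as Max's plan describes.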
Re: Blocking undesirable domains using BIND
On Dec 30, 2007 12:31 PM, Darren Spruell [EMAIL PROTECTED] wrote:
> On Dec 30, 2007 9:52 AM, Maxim Khitrov [EMAIL PROTECTED] wrote:
>>> I was trying to do something similar. I didn't research too hard, but figured the only way to use Bind would be to make my server authoritative for all those domains, which meant a huge config file and potential overhead, as well as possibly breaking access to desirable servers in the domains. So hosts seemed easier, but apparently Bind never looks at hosts.
>>>
>>> I did find that Squid (which I already had installed and in limited use) has its own DNS resolver, and it does look at hosts first before going to the nameserver. Then I found this site: http://everythingisnt.com/hosts.html and put their list in hosts, and now client PCs get a squid error in place of ad junk. Works ok for me ;)
>>
>> Well... you were right about overhead. In the last two days I wrote a script that would fetch a list of domains from several different sites, and output a valid BIND configuration file that could be included in the main config. I just ran the second test and the results are extremely poor. With only 27,885 blocked domains the server is now consuming 208 MB of RAM. The first time I tried reloading the full list of domains (91,137 of them) and that nearly crashed my server. Had to kill bind, remove two of the largest sources, and try a second time.
>
> Nearly 100,000 zones on that server is a fairly impressive amount. Give it credit for what you're trying to do. :) Nonetheless, crashing is unacceptable.
>
>> Honestly, I can't figure out what BIND could possibly be using so much memory for. It's taking up about 7 KB for each zone. The zone file itself is not even 1 KB, and given that all the records are pointing to the exact same thing it seems to be needlessly wasting memory. In addition to that, if I comment out the blacklist config file and run rndc reload, it only frees up about 16 MB. So it doesn't even release memory when it is no longer needed.
>
> My experience, albeit with a smaller number of zones, is a bit different.
>
> First you need to account for main program memory and memory utilized by the nameserver's cache, if any. You may also be running your own authoritative zones which will add memory utilization outside of that. You can't account for all of the utilized memory in your additional blocking zones.
>
> Without my blocking zones loaded, I have 6 native zones on my nameserver and the resident memory size of named is 2.2 MB. After a fresh server startup, I expect minimum memory for cached records, so that comes out to be about 375 KB/zone, unscientifically.
>
> If I restart named (kill and start server fresh) with my blocking zones in the config, I come out with 17239 zones and a resident process memory size of 59 MB. (Unscientifically again,) this breaks down to about 3.5 KB/zone.
>
> In my configuration, each of these blocking zones points to a simple zone file 244B in size on disk:
>
>     $TTL 86400
>     @       IN SOA  ns.local. admin.local. (
>                     1       ; serial
>                     1h      ; refresh
>                     30m     ; retry
>                     7d      ; expiration
>                     1h )    ; minimum
>             IN NS   ns.local.
>             IN A    127.0.0.1
>     *       IN A    127.0.0.1
>
> So all told, I seem to notice somewhat slimmer utilization than you (roughly half the memory utilization per zone, and though I have 61% as many zones loaded my named takes only 28% of the memory yours does.)
>
>> It looks like my plan of using BIND for filtering purposes will not work. Given how poorly it performed on this test I'm actually inclined to try another name server to see if something else would be more memory-efficient.
>
> You will almost certainly find most of the popular alternatives to be much more resource efficient. djbdns in particular would be my next choice if memory efficiency and stability are concerns.
>
> DS

I was using the exact same zone file as you, one real master zone, and the three slave root zones from the default config. Not sure why it reacted as it did to the blacklist config, but I think I now found a perfect solution.

This morning I played around with MaraDNS, which is actually a pretty good DNS server. One problem with it was that it didn't allow includes in the main config. That means that everything has to be in a single file and that's a bit messy. It did a lot better with memory usage, taking up about 70MB for 27 or 28 thousand domains, but still not great.

I then installed dnsmasq, which is able to read domain info from the hosts file. Just for the fun of it, I loaded domains from all the sources I've gathered into a separate hosts file - a total of 155,150 entries. Dnsmasq loaded that file and has been running for
Re: Blocking undesirable domains using BIND
Olivier Nicole wrote:
>> Again, I'm not trying to convince you otherwise or say that using BIND is a bad idea. It's just that I'm curious because we use Squid for this sort of thing, and I was wondering why BIND instead?
>
> I think another issue is that Squid will only filter HTTP/FTP connections, while DNS would allow to filter any type of traffic that would try to go to places with a bad name.
>
> Olivier

In the absence of egress filtering on the firewall, that would definitely be an advantage. Does anyone use BIND for filtering in a small to medium business environment then? How does it perform?

Kevin Kinsey

--
I trust the first lion he meets will do his duty. -- J. P. Morgan on Teddy Roosevelt's safari
Re: Blocking undesirable domains using BIND
On Dec 28, 2007 8:49 AM, Kevin Kinsey [EMAIL PROTECTED] wrote:
> Olivier Nicole wrote:
>>> Again, I'm not trying to convince you otherwise or say that using BIND is a bad idea. It's just that I'm curious because we use Squid for this sort of thing, and I was wondering why BIND instead?
>>
>> I think another issue is that Squid will only filter HTTP/FTP connections, while DNS would allow to filter any type of traffic that would try to go to places with a bad name.
>>
>> Olivier
>
> In the absence of egress filtering on the firewall, that would definitely be an advantage. Does anyone use BIND for filtering in a small to medium business environment then? How does it perform?

Performs fine.

    # rndc status
    number of zones: 17210
    ...

My 17000+ zones are loaded from the DNS-BH project and increase the startup time of named to about 10 seconds and bump the resident memory size up to about 55M. (AMD Duron 750MHz).

There's no real performance hit per se by DNS blackholing, other than the resource utilization increase needed for handling additional zones; your name server would normally be handling these DNS lookups anyway. You're just overriding the response locally rather than recursing for it. The zones themselves typically end up being very small, like a single wildcard record pointing to 127.0.0.1 or a honeypot or whatever.

DS
Re: Blocking undesirable domains using BIND
Kevin Kinsey wrote:
> Just a question, and I'm not trying to cast doubt on your plan; I'm curious why using BIND for this purpose instead of a proxy, which is a more typical application as I understand it?

I was trying to do something similar. I didn't research too hard, but figured the only way to use Bind would be to make my server authoritative for all those domains, which meant a huge config file and potential overhead, as well as possibly breaking access to desirable servers in the domains. So hosts seemed easier, but apparently Bind never looks at hosts.

I did find that Squid (which I already had installed and in limited use) has its own DNS resolver, and it does look at hosts first before going to the nameserver. Then I found this site: http://everythingisnt.com/hosts.html and put their list in hosts, and now client PCs get a squid error in place of ad junk. Works ok for me ;)

-Rob
Re: Blocking undesirable domains using BIND
Hi,

the guys seem to have some humour:

> Linux/Unix/Mac OSX
> Remove the extension and save this to your /etc directory. Considering unix is a server-based OS with a complex permission structure you'll probably want to just append your hosts file instead of overwriting it. OSX can use the hosts file, but copying it to /etc isn't enough. When finished please empty out your cache and restart your browser or reboot your computer.

Erich

Rob wrote:
> Then I found this site: http://everythingisnt.com/hosts.html and put their list in hosts, and now client PCs get a squid error in place of ad junk. Works ok for me ;)
>
> -Rob
Re: Blocking undesirable domains using BIND
On Dec 27, 2007 3:46 PM, Maxim Khitrov [EMAIL PROTECTED] wrote:
> Hello,
>
> I'm currently setting up a new firewall for my home network using FreeBSD 7. The firewall will also act as our local name server (authoritative for the local domain, and caching for everything else). One of the things I'd like to do with it is use BIND to block various undesirable domains (ad servers, malicious sites, etc.). The plan is to have a separate BIND config file which is included in the main one. In that file I map all the blocked domains to either the empty zone or perhaps my local web server that's just serving a blank page for any request. Haven't decided which way is better yet. This file is updated periodically (once a week maybe) and BIND is then told to reload the config. That's the plan as it stands now, eventually I hope to add a web interface to the system for adding and removing blocked domains.
>
> My question for you guys is if you know any _reliable_ sources for getting that list of domains in the first place? I currently use the hosts file on all my machines, which is about 2MB in size and hasn't been updated in several years. I'll definitely import all of those entries myself, but it would be good if I could periodically pull an updated list from somewhere else. The following site has a pretty decent collection of ad servers, though it's a bit short compared to what I already have: http://pgl.yoyo.org/adservers/. It even provides the list in a BIND format, meaning that I don't need to do any additional processing with it. Just fetch the page and reload BIND. This, however, is not one of my requirements. I'm perfectly happy getting just a list of the domains (in any format), and then processing them into a BIND config file myself. Just need good sources.
>
> What are your recommendations?
>
> - Max

You could always try one of those ad-blocking databases for firefox. The Ad-Block Plus plugin, I was thinking of specifically.

http://easylist.adblockplus.org

You could grab that file, then parse it and grab the domains out of it to block.

I know this isn't what you want, but it may come in useful anyway: http://www.okean.com/asianspamblocks.html
Re: Blocking undesirable domains using BIND
On Dec 27, 2007 1:46 PM, Maxim Khitrov [EMAIL PROTECTED] wrote:
> Hello,
>
> I'm currently setting up a new firewall for my home network using FreeBSD 7. The firewall will also act as our local name server (authoritative for the local domain, and caching for everything else). One of the things I'd like to do with it is use BIND to block various undesirable domains (ad servers, malicious sites, etc.). The plan is to have a separate BIND config file which is included in the main one. In that file I map all the blocked domains to either the empty zone or perhaps my local web server that's just serving a blank page for any request. Haven't decided which way is better yet. This file is updated periodically (once a week maybe) and BIND is then told to reload the config. That's the plan as it stands now, eventually I hope to add a web interface to the system for adding and removing blocked domains.
>
> My question for you guys is if you know any _reliable_ sources for getting that list of domains in the first place? I currently use the hosts file on all my machines, which is about 2MB in size and hasn't been updated in several years. I'll definitely import all of those entries myself, but it would be good if I could periodically pull an updated list from somewhere else. The following site has a pretty decent collection of ad servers, though it's a bit short compared to what I already have: http://pgl.yoyo.org/adservers/. It even provides the list in a BIND format, meaning that I don't need to do any additional processing with it. Just fetch the page and reload BIND. This, however, is not one of my requirements. I'm perfectly happy getting just a list of the domains (in any format), and then processing them into a BIND config file myself. Just need good sources.
>
> What are your recommendations?

Look into the Blackhole-DNS project, formerly one of the BleedingThreats projects hosted at http://www.bleedingsnort.com/blackhole-dns/.

This project tracks many hostile domains and produces BIND format files for this very purpose. It's not a great resource for ad blocking, as it focuses mainly on security threats (spyware, other malware, etc.)

Since there has been some shuffling and reorganization happening around the BleedingThreats project, it's in a state of flux right now. The current home of the DNS-BH project is at http://malwaredomains.com/.

--
Darren Spruell
[EMAIL PROTECTED]
Re: Blocking undesirable domains using BIND
Maxim Khitrov wrote:
> into a BIND config file myself. Just need good sources.
>
> What are your recommendations?

I keep a small but potent list of undesirables as described here...

http://mark.foster.cc/wiki/index.php/Trackers

--
Said one park ranger, 'There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists.'
Mark D. Foster, CISSP [EMAIL PROTECTED] http://mark.foster.cc/
Re: Blocking undesirable domains using BIND
Maxim Khitrov wrote:
> Hello,
>
> I'm currently setting up a new firewall for my home network using FreeBSD 7. The firewall will also act as our local name server (authoritative for the local domain, and caching for everything else). One of the things I'd like to do with it is use BIND to block various undesirable domains (ad servers, malicious sites, etc.). The plan is to have a separate BIND config file which is included in the main one.

Just a question, and I'm not trying to cast doubt on your plan; I'm curious why using BIND for this purpose instead of a proxy, which is a more typical application as I understand it?

Again, I'm not trying to convince you otherwise or say that using BIND is a bad idea. It's just that I'm curious because we use Squid for this sort of thing, and I was wondering why BIND instead?

Kevin Kinsey

> In that file I map all the blocked domains to either the empty zone or perhaps my local web server that's just serving a blank page for any request. Haven't decided which way is better yet. This file is updated periodically (once a week maybe) and BIND is then told to reload the config. That's the plan as it stands now, eventually I hope to add a web interface to the system for adding and removing blocked domains.
>
> My question for you guys is if you know any _reliable_ sources for getting that list of domains in the first place? I currently use the hosts file on all my machines, which is about 2MB in size and hasn't been updated in several years. I'll definitely import all of those entries myself, but it would be good if I could periodically pull an updated list from somewhere else. The following site has a pretty decent collection of ad servers, though it's a bit short compared to what I already have: http://pgl.yoyo.org/adservers/. It even provides the list in a BIND format, meaning that I don't need to do any additional processing with it. Just fetch the page and reload BIND. This, however, is not one of my requirements. I'm perfectly happy getting just a list of the domains (in any format), and then processing them into a BIND config file myself. Just need good sources.
>
> What are your recommendations?
>
> - Max

--
QOTD: A child of 5 could understand this! Fetch me a child of 5.
Re: Blocking undesirable domains using BIND
Hi,

I use hosts to block unwanted content but on a per machine base. I currently use this as a starting point and add private preferences to hosts.

http://www.mvps.org/winhelp2002/hosts.txt

Has bind a visible advantage in the response time?

Erich

Maxim Khitrov wrote:
> Hello,
>
> I'm currently setting up a new firewall for my home network using FreeBSD 7. The firewall will also act as our local name server (authoritative for the local domain, and caching for everything else). One of the things I'd like to do with it is use BIND to block various undesirable domains (ad servers, malicious sites, etc.). The plan is to have a separate BIND config file which is included in the main one. In that file I map all the blocked domains to either the empty zone or perhaps my local web server that's just serving a blank page for any request. Haven't decided which way is better yet. This file is updated periodically (once a week maybe) and BIND is then told to reload the config. That's the plan as it stands now, eventually I hope to add a web interface to the system for adding and removing blocked domains.
>
> My question for you guys is if you know any _reliable_ sources for getting that list of domains in the first place? I currently use the hosts file on all my machines, which is about 2MB in size and hasn't been updated in several years. I'll definitely import all of those entries myself, but it would be good if I could periodically pull an updated list from somewhere else. The following site has a pretty decent collection of ad servers, though it's a bit short compared to what I already have: http://pgl.yoyo.org/adservers/. It even provides the list in a BIND format, meaning that I don't need to do any additional processing with it. Just fetch the page and reload BIND. This, however, is not one of my requirements. I'm perfectly happy getting just a list of the domains (in any format), and then processing them into a BIND config file myself. Just need good sources.
>
> What are your recommendations?
>
> - Max
Re: Blocking undesirable domains using BIND
> Has bind a visible advantage in the response time?

Maybe not in response time, but certainly in centralisation: you only maintain one DNS instead of every machine.

Olivier
Re: Blocking undesirable domains using BIND
Hi,

Olivier Nicole wrote:
>> Has bind a visible advantage in the response time?
>
> Maybe not in response time, but certainly in centralisation: you only maintain one DNS instead of every machine.

This is obvious to me too. I would not like to use bind for filtering except in larger organisations.

Erich
Re: Blocking undesirable domains using BIND
On Dec 27, 2007 7:16 PM, Kevin Kinsey [EMAIL PROTECTED] wrote:
> Maxim Khitrov wrote:
>> Hello,
>>
>> I'm currently setting up a new firewall for my home network using FreeBSD 7. The firewall will also act as our local name server (authoritative for the local domain, and caching for everything else). One of the things I'd like to do with it is use BIND to block various undesirable domains (ad servers, malicious sites, etc.). The plan is to have a separate BIND config file which is included in the main one.
>
> Just a question, and I'm not trying to cast doubt on your plan; I'm curious why using BIND for this purpose instead of a proxy, which is a more typical application as I understand it?
>
> Again, I'm not trying to convince you otherwise or say that using BIND is a bad idea. It's just that I'm curious because we use Squid for this sort of thing, and I was wondering why BIND instead?
>
> Kevin Kinsey

I also need a local name server for my domain. That's the primary function, and this filtering stuff is just an added bonus. It'll also be nice to bypass the ISP name servers, which haven't been very reliable lately.

- Max
Re: Blocking undesirable domains using BIND
On Dec 27, 2007 4:27 PM, Schiz0 [EMAIL PROTECTED] wrote:
> On Dec 27, 2007 3:46 PM, Maxim Khitrov [EMAIL PROTECTED] wrote:
>> Hello,
>>
>> I'm currently setting up a new firewall for my home network using FreeBSD 7. The firewall will also act as our local name server (authoritative for the local domain, and caching for everything else). One of the things I'd like to do with it is use BIND to block various undesirable domains (ad servers, malicious sites, etc.). The plan is to have a separate BIND config file which is included in the main one. In that file I map all the blocked domains to either the empty zone or perhaps my local web server that's just serving a blank page for any request. Haven't decided which way is better yet. This file is updated periodically (once a week maybe) and BIND is then told to reload the config. That's the plan as it stands now, eventually I hope to add a web interface to the system for adding and removing blocked domains.
>>
>> My question for you guys is if you know any _reliable_ sources for getting that list of domains in the first place? I currently use the hosts file on all my machines, which is about 2MB in size and hasn't been updated in several years. I'll definitely import all of those entries myself, but it would be good if I could periodically pull an updated list from somewhere else. The following site has a pretty decent collection of ad servers, though it's a bit short compared to what I already have: http://pgl.yoyo.org/adservers/. It even provides the list in a BIND format, meaning that I don't need to do any additional processing with it. Just fetch the page and reload BIND. This, however, is not one of my requirements. I'm perfectly happy getting just a list of the domains (in any format), and then processing them into a BIND config file myself. Just need good sources.
>>
>> What are your recommendations?
>>
>> - Max
>
> You could always try one of those ad-blocking databases for firefox. The Ad-Block Plus plugin, I was thinking of specifically.
>
> http://easylist.adblockplus.org
>
> You could grab that file, then parse it and grab the domains out of it to block.
>
> I know this isn't what you want, but it may come in useful anyway: http://www.okean.com/asianspamblocks.html

The problem with adblock is that it uses regular expressions in its file format. No easy way of pulling out all the domains. That IP block info will come in handy when setting up pf, so thanks for that.

- Max
Re: Blocking undesirable domains using BIND
> Again, I'm not trying to convince you otherwise or say that using BIND is a bad idea. It's just that I'm curious because we use Squid for this sort of thing, and I was wondering why BIND instead?

I think another issue is that Squid will only filter HTTP/FTP connections, while DNS would allow to filter any type of traffic that would try to go to places with a bad name.

Olivier