Block sites using Bind DNS Server...

E71 · 01-07-2012, 02:23 PM

Hi Guys,

I have a Bind DNS Server on my Network that all our machines use, however I would very much like to be able to block certain sites at scheduled times of the day.

We used to use OpenDNS for this but of course they don't have any scheduling options as far as I'm aware -- plus we'd have more control over something local.

Does anyone know of such software for CentOS? Preferably something that allows groups of domains (eg. Social Networking, Games), scheduling (or some API I can use to write my own scheduled crons)...

Thank you kindly,
E71

T3RM1NVT0R · 01-07-2012, 03:02 PM

Hi E71,

DNS blocking approach is possible as you can see from the following link: http://www.deer-run.com/~hal/sysadmin/dns-advert.html

As you can see you need to edit /etc/named.conf file for the domains that you want to block. The automation that you are looking for is also possible using crontab. However, this will interrupt the internet connectivity.

I am talking about the following approach. Let say you decided to block the sites between 12 noon to 1400 hrs. Here is what you did:

1. Set up a cronjob to run at 12 that will stop bind.
2. Rename /etc/named.conf /etc/named.conf.original
3. Rename /etc/named.conf.edited (This is the edited file which contains blocked domains) to /etc/named.conf
4. Start bind

then at 1400 hrs another cronjob will run which will perform the following:

1. Stop bind.
2. Rename /etc/named.conf to /etc/named.conf.edited
3. Rename /etc/named.conf.original to /etc/named.conf
4. Start bind

As you can see that you have restart bind for the changes to take effect. This will interrupt internet and I don't think so that users will be happy about this.

I would suggest using iptables approach and run the cronjob against it. Here is how it will go:

1. cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup (This step is for backup)
2. Edit iptables rules to block the domains that you want.
3. cp /etc/sysconfig/iptables /etc/sysconfig/iptables.edited

Now you can switch using iptables file using cronjob as follows:

At 12 noon - cronjob

1. service iptables stop
2. mv /etc/sysconfig/iptables /etc/sysconfig/iptables.original
3. mv /etc/sysconfig/iptables.edited /etc/sysconfig/iptables
4. service iptables save
5. service iptables start

At 14 hrs - cronjob

1. service iptables stop
2. mv /etc/sysconfig/iptables /etc/sysconfig/iptables.edited
3. mv /etc/sysconfig/iptables.original /etc/sysconfig/iptables
4. service iptables save
5. service iptables start

Note: Though I have mentioned the step for backup. Make sure yourself that you take a backup to USB or at some other place of the configuration files that you will going to edit.

E71 · 01-10-2012, 07:20 PM

Many thanks for the suggestion T3RM1NVT0R.

Was hoping for something ready to use, possibly as proxy to the DNS server with web interface for adding filters, but a couple of cron scripts should do nicely until then.

Thanks again,
E71

Dark_Helmet · 01-10-2012, 10:09 PM

Your question title is "Block sites using BIND DNS Server" but at the end of your question you say

Quote:

Does anyone know of such software for CentOS? Preferably something that allows groups of domains

and then

Quote:

Was hoping for something ready to use, possibly as proxy to the DNS

To me, those statements conflict. If you want to block the sites using BIND, then I'm not sure why you would be looking for the name of some software... you already know it: BIND

I'm not trying to nit-pick, but I saw your post before and decided not to respond because the title implied a BIND-only solution to me. That may still be the case (i.e. maybe you're looking for some sort of plug-in for BIND), but on the chance that you're open to a non-BIND solution:

Squid (proxy server)

While I have not used it (yet), a few web searches indicate that Squid is able to limit web-site access based on time of day.

fukawi1 · 01-11-2012, 12:45 AM

A bind (layer 7) restriction may work in an environment where nobody has any understanding of how the internet works, but its not going to going to stop anybody that knows what an IP address is. My point being restrict bind all you like, that will only stop domain names from resolving, you will still be able to access facebook (or whatever) by typing "66.220.149.11" into your browser.

The iptables solution is better, as it will stop it at layer 3 (IP addresses), although, it will require you to look up IP's for every site you want to allow, and then create rules allowing them, and dropping everything else. Or vice versa, either way, it will result in a lot of rules, and a lot of grunt work to establish something workable.

The better option, as indicated by Dark_Helmet, would be to use squid + squidgaurd, using time contstraints, where there is heaps of different black/whitelist files available online where the grunt work is done for you.
http://www.squidguard.org/Doc/extended.html#times

jefro · 01-11-2012, 11:49 AM

Wonder if it would be worth it to load a virtual machine running some more advanced firewall like untangle or other such as openbsd pf.

RobertEachus · 01-13-2012, 01:48 PM

Quote:

Originally Posted by T3RM1NVT0R

However, this will interrupt the internet connectivity.

The interruption is not required, just a minor slowdown as bind rebuilds the cache.

Bind reads its config file only at start up so the file won't be locked, skip the shutdown step in the cron job. Just go ahead and swap the files. Then you just need to tell bind to read the configuration file again in the cron job, RNDC can tell named to do this.
rndc reload
Then just to be a little more sure the cut off is as sharp as it can be;
rndc flush

I would set up two config files in addition to the named.conf and copy them over at the required times, This way you never have a cron job modifying the "master" config files. Lets call them /etc/named.conf.blocking & /etc/named.conf.normal

I would also set up a cute little sh script to make things easier. Just remember to put the full path of the script in the cron job. You may also need to fill out the script with the full path for rndc & pass args to tell it where the key file is. This should also let you swap modes easily if the server is ever down during one of the cut over intervals. If you wanted to get really fancy you could also modify the init.d file for named to check the time of day before it starts and run the sh script with the correct option for that time of day.

With the script below you should only need to do the following in the cron job.
./dnsblocking.sh start
or
./dnsblocking.sh stop

dnsblocking.sh

Code:

#!/bin/sh
operation=other
if [ "%1" == "start" ]; then
operation=start
rm -f /etc/named.conf
cp /etc/named.conf.blocking /etc/named.conf
rndc reload
rndc flush	
fi
if [ "%1" == "stop" ]; then
operation=stop
rm -f /etc/named.conf
cp /etc/named.conf.normal /etc/named.conf
rndc reload
rndc flush
fi
if [ "$operation" == "other" ] then
echo %1 is not a valid operation please enter either start or stop. Case sensitive.

On a side note I do not advocate DNS blocking as it can be easily bypassed. As soon as 1 person in a location figures it out it won't be long before half the office knows the IP for facebook by heart.

funkyflo · 08-31-2012, 07:36 PM

HI GUYS!

Blocking ads with bind dns is a verry great idea!! I am currently setting up debian minim on my asus eee pc 4g in order to run bind9 and dhcp deamon in my home network.

I am stuck of theese facebook ads. I dont want to get facebook ads via facebook for andorid. on my computer i blocked them with a firefox plugin. how to block facebook ads within the facebook for andorid app itself??

Does someone of you know the hostname used in combination with ads on andorid app`? I do not want to block facevook completly,
i am just loking for a hostname i can block with my own dns server in order the facebook ads do not more get displayed via facebook for android.....

Thanks verry much for any hints, and great idea it is that somebody had: blocking ads with your own bind dns...

Florian