LinuxQuestions.org
Old 01-07-2012, 02:23 PM   #1
E71
LQ Newbie
 
Registered: Oct 2007
Distribution: CentOS 5.3
Posts: 20

Rep: Reputation: 0
Block sites using Bind DNS Server...


Hi Guys,

I have a Bind DNS Server on my network that all our machines use; however, I would very much like to be able to block certain sites at scheduled times of the day.

We used to use OpenDNS for this but of course they don't have any scheduling options as far as I'm aware -- plus we'd have more control over something local.

Does anyone know of such software for CentOS? Preferably something that allows groups of domains (e.g. Social Networking, Games), scheduling (or some API I can use to write my own scheduled crons)...

Thank you kindly,
E71
 
Old 01-07-2012, 03:02 PM   #2
T3RM1NVT0R
Senior Member
 
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, Ubuntu, SLES, CentOS
Posts: 1,689

Rep: Reputation: 305

Hi E71,

A DNS blocking approach is possible, as you can see from the following link: http://www.deer-run.com/~hal/sysadmin/dns-advert.html

As you can see, you need to edit the /etc/named.conf file for the domains that you want to block. The automation that you are looking for is also possible using crontab. However, this will interrupt internet connectivity.

I am talking about the following approach. Let's say you decided to block the sites between 12 noon and 1400 hrs. Here is what you would do:

1. Set up a cronjob to run at 12 that will stop bind.
2. Rename /etc/named.conf /etc/named.conf.original
3. Rename /etc/named.conf.edited (This is the edited file which contains blocked domains) to /etc/named.conf
4. Start bind

then at 1400 hrs another cronjob will run which will perform the following:

1. Stop bind.
2. Rename /etc/named.conf to /etc/named.conf.edited
3. Rename /etc/named.conf.original to /etc/named.conf
4. Start bind

As you can see, you have to restart bind for the changes to take effect. This will interrupt the internet, and I don't think users will be happy about this.

I would suggest using the iptables approach and running the cronjob against it. Here is how it will go:

1. cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup (This step is for backup)
2. Edit iptables rules to block the domains that you want.
3. cp /etc/sysconfig/iptables /etc/sysconfig/iptables.edited

Now you can switch the iptables file using a cronjob as follows:

At 12 noon - cronjob

1. service iptables stop
2. mv /etc/sysconfig/iptables /etc/sysconfig/iptables.original
3. mv /etc/sysconfig/iptables.edited /etc/sysconfig/iptables
4. service iptables save
5. service iptables start

At 14 hrs - cronjob

1. service iptables stop
2. mv /etc/sysconfig/iptables /etc/sysconfig/iptables.edited
3. mv /etc/sysconfig/iptables.original /etc/sysconfig/iptables
4. service iptables save
5. service iptables start

Note: Though I have mentioned the step for backup, make sure that you take a backup to USB or some other place of the configuration files that you are going to edit.
 
1 members found this post helpful.
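As an added example (my own, not from this thread or the linked article): a small POSIX shell generator that turns per-category domain lists (the "Social Networking" / "Games" grouping E71 asked for) into the zone stanzas named.conf needs for the sinkhole-zone approach, where every blocked domain is declared as a local master zone backed by one shared zone file that answers 127.0.0.1. The function names, the /var/named and /etc/named paths and all domain names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the linked article: generate the
# "blocking" half of named.conf from per-category domain lists, using the
# sinkhole-zone pattern (every blocked domain is a local master zone backed
# by one shared zone file that answers 127.0.0.1 for any name under it).
# Paths and domain names used here are constructed for illustration.
set -eu

NULL_ZONE=${NULL_ZONE:-/var/named/null.zone.file}

# Zone file contents shared by every blocked domain. The short TTL means
# clients forget the sinkhole answer quickly once blocking is lifted.
gen_null_zone() {
    cat <<'EOF'
$TTL 60
@   IN SOA localhost. root.localhost. ( 1 3h 1h 1w 1h )
    IN NS  localhost.
    IN A   127.0.0.1
*   IN A   127.0.0.1
EOF
}

# gen_block_conf LISTFILE... : print one zone stanza per domain found in the
# given category files (one domain per line, '#' comments allowed).
# Duplicates are dropped because named refuses to load a config that
# defines the same zone twice, and anything that is not a plain hostname
# is skipped rather than written into the live config.
gen_block_conf() {
    cat "$@" | sed 's/#.*//' | tr -d ' \t\r' | grep -v '^$' | sort -u |
    while IFS= read -r domain; do
        case "$domain" in
            *[!A-Za-z0-9.-]*|.*|*.)
                echo "skipping invalid domain: $domain" >&2; continue ;;
        esac
        printf 'zone "%s" { type master; file "%s"; };\n' "$domain" "$NULL_ZONE"
    done
}

# Example use (constructed paths): build the include file, then check it
# through the config that pulls it in with: include "/etc/named.blocked.conf";
#   gen_null_zone > /var/named/null.zone.file
#   gen_block_conf /etc/named/lists/social.txt /etc/named/lists/games.txt \
#       > /etc/named.blocked.conf
#   named-checkconf /etc/named.conf.blocking
```

Because the generated file is only ever included by the "blocking" variant of named.conf, the normal configuration is never touched by the generator.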
Old 01-10-2012, 07:20 PM   #3
E71
LQ Newbie
 
Registered: Oct 2007
Distribution: CentOS 5.3
Posts: 20

Original Poster
Rep: Reputation: 0

Many thanks for the suggestion T3RM1NVT0R.

Was hoping for something ready to use, possibly as a proxy to the DNS server with a web interface for adding filters, but a couple of cron scripts should do nicely until then.

Thanks again,
E71
 
Old 01-10-2012, 10:09 PM   #4
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 367
Your question title is "Block sites using BIND DNS Server" but at the end of your question you say
Quote:
Does anyone know of such software for CentOS? Preferably something that allows groups of domains
and then
Quote:
Was hoping for something ready to use, possibly as proxy to the DNS
To me, those statements conflict. If you want to block the sites using BIND, then I'm not sure why you would be looking for the name of some software... you already know it: BIND

I'm not trying to nit-pick, but I saw your post before and decided not to respond because the title implied a BIND-only solution to me. That may still be the case (i.e. maybe you're looking for some sort of plug-in for BIND), but on the chance that you're open to a non-BIND solution:

Squid (proxy server)

While I have not used it (yet), a few web searches indicate that Squid is able to limit web-site access based on time of day.

Last edited by Dark_Helmet; 01-10-2012 at 10:11 PM.
 
Old 01-11-2012, 12:45 AM   #5
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

Rep: Reputation: 189
A bind (layer 7) restriction may work in an environment where nobody has any understanding of how the internet works, but it's not going to stop anybody that knows what an IP address is. My point being: restrict bind all you like, that will only stop domain names from resolving; you will still be able to access facebook (or whatever) by typing "66.220.149.11" into your browser.

The iptables solution is better, as it will stop it at layer 3 (IP addresses), although it will require you to look up IPs for every site you want to allow, and then create rules allowing them and dropping everything else. Or vice versa; either way, it will result in a lot of rules and a lot of grunt work to establish something workable.

The better option, as indicated by Dark_Helmet, would be to use squid + squidGuard, using time constraints, where there are heaps of different black/whitelist files available online where the grunt work is done for you.
http://www.squidguard.org/Doc/extended.html#times
 
Old 01-11-2012, 11:49 AM   #6
jefro
Guru
 
Registered: Mar 2008
Posts: 10,255

Rep: Reputation: 1256
Wonder if it would be worth it to load a virtual machine running some more advanced firewall like Untangle or other such as OpenBSD pf.
 
Old 01-13-2012, 01:48 PM   #7
RobertEachus
Member
 
Registered: Dec 2011
Posts: 32

Rep: Reputation: 8
Quote:
Originally Posted by T3RM1NVT0R View Post
However, this will interrupt the internet connectivity.
The interruption is not required, just a minor slowdown as bind rebuilds the cache.

Bind reads its config file only at start-up, so the file won't be locked; skip the shutdown step in the cron job. Just go ahead and swap the files. Then you just need to tell bind to read the configuration file again in the cron job; RNDC can tell named to do this.
rndc reload
Then just to be a little more sure the cut off is as sharp as it can be;
rndc flush

I would set up two config files in addition to the named.conf and copy them over at the required times. This way you never have a cron job modifying the "master" config files. Let's call them /etc/named.conf.blocking & /etc/named.conf.normal

I would also set up a cute little sh script to make things easier. Just remember to put the full path of the script in the cron job. You may also need to fill out the script with the full path for rndc & pass args to tell it where the key file is. This should also let you swap modes easily if the server is ever down during one of the cut over intervals. If you wanted to get really fancy you could also modify the init.d file for named to check the time of day before it starts and run the sh script with the correct option for that time of day.

With the script below you should only need to do the following in the cron job.
./dnsblocking.sh start
or
./dnsblocking.sh stop

dnsblocking.sh
Code:
#!/bin/sh
# Copy the chosen config over the live named.conf, then make named re-read
# it and drop its cache. Expects exactly one argument: start or stop.
operation=other
if [ "$1" = "start" ]; then
    operation=start
    rm -f /etc/named.conf
    cp /etc/named.conf.blocking /etc/named.conf
    rndc reload
    rndc flush
fi
if [ "$1" = "stop" ]; then
    operation=stop
    rm -f /etc/named.conf
    cp /etc/named.conf.normal /etc/named.conf
    rndc reload
    rndc flush
fi
if [ "$operation" = "other" ]; then
    echo "$1 is not a valid operation; please enter either start or stop. Case sensitive."
fi
On a side note I do not advocate DNS blocking as it can be easily bypassed. As soon as 1 person in a location figures it out it won't be long before half the office knows the IP for facebook by heart.
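An added example (my own, not RobertEachus's script) of the same start/stop cut-over done more defensively: the candidate config is checked with named-checkconf before it replaces the live file, the replacement is an atomic rename rather than rm + cp, and a failing rndc is reported instead of silently leaving the resolver in an unknown state. /etc/named.conf with its .blocking and .normal siblings, the script path in the cron lines, and the RNDC/CHECKCONF override variables are all assumptions.

```shell
#!/bin/sh
# Added example, not the thread's script. Switch named between the
# "blocking" and "normal" configs without stopping it (rndc reload + flush,
# as described above), but validate the candidate with named-checkconf first
# so a typo in named.conf.blocking cannot leave the resolver dead at noon.
# Paths below are assumed; crontab lines (constructed) would be:
#   0 12 * * 1-5 /usr/local/sbin/dnsblocking.sh start
#   0 14 * * 1-5 /usr/local/sbin/dnsblocking.sh stop
set -u

CONF=${CONF:-/etc/named.conf}
RNDC=${RNDC:-rndc}                        # e.g. "rndc -k /etc/rndc.key"
CHECKCONF=${CHECKCONF:-named-checkconf}

# switch_mode start|stop: 0 on success, 1 bad argument, 2 candidate config
# failed validation, 3 install or rndc failed. Nothing is changed on 1 or 2.
switch_mode() {
    case "${1:-}" in
        start) src="$CONF.blocking" ;;
        stop)  src="$CONF.normal" ;;
        *) echo "usage: $0 start|stop (case sensitive)" >&2; return 1 ;;
    esac
    if ! $CHECKCONF "$src"; then
        echo "refusing to install $src: named-checkconf failed" >&2
        return 2
    fi
    # Copy beside the live file, then rename: rename is atomic on the same
    # filesystem, so named never sees a half-written named.conf.
    cp "$src" "$CONF.tmp.$$" && mv -f "$CONF.tmp.$$" "$CONF" || return 3
    # Re-read the config, then drop cached answers so the cut-over is sharp.
    $RNDC reload && $RNDC flush || { echo "rndc failed after installing $src" >&2; return 3; }
    logger -t dnsblocking "switched to '$1' mode using $src" 2>/dev/null || true
    return 0
}

# Run only when invoked with an argument (from cron or an interactive shell).
if [ $# -gt 0 ]; then switch_mode "$@"; exit $?; fi
```

Check the cron job's exit status (or the logger line) after the first scheduled run; a return of 2 means the blocking config needs fixing but the resolver is still serving the previous configuration.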
 
Old 08-31-2012, 07:36 PM   #8
funkyflo
LQ Newbie
 
Registered: Oct 2009
Location: austria/europe
Distribution: debian
Posts: 8

Rep: Reputation: 0
Very great idea

HI GUYS!


Blocking ads with bind dns is a very great idea!! I am currently setting up Debian minimal on my Asus Eee PC 4G in order to run bind9 and the DHCP daemon in my home network.


I am stuck with these Facebook ads. I don't want to get Facebook ads via Facebook for Android. On my computer I blocked them with a Firefox plugin. How do I block Facebook ads within the Facebook for Android app itself??


Does any of you know the hostname used in combination with ads in the Android app? I do not want to block Facebook completely,
I am just looking for a hostname I can block with my own DNS server so that the Facebook ads no longer get displayed via Facebook for Android.....




Thanks very much for any hints, and a great idea it is that somebody had: blocking ads with your own bind dns...


Florian
 
  

