Monday, April 22, 2019

dns blackhole with bind nameserver

Setting up a DNS blackhole to block malicious sites is not hard and is not new. The much-talked-about "Pi-hole" is nothing more than a Raspberry Pi running a DNS server plus some extra files with blocklists and settings.
If you don't want to buy a new machine just to set up an ad blocker, you can use your own machine and a personal DNS server. Read on, it is very easy to do, nothing especially complicated.
I use the BIND nameserver on Linux, but you can use whatever operating system you like; BIND runs on Windows too.
Nothing special here: we want to block some sites at the DNS server level, so that no application on any machine using that DNS server can reach them. Keep in mind that the block is only as good as the client settings: a machine pointed at a different resolver, or a browser using its own DNS over HTTPS, bypasses it completely.

Apart from the configuration files bundled with BIND, you need only two more files and a small addition to the named.conf file.

In named.conf (on Debian and Ubuntu, named.conf.local is the usual place, and named.conf already includes it) add this at the end:
include "/etc/bind/blocked.conf.zones";

Create a new file in /etc/bind and name it blocked.conf.zones.

My blocked.conf.zones file looks like this:

zone "pagead2.googlesyndication.com" { type master; notify no; file "/etc/bind/null.zone.file"; };
zone "googleadservices.com"  { type master; notify no; file "/etc/bind/null.zone.file"; };
zone "myphonenumbers-pa.googleapis.com" { type master; notify no; file "/etc/bind/null.zone.file"; };

Each of these makes BIND authoritative for that name, so everything below it is blocked as well: the "googleadservices.com" entry also covers www.googleadservices.com and every other subdomain, while the "pagead2.googlesyndication.com" entry leaves the rest of googlesyndication.com untouched. Pick the zone at the level you really want to cut off.

Now create another file in the same /etc/bind directory and name it null.zone.file. Every blocked zone points at this one file, so it must not contain a $ORIGIN line or anything else that ties it to a particular domain.

My null.zone.file looks like this (the SOA names carry trailing dots so they are absolute; without them BIND reads "localhost" relative to whichever blocked zone is loading the file):

$TTL    600
; generic "null" zone served for every blocked name; no $ORIGIN, so the
; same file works for any zone statement that points at it
@                       1D IN SOA       localhost. root.localhost. (
                                        42              ; serial
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum (negative-cache TTL)

                        1D IN NS        @
                        5 IN A          127.0.0.1       ; the blocked name itself resolves to loopback
        ;     *       IN      A          127.0.0.1       ; uncomment to sinkhole every subdomain too

Two things worth knowing about this file. With the wildcard line commented out, names below a blocked zone (say www.googleadservices.com) get NXDOMAIN, which blocks them just as effectively as the 127.0.0.1 answer for the apex; uncomment the wildcard if you prefer every subdomain to resolve to loopback. And 127.0.0.1 means a blocked client connects to itself, which is harmless unless the client runs a web server on that port; 0.0.0.0 is the usual alternative address if that bothers you.

And that's it! Nothing more, nothing less! Reload BIND (rndc reload, or restart the service) and the zones take effect.

For every site you want to block you need to add a new line in blocked.conf.zones, e.g. if you want to block adservices.com you add a new line and write
zone "adservices.com" { type master; notify no; file "/etc/bind/null.zone.file"; };

That's it!

If you want a large list of malicious or advertising sites, search on DuckDuckGo; there are plenty of lists. Most come in hosts-file format (an address followed by one or more hostnames per line) or as plain lists of domains, so they need converting into zone statements before BIND can use them. Be careful with that step: a single malformed name in blocked.conf.zones stops named from loading at all, so check the generated file with named-checkconf before reloading.
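The conversion described above, as an added example that is not part of the original post or of BIND itself. It assumes the null zone file path used in this post (/etc/bind/null.zone.file) and a list in either hosts format or one-domain-per-line format; the sample list inside it is constructed for illustration and is not a real blocklist.

```shell
#!/bin/sh
# Added example (not from the original post): turn a downloaded blocklist
# into zone statements for blocked.conf.zones.
# Assumptions: BIND serves /etc/bind/null.zone.file (as in the post) and the
# list is in hosts format ("0.0.0.0 host ...") or one domain per line.

NULL_ZONE="/etc/bind/null.zone.file"

# hosts_to_zones: reads a blocklist on stdin, prints one zone statement per
# unique hostname. Comments, blank lines, the usual localhost entries and
# anything that is not a syntactically valid hostname are dropped, so a
# sloppy list cannot produce a blocked.conf.zones that named refuses to load.
hosts_to_zones() {
    awk -v nz="$NULL_ZONE" '
    BEGIN {
        n = split("localhost localhost.localdomain local broadcasthost ip6-localhost ip6-loopback ip6-localnet ip6-mcastprefix ip6-allnodes ip6-allrouters ip6-allhosts", r, " ")
        for (k = 1; k <= n; k++) reserved[r[k]] = 1
    }
    {
        sub(/#.*/, "")                 # drop whole-line and trailing comments
        if (NF == 0) next              # nothing left on this line
        # hosts format puts an IPv4/IPv6 address first; plain lists do not
        start = ($1 ~ /^[0-9.]+$/ || $1 ~ /:/) ? 2 : 1
        for (i = start; i <= NF; i++) {
            h = tolower($i)
            if (h in reserved) continue
            # labels of letters, digits and hyphens, at least one dot
            if (h !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) continue
            if (seen[h]++) continue    # same name listed twice
            printf "zone \"%s\" { type master; notify no; file \"%s\"; };\n", h, nz
        }
    }'
}

# Constructed sample list (not a real blocklist) exercising the edge cases:
# comments, localhost entries, duplicates, case, invalid names, both formats.
sample_hosts_list() {
    cat <<'EOF'
# constructed sample, hosts format mixed with a plain domain line
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 ads.example.com   # trailing comment
0.0.0.0 ads.example.com tracker.example.net
0.0.0.0 bad_host.example
0.0.0.0 -dash.example.com
plain.example.org
0.0.0.0 Ads.Example.COM
EOF
}

# With a file argument convert that list; otherwise show the sample, which
# yields exactly three zone lines: ads.example.com, tracker.example.net,
# plain.example.org.
if [ $# -gt 0 ]; then
    hosts_to_zones < "$1"
else
    sample_hosts_list | hosts_to_zones
fi
```

Typical use is `sh hosts2zones.sh list.txt > /etc/bind/blocked.conf.zones`, then `named-checkconf` to prove the file parses and `rndc reload` to activate it; `dig @127.0.0.1 ads.example.com` afterwards should return 127.0.0.1 from the null zone rather than the real address. The hostname check is deliberately strict (no underscores, no leading or trailing hyphens, at least one dot) because the hosts-style lists found online are full of junk entries that would otherwise end up in the BIND configuration.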

=========

One more step: don't forget to point your machines at your own DNS server. Instead of 8.8.8.8, 4.2.2.1 or other public nameservers, use 127.0.0.1 (or the LAN address of whichever interface BIND listens on). Listen ports, network interfaces and the access control list (who is allowed to use your DNS server) are up to you and must be configured for your own environment. One rule applies everywhere, though: restrict recursion to your LAN (allow-recursion or allow-query) and never expose the server to the internet as an open resolver, or it will be abused for DNS amplification attacks. Fortunately these settings are not complicated at all; five minutes of reading on the internet is enough.

=============
Tested and working on the entire LAN, for PCs and phones!
