Setting up A DNSBL service for Safesquid
Posted: Fri Oct 14, 2022 11:20 am
You could be frequently discovering websites that your enterprise may choose to block for all users.
Various SOC service providers supply lists of websites that may be malicious or inappropriate.
You could add such sites to a category using the Custom Category feature of SafeSquid.
Creating an entry in Access Profiles to block access to such categories would then prevent users from reaching those sites.
However, if your SOC provider supplies a large number of such websites, SafeSquid's DNS Blacklist feature may be a better alternative.
Enabling SafeSquid's DNS Blacklist feature causes SafeSquid to query the DNSBL for the A record of a website's domain.
For example, if a user tries to access www.google.com and you have configured in.dnsbl.org as your DNSBL,
SafeSquid queries the A record of www.google.com.in.dnsbl.org before actually connecting to www.google.com.
If the A record falls within the configured range, access to www.google.com is blocked.
Managing the DNSBL, or checking whether a website is being blocked, does not require access to SafeSquid's UI or credentials for the self-service portal at key.safesquid.com.
Also, if you have other applications that can benefit from DNS-based blocking, the return on your effort simply multiplies.
To set up your DNSBL on a standard bind9 installation, follow these steps.
First, choose a domain name for your DNSBL.
This domain name need not be officially purchased or registered; any name is fine.
For this example we are choosing in.dnsbl.org.
Step 1#
Create a zone definition.
You may place this definition in /etc/bind/named.conf.local, because that file is usually already included from /etc/bind/named.conf;
or, if you prefer to create a new file, make sure to include it in /etc/bind/named.conf.
```
zone "in.dnsbl.org" {
    type master;
    file "/etc/bind/db.in.dnsbl.org";
    allow-transfer { any; };   // any host may AXFR the whole list; restrict to your own instances if the list is sensitive
    allow-query { any; };
};
```
Now populate the zone data file /etc/bind/db.in.dnsbl.org as follows.
Note: We have added example.com, example.net, blocktest1 and testblock.com just as reference examples.
```
;
; BIND data file for the DNSBL zone "in.dnsbl.org"
;
$TTL    604800
@       IN      SOA     in.dnsbl.org. root.in.dnsbl.org. (
                        2       ; Serial (increment on every change)
                        3600    ; Refresh
                        86400   ; Retry
                        3600    ; Expire
                        3600 )  ; Negative Cache TTL
@       IN      NS      ns1.in.dnsbl.org.
@       IN      NS      ns2.in.dnsbl.org.
@       IN      A       <ip-address-of-your-dnsbl-server>
ns1     IN      A       <ip-address-of-your-dnsbl-server>
ns2     IN      A       <ip-address-of-your-dnsbl-server>
; every listed name is a CNAME to "blocked", so it resolves to 127.0.0.4,
; the address that must fall inside the range configured in SafeSquid
blocked         IN      A       127.0.0.4
example.com     IN      CNAME   blocked
example.net     IN      CNAME   blocked
blocktest1      IN      CNAME   blocked
testblock.com   IN      CNAME   blocked
```
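As an added example that is not part of the original post or of SafeSquid itself, the Python below mirrors the lookup SafeSquid performs (build host.in.dnsbl.org, resolve it, compare the A record with the configured range), adds a check that the resolver actually serves the unregistered zone (otherwise every lookup is NXDOMAIN and the blacklist silently fails open), and turns a SOC-supplied domain list into the CNAME records for db.in.dnsbl.org. The 127.0.0.0/8 block range and the fake resolver table are assumptions.

```python
import ipaddress
import socket

DNSBL_ZONE = "in.dnsbl.org"                          # zone name from the post
BLOCK_RANGE = ipaddress.ip_network("127.0.0.0/8")   # assumed "configured range"

def dnsbl_query_name(host, zone=DNSBL_ZONE):
    """Name SafeSquid looks up: <host>.<zone>, e.g. www.google.com.in.dnsbl.org."""
    return f"{host.strip().rstrip('.').lower()}.{zone}"

def is_blocked(host, resolve=socket.gethostbyname, zone=DNSBL_ZONE, block_range=BLOCK_RANGE):
    """True when the DNSBL answers with an A record inside block_range;
    NXDOMAIN (socket.gaierror) means not listed, so the site is allowed."""
    try:
        return ipaddress.ip_address(resolve(dnsbl_query_name(host, zone))) in block_range
    except socket.gaierror:
        return False

def dnsbl_is_served(resolve=socket.gethostbyname, zone=DNSBL_ZONE, block_range=BLOCK_RANGE):
    """The zone name is not registered, so if the resolver in use is not the
    bind9 serving (or stubbing) the zone, every lookup is NXDOMAIN and the
    blacklist fails open. 'blocked.<zone>' from the zone file must resolve."""
    return is_blocked("blocked", resolve, zone, block_range)

def zone_records(domains, listed_ip="127.0.0.4"):
    """Record lines for db.in.dnsbl.org from a SOC-supplied list: the 'blocked'
    A record, then one CNAME per domain (lowercased, deduplicated, trailing
    dots and '#' comment lines dropped)."""
    lines, seen = [f"blocked IN A {listed_ip}"], set()
    for d in domains:
        d = d.strip().rstrip(".").lower()
        if d and not d.startswith("#") and d not in seen:
            seen.add(d)
            lines.append(f"{d} IN CNAME blocked")
    return lines

# Constructed stand-in for the bind9 answers so the example runs offline.
FAKE_ZONE = {"blocked.in.dnsbl.org": "127.0.0.4", "example.com.in.dnsbl.org": "127.0.0.4"}

def fake_resolve(name):
    if name not in FAKE_ZONE:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_ZONE[name]

if __name__ == "__main__":
    print("DNSBL served by resolver:", dnsbl_is_served(fake_resolve))
    for h in ("example.com", "www.google.com"):
        print(h, "blocked" if is_blocked(h, fake_resolve) else "allowed")
    print("\n".join(zone_records(["example.com", "Example.COM.", "# feed comment", "testblock.com"])))
```

Replace fake_resolve with the default socket.gethostbyname on a host whose resolver is the bind9 serving the zone to check real answers.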
Once populated as desired, just reload the bind9 service:
```sh
service bind9 reload
```
Now check that things are working as desired:
```sh
host -t A example.com.in.dnsbl.org
```
The result should appear as:
```
rediff.com.in.dnsbl.org is an alias for blocked.in.dnsbl.org.
blocked.in.dnsbl.org has address 127.0.0.4
```
Then configure SafeSquid as described in https://docs.safesquid.com/wiki/DNS_blacklist
Note: Standard SafeSquid installations normally co-host a bind9 instance,
so if you prefer, you can extend its capabilities rather than set up a dedicated DNSBL.
If you have a cluster of SafeSquid instances, it is recommended to either set up the above on a "master instance" or create a dedicated DNSBL service.
You can then easily serve all SafeSquid instances by adding just the following to each instance's bind9 configuration, /etc/bind/named.conf.local:
```
zone "in.dnsbl.org" {
    type stub;   // this instance learns the zone's NS records from the master and sends lookups for in.dnsbl.org there
    masters { <ip-address-of-your-dnsbl-server>; };
};
```