Setting up A DNSBL service for Safesquid

You could be frequently discovering websites that your enterprise may choose to block for all users.
Various SOC service providers supply lists of websites that may be malignant or inappropriate.
You could add such sites into a category using the Custom Category feature of SafeSquid.
Creating an entry in Access Profiles to block access to such categories would prevent users from accessing such sites.
However, if your SOC provider supplies a large number of such websites, SafeSquid’s DNS Blacklist feature may be a better alternative.

Enabling SafeSquid’s DNS Blacklist feature causes SafeSquid to query the A record of a website’s domain in the DNSBL.
For example, if a user seeks to access, and you have configured as your DNSBL,
SafeSquid queries for the A record of, before actually connecting to
If the A record is found to fall within the configured range, access to would be blocked.

Managing DNSBL, or checking if a website is being blocked does not require access to SafeSquid’s UI or credentials to the self-service portal at
Also, if you have other applications that can benefit from DNS based blocking, the return on your efforts simply multiplies.

To set up your DNSBL on a standard bind9 implementation, follow these steps.

First you would choose a domain name for your DNSBL.
This domain name need not be officially purchased or registered; any name is fine.
For this example we are choosing

Create a zone definition.
You may put this definition in /etc/bind/named.conf.local because it is usually already included from /etc/bind/named.conf,
or if you prefer to create a new file, make sure to include it in /etc/bind/named.conf.

zone "" {
        type master;
        file "/etc/bind/";
        allow-transfer { any; };
        allow-query { any; };
};

Note that allow-transfer { any; } lets any host copy the whole block list with a zone transfer; restrict it to your secondary servers if the list should not be public.

Now populate the zone data file /etc/bind/ as follows:

; BIND data file for TLD ""
$TTL	604800
@	IN	SOA (
			      2		; Serial
			 3600		; Refresh
			  86400		; Retry
			3600		; Expire
			 3600 )	; Negative Cache TTL

@	  IN	NS
@	  IN	NS
@	  IN	A	<ip-address-of-your-dnsbl-server>
ns1	  IN	A	<ip-address-of-your-dnsbl-server>
ns2	  IN	A 	<ip-address-of-your-dnsbl-server>

blocked	IN	A
	IN	CNAME	blocked
	IN	CNAME	blocked
blocktest1	IN	CNAME	blocked
	IN	CNAME	blocked

Note: We have added,, blocktest1, just as reference examples.
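As an added example (not part of the original page or of SafeSquid), the following Python mirrors the two pieces described above: turning a SOC-supplied list of domains into the CNAME records for the zone file, and the check SafeSquid performs, which looks up the A record of <domain>.<dnsbl-zone> and blocks only when the answer falls inside the configured range. The zone name "dnsbl.example", the domains in the feed and the 127.0.0.2 answer are constructed assumptions; the resolver is injectable so the logic can be tested offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional

# Assumption: the zone's "blocked" A record answers 127.0.0.2, and SafeSquid's
# DNS Blacklist range is configured to cover it (e.g. 127.0.0.0/8).
BLOCKED_ANSWER = "127.0.0.2"
DNSBL_ZONE = "dnsbl.example"  # constructed name for the private DNSBL zone


def zone_records(domains: Iterable[str], target: str = "blocked") -> List[str]:
    """Emit one 'name IN CNAME blocked' line per domain from the SOC feed.
    Owner names are relative to the zone origin, so trailing dots are removed;
    blank or malformed entries are skipped so they cannot break the zone file."""
    records = []
    for entry in domains:
        name = entry.strip().rstrip(".").lower()
        if not name or any(ch.isspace() for ch in name):
            continue
        records.append(f"{name}\tIN\tCNAME\t{target}")
    return records


def dnsbl_query_name(host: str, zone: str = DNSBL_ZONE) -> str:
    """Name looked up for a website: <host>.<dnsbl-zone>. (absolute)."""
    return f"{host.rstrip('.').lower()}.{zone.strip('.')}."


def resolve_live(name: str) -> Optional[str]:
    """Real A-record lookup via the system resolver; None on NXDOMAIN/failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_blocked(host: str, blocked_range: str,
               resolve: Callable[[str], Optional[str]] = resolve_live,
               zone: str = DNSBL_ZONE) -> bool:
    """True only if the DNSBL answers with an address inside blocked_range.
    Checking the range (not just 'an answer exists') means a stray or
    hijacked reply such as a public IP does not block the site."""
    answer = resolve(dnsbl_query_name(host, zone))
    if answer is None:
        return False
    try:
        return ipaddress.ip_address(answer) in ipaddress.ip_network(blocked_range)
    except ValueError:  # unparsable answer: treat as "not listed"
        return False


# Constructed stand-in for the zone served by bind9, for offline testing.
FAKE_ZONE = {dnsbl_query_name("blocktest1"): BLOCKED_ANSWER,
             dnsbl_query_name("badsite.example"): BLOCKED_ANSWER}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)
```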

Once populated as desired just reload the bind9 service:

service bind9 reload

Now check that things are working as desired:

host -t A

The result should appear as: is an alias for has address

Configure SafeSquid as described in DNS blacklist - Secure Web Gateway

Note: Standard SafeSquid installations normally co-host a bind9 implementation,
so if you prefer you can extend its capabilities rather than set up a dedicated DNSBL.

If you have a cluster of SafeSquid instances, it is recommended to either set up the above on a “master instance” or create a dedicated DNSBL service.
You can then easily serve all SafeSquid instances by adding just the following to the bind9 configuration in /etc/bind/named.conf.local:

zone {
	type stub;
	masters { <ip-address-of-your-dnsbl-server> ;};
};