Setting up A DNSBL service for Safesquid

Setting up A DNSBL service for Safesquid

You could be frequently discovering websites that your enterprise may choose to block for all users.
Various SOC service providers supply lists of websites that may be malignant or inappropriate.
You could add such sites into a category using the Custom Category feature of SafeSquid.
Creating an entry in Access Profiles to block access to such categories, would prevent users from accessing such sites.
However if you have a large number of such websites being supplied by your SOC provider, using SafeSquid’s DNS Blacklist feature may be a better alternative.

Enabling SafeSquid’s DNS Blacklist feature, causes safesquid to query the A record of a website’s domain in the DNSBL.
For example, if a user seeks to access www.google.com, and you have configured in.dnsbl.org as your DNSBL,
SafeSquid queries for the A record of www.google.com.in.dnsbl.org, before actually connecting to www.google.com
If the A record is found to fall within the configured range, access to www.google.com would be blocked.

Managing DNSBL, or checking if a website is being blocked does not require access to SafeSquid’s UI or credentials to the self-service portal at key.safesquid.com
Also if you have other applications that cam benefit from DNS based blocking, the return on your efforts simply multiplies.

To setup your DNSBL on a standard bind9 implementation follow the following steps.

First you would choose a domain name for your DNSBL.
This domain name need not be an officially purchased or registered, just any name is fine.
For this example we are choosing in.dnsbl.org

Create a zone definition.
You may set this definition in /etc/bind/named.conf.local because it is usually included already in /etc/bind/named.conf
or if you prefer to create a new file, make sure to include it in /etc/bind/named.conf

zone "in.dnsbl.org" {
        type master;
        file "/etc/bind/db.in.dnsbl.org";
        allow-transfer { any; };
        allow-query { any; };
};

Now populate zone data file /etc/bind/db.in.dnsbl.org as follows

;
; BIND data file for TLD ".in.dnsbl.org"
;
$TTL	604800
@	IN	SOA	in.dnsbl.org. root.in.dnsbl.org. (
			      2		; Serial
			 3600		; Refresh
			  86400		; Retry
			3600		; Expire
			 3600 )	; Negative Cache TTL

@	  IN	NS	ns1.in.dnsbl.org.
@	  IN	NS	ns2.in.dnsbl.org.
@	  IN	A	<ip-address-of-your-dnsbl-server>
ns1	  IN	A	<ip-address-of-your-dnsbl-server>
ns2	  IN	A 	<ip-address-of-your-dnsbl-server>

blocked	IN 	A	127.0.0.4
allowed   IN    A       127.0.0.100
*         IN    CNAME           allowed
*.com     IN    CNAME           allowed


example.com	  IN 	CNAME	blocked
example.net  IN	CNAME	blocked
blocktest1   IN	CNAME	blocked
testblock.com IN	CNAME	blocked

Note: We have added example.com, example.net, blocktest1, testblock.com as just reference examples

Once populated as desired just reload the bind9 service:

service bind9 reload

now check if things are working as desired:

host -t A example.com.in.dnsbl.org

The result should appear as:

rediff.com.in.dnsbl.org is an alias for blocked.in.dnsbl.org.
blocked.in.dnsbl.org has address 127.0.0.4

and

host -t A test.com.in.dnsbl.org

The result should appear as:

test.com.in.dnsbl.org is an alias for allowed.in.dnsbl.org.
allowed.in.dnsbl.org has address 127.0.0.100

Configure SafeSquid as described in https://docs.safesquid.com/wiki/DNS_blacklist

Note: Standard SafeSquid installations normally co-host a bind9 implementation
So if you prefer you can extend its capabilities, rather than setup a dedicated DNSBL

If you have a cluster of SafeSquid instances, it is recommended to either setup the above in a “master instance”, or create a dedicated DNSBL service.
You can then easily serve all SafeSquid instances by adding just the following to the bind9 configuration /etc/bind/named.conf.local

zone in.dnsbl.org {
	type stub;
	masters { <ip-address-of-your-dnsbl-server> ;};
};

Embark on my journey navigating DNSBL services while safeguarding with Safesquid. Streaming Freak became my guiding light through the complexities of web security. Join me in unraveling the vital role of DNSBL in fortifying our online defenses.