If you wish to run your own DNS blacklist (e.g. because you wish to import one of the lists you found), this can be built for a few users (not a big company) on a Raspberry Pi. Setting it up takes only about 15 minutes.

In this example I assume that your LAN is 192.168.1.* and that the DNS suffix for it will be home.lan. If your LAN is different, or if you wish to use another IP or suffix, you need to adapt the entries in this example.

  1. First assign your Raspberry Pi a fixed IP via your DHCP server. Otherwise the DHCP server might assign your DNS server a different IP later on, and then your new DNS server will no longer work, which will cause issues and a full reconfiguration. In this example the Raspberry Pi gets the fixed IP 192.168.1.30. If you pick a different address you need to adjust the examples here to fit your needs.
  2. Log in to your Raspberry Pi (e.g. as user pi or similar).
  3. Now edit the hosts file via
    sudo nano /etc/hosts
    and add the following line (if not already present):
    192.168.1.30 raspberry.home.lan raspberry
    Make sure that you change the IP and name so that they fit your needs! It should be the hostname and IP of your Raspberry.
  4. Run the following command:
    sudo apt-get update
  5. Now install bind9 via:
    sudo apt-get install bind9
    Do not miss the "9" here, otherwise you install an older bind!
  6. If you haven't installed an editor yet, install one, for example nano, via:
    sudo apt-get install nano
  7. We should now stop bind9 (if running) via:
    sudo service bind9 stop
  8. Now change to the bind folder via
    cd /etc/bind
  9. Now edit db.home.lan via:
    sudo nano db.home.lan
    and copy and paste the following into this file:
  10. ; BIND data file for local loopback interface
    ; Host-to-IP Address DNS Pointers for home.lan
    ;
    ; Note:
    ; Use semicolons to add comments.
    ; The extra "." at the end of the domain names is important.
    ;
    ; The following parameters set when DNS records will expire, etc.
    ;
    ; Importantly, the serial number must always be iterated upward to prevent
    ; undesirable consequences. A good format to use is YYYYMMDDII where
    ; the II index is in case you make more than one change in the same day.
    
    $TTL    604800
    
    home.lan. IN SOA raspberry.home.lan. hostmaster.home.lan. (
            2013120101 ; serial
            8H ; refresh
            4H ; retry
            4W ; expire
            1D ; minimum / Negative Cache TTL
     )
    
    ; NS indicates that raspberry is the name server on home.lan
    home.lan. IN NS raspberry.home.lan.
    
    ; MX indicates that raspberry is (also) the mail server on home.lan (uncomment if you need that)
    ;home.lan. IN MX 10 raspberry.home.lan.
    
    home.lan. IN A 192.168.1.30
    ;@ IN A 127.0.0.1
    ;@ IN AAAA ::1
    
    ; Set the address for localhost.home.lan
    localhost IN A 127.0.0.1
    
    ; Set the hostnames in alphabetical order
    raspberry IN A 192.168.1.30
    router IN A 192.168.1.1
    Make sure you do not have spaces before the hostnames! Otherwise you might get the error message "no current owner name" later on. Also make sure that you change the IPs so that they fit your needs! Save and close the file.
  11. The next step is to create a reverse DNS zone file via:
    sudo nano db.rev.1.168.192.in-addr.arpa
    Make sure that you change the IP in the file name above so that it fits your needs!
  12. Paste the following into the file:
    ; BIND reverse data file for local loopback interface
    ;
    ; IP Address-to-Host DNS Pointers for the 192.168.1 subnet
    ;
    ; Note:
    ; Use semicolons to add comments.
    ; The extra "." at the end of the domain names is important.
    ;
    ; The following parameters set when DNS records will expire, etc.
    ;
    ; Importantly, the serial number must always be iterated upward to prevent
    ; undesirable consequences. A good format to use is YYYYMMDDII where
    ; the II index is in case you make more than one change in the same day.
    ;
    $TTL    604800
    @ IN SOA raspberry.home.lan. hostmaster.home.lan. (
            2013120101 ; serial
            8H ; refresh
            4H ; retry
            4W ; expire
            1D ; minimum
    )
    ;
    ; define the authoritative name server (fully qualified, with the trailing dot)
              IN NS raspberry.home.lan.
    ; our hosts, in numeric order
    1         IN PTR router.home.lan.
    30        IN PTR raspberry.home.lan.
  13. Now we need to edit the config via
    sudo nano named.conf.options
    and remove the comments in the forwarders section, so that it looks like the following (do not change other parts of the file):
    forwarders {
        8.8.8.8;
        8.8.4.4;
        2001:4860:4860::8888;
        2001:4860:4860::8844;
    };
    These are the IP addresses our newly installed DNS server will ask when it does not know the answer for a given DNS entry. The addresses above are the ones from Google DNS; the first two are IPv4 addresses, the other two are IPv6 addresses. You can also use the ones you already got from your ISP, or use OpenDNS; that is up to you.
  14. Now we need to add the home.lan zone to our DNS config via:
    sudo nano named.conf.local
    and copy the following to the end of the file:
  15. # Our forward zone
    zone "home.lan" IN {
            type master;
            file "/etc/bind/db.home.lan";
    };
    
    # Our reverse zone
    # Server IP 192.168.1.30
    zone "1.168.192.in-addr.arpa" {
            type master;
            file "/etc/bind/db.rev.1.168.192.in-addr.arpa";
    };
    Change the IPs here so that they fit your environment!
  16. If everything is correct we can start bind9 via:
    sudo service bind9 start
    If you see an "ok" like in the output below, you can go on to the next steps.
    pi@raspberrypi /etc/bind $ sudo service bind9 start
    [ ok ] Starting domain name service...: bind9.
    
  17. Before we start adding the domains we will block, we need to check our configuration. First we check the forward zone via:
    named-checkzone home.lan /etc/bind/db.home.lan
    If that works you get an output similar to the one below:
    zone home.lan/IN: loaded serial 2013120101
    OK
    
    Now we can check the reverse zone via (note that the zone name is the reverse one, not home.lan):
    named-checkzone 1.168.192.in-addr.arpa /etc/bind/db.rev.1.168.192.in-addr.arpa
    If we have added our new DNS server to our Windows PC we can also try to ping the device by its new DNS name via:
    ping raspberry.home.lan
    If you do not get an error here we can go on to the domain block part.
  18. Now we need to edit
    sudo nano named.conf
    and include the following line:
    include "/etc/bind/named.conf.blocked";
    Save and close the file.
  19. Now we can add the domains we wish to block. To do that we edit the file mentioned above via:
    sudo nano named.conf.blocked
    Here is an example you could use:
    zone "contoso.com" {type master; file "/etc/bind/db.blocked";};
    Please note that duplicated entries here will cause issues with your DNS service!
  20. Now we need to build another bind file which is used by the blocked domains above via
    sudo nano db.blocked
    Copy and paste the following into the file:
    ; BIND db file for ad servers - point all addresses to localhost
    $TTL    86400   ; one day
    @       IN      SOA     raspberry.home.lan. hostmaster.home.lan. (
                                2013120901       ; serial number YYYYMMDDNN
                                28800   ; refresh  8 hours
                                7200    ; retry    2 hours
                                864000  ; expire  10 days
                                86400 ) ; min ttl  1 day
      NS raspberry.home.lan.
      A 127.0.0.1
    * IN      A       127.0.0.1
    Save and close the file.
  21. Now restart bind9 via:
    sudo service bind9 restart
  22. If you do not get an error message here, you can do a final test via:
    named-checkzone contoso.com /etc/bind/db.blocked
    That should output something like:
    zone contoso.com/IN: loaded serial 2013120901
    OK
    
    If you now ping contoso.com from your Windows PC via
    ping contoso.com
    it should respond with the IP address 127.0.0.1.
  23. You can now reconfigure your local LAN to use the IP address of your Raspberry as DNS server.
  24. Note that if you use Google DNS or OpenDNS you might get bad performance on websites (and software which interacts with the web, e.g. video streaming software or software which handles downloads like iTunes with MP3s) which use CDNs (Content Delivery Networks), like YouTube or Apple. To solve that you should forward the DNS requests for the CDN to your ISP's DNS. This is quite easy. Just edit the config again via
    sudo nano named.conf.local
    and add the following (a.b.c.d and a.b.c.f are the IP addresses of your ISP's DNS servers; you MUST change them!):
    zone "akamai.net" {
      type forward;
      forward first;
      forwarders {
        a.b.c.d;
        a.b.c.f;
      };
    };
    Save the file and restart bind9 via
    sudo service bind9 restart
    For other CDNs you need to do the same. The reason for this is that Google DNS or OpenDNS do not point you to the nearest server offered by the CDN, but the DNS of your ISP does.
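The domains in steps 19 and 20 usually come from a blocklist you found elsewhere, and step 19 warns that duplicated zone entries break the service. The following Python script is an added example (not part of the original post) that turns such a list into named.conf.blocked lines: it accepts plain and hosts-file formats, normalises and de-duplicates names, and skips malformed entries as well as anything under our own home.lan or the reverse (.arpa) tree. The sample blocklist, the fabrikam.net name and the script name are constructed for this example.

```python
import re
import sys

# Constructed sample blocklist (not from the post): plain lines, hosts-file
# lines, comments, a trailing dot, mixed case and a few junk entries.
SAMPLE_BLOCKLIST = """# constructed sample
0.0.0.0 Ads.Contoso.com
ads.contoso.com.
contoso.com
tracker.fabrikam.net   # inline comment
localhost
bad_name.example
raspberry.home.lan
"""

# One hostname label; a blockable domain is two or more labels joined by dots.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

def parse_blocklist(text):
    """Return a sorted, de-duplicated list of domains from blocklist text.

    Case, trailing dots and hosts-file sinkhole prefixes are normalised away,
    so entries that differ only in form collapse to one zone statement (the
    post warns that duplicated zone entries break the DNS service).
    """
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and padding
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[0] in ("0.0.0.0", "127.0.0.1", "::1"):
            fields = fields[1:]                   # hosts-file style: "0.0.0.0 name"
        name = fields[0].lower().rstrip(".")
        if name == "home.lan" or name.endswith((".home.lan", ".arpa")):
            continue                              # never sinkhole our own zones
        if not _DOMAIN_RE.match(name):
            continue                              # malformed entry: skip it, do not wedge named
        seen.add(name)
    return sorted(seen)

def render_named_conf_blocked(domains, db_file="/etc/bind/db.blocked"):
    """Emit one zone statement per domain in the post's one-line format."""
    return "".join(f'zone "{d}" {{type master; file "{db_file}";}};\n' for d in domains)

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BLOCKLIST
    sys.stdout.write(render_named_conf_blocked(parse_blocklist(src)))
```

Run it as python3 blocklist2bind.py mylist.txt > /etc/bind/named.conf.blocked, then check with named-checkconf and restart bind9 as in step 21.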
