Monday, October 3, 2022

Setup a DNS blocking environment on Raspberry Pi

If you wish to implement a own DNS blacklist (e.g. because you wish to import one from the lists you found), then this could be build for some users (not a big company) based on an Raspberry PI. Setting them up required only 15 minutes.

In that example I expect that your LAN is 192.168.1.* and the DNS substing herefore will be home.lan. If the LAN didn´t fit or if you wish to use another IP or substring you need to modifize the entrys in that example.

  1. At first assign your Raspberry PI a fixed IP via your DHCP server. Otherwiese it might be that the DHCP assign your DNS server a different IP later one and then your new DNS Server will no longer work, which will cause issues and a fully reconfiguration. In this example the Raspberry PI will get the fixed IP 192.168.1.30. If you pick a different adress you need to adjust the example here to fit your needs.
  2.  login into your Raspberry PI (e.g. as user PI or similar)
  3. Now edit the hostfile via
    sudo nano /etc/hosts

    and add the following line (if not already present) 192.168.1.30 raspberry.home.lan raspberryMake sure that you change the IPs, so that they fit your needs! It should be the device and IP from your Raspberry.

  4. run the following command:
    sudo apt-get update
  5. now install bind9 via:
    sudo apt-get install bind9

    Do not miss the “9” here, otherwise you install an older bind!

  6. If you haven´t installed an editor you need to install one for example nano via:
    sudo apt-get install nano
  7. We should now stop bind9 (if running) via:
    sudo service bind9 stop
  8. now change to the bind folder via
    cd /etc/bind
  9. now edit nano db.home.lan via:
    sudo nano db.home.lan

    and copy and past the following into this file

  10. ; BIND data file for local loopback interface
        ; Host-to-IP Address DNS Pointers for home.lan
        ;
        ; Note:
        ; Use semicolons to add comments.
        ; The extra "." at the end of the domain names are important.
        ;
        ; The following parameters set when DNS records will expire, etc.
        ;
        ; Importantly, the serial number must always be iterated upward to prevent
        ; undesirable consequences. A good format to use is YYYYMMDDII where
        ; the II index is in case you make more that one change in the same day.
    
    $TTL    604800
    
    home.lan. IN SOA raspberry.home.lan. hostmaster.home.lan. (
            2013120101 ; serial
            8H ; refresh
            4H ; retry
            4W ; expire
            1D ; minimum / Negative Cache TTL
     )
    
    ; NS indicates that raspberry is the name server on home.lan
    home.lan. IN NS raspberry.home.lan.
    
    ; MX indicates that raspberry is (also) the mail server on home.lan (uncomment if you need that)
    ;home.lan. IN MX 10 raspberry.home.lan.
    
    home.lan. IN A 192.168.1.30
    ;@ IN A 127.0.0.1
    ;@ IN AAAA ::1
    
    ; Set the address for localhost.home.lan
    localhost IN A 127.0.0.1
    
    ; Set the hostnames in alphabetical order
    raspberry IN A 192.168.1.30
    router IN A 192.168.1.1

    Make sure you do not have spaces before the hostnames! Otherwiese you might get the error message “no current owner name” later one.Also make sure that you change the IPs, so that they fit your needs! Save and close the file.

  11. The next step would be to create a reverse DNS zone file via:
    sudo nano db.rev.1.168.192.in-addr.arpa

    Make sure that you change the IP in the string above, so that they fit your needs!

  12. Past the following into the file:
    ; BIND reverse data file for local loopback interface
    ;
    ; IP Address-to-Host DNS Pointers for the 192.168.1 subnet
    ;
        ; Note:
        ; Use semicolons to add comments.
        ; The extra "." at the end of the domain names are important.
        ;
        ; The following parameters set when DNS records will expire, etc.
        ;
        ; Importantly, the serial number must always be iterated upward to prevent
        ; undesirable consequences. A good format to use is YYYYMMDDII where
        ; the II index is in case you make more that one change in the same day.
    ;
    $TTL    604800
    @ IN SOA raspberry.home.lan. hostmaster.home.lan. (
            2013120101 ; serial
            8H ; refresh
            4H ; retry
            4W ; expire
            1D ; minimum
    )
    ;
    ; define the authoritative name server
              IN NS raspberry.
    ; our hosts, in numeric order
    1         IN PTR router.home.lan.
    30        IN PTR raspberry.home.lan.
  13. now we need to edit the config via
    sudo nano named.conf.options

    and remove the coments in the forwarder section, so that it will look like the following (do not change other parts in the file)

    forwarders {
        8.8.8.8;
        8.8.4.4;
        2001:4860:4860::8888;
        2001:4860:4860::8844;
        };

    This is the IP adress which will be used by our DNS server we just installed if he do not know the IP adress for the given DNS entry. The IP adress above is the one from Google DNS, the first two are ipv4 adressed the other one are the ipv6 adresses. You can also use the one you already got from your ISP or can use openDNS, thats up to you.

  14. now we need to add the home.lan zone to our DNS config via:
    sudo nano named.conf.local

    and copy the following at the end from the file

  15. # Our forward zone
    zone "home.lan" IN {
            type master;
            file "/etc/bind/db.home.lan";
        };
    
    # Our reverse Zone 
    # Server IP 192.168.1.30
        zone "1.168.192.in-addr.arpa" {
            type master;
            file "/etc/bind/db.rev.1.168.192.in-addr.arpa";
        };

    Change the IPs here so that it fits your environment!

  16. If everything is correctly we could start bind9 via:
    sudo service bind9 start

    If you see an ok similar like OK then you can go over to the next steps.

    pi@raspberrypi /etc/bind $ sudo service bind9 start
    [ ok ] Starting domain name service...: bind9.
    
  17. Before we now start adding our Domains which we will block we need to check our configuration. We will then check the forward zone via:
    named-checkzone home.lan /etc/bind/db.home.lan

    If that works and you got an similar output as below:

    zone home.lan/IN: loaded serial 2013120101
    OK
    

    we can now check the reverse zone via:

    named-checkzone home.lan /etc/bind/db.rev.1.168.192.in-addr.arpa

    If we added our new DNS server to our windows pc we could also try to ping the device by its new dns name via:

    ping raspberry.home.lan

    If you do not get an error here we can go over to the domain block part.

  18. now we need to
    sudo nano named.conf

    and must include the following line:

    include "/etc/bind/named.conf.blocked";

    save and close the file.

  19. Now we can add the domains we wish to block. To do that we edit the file mentioned above via:
    sudo nano named.conf.blocked

    here is an example you could use:

    zone "contoso.com" {type master; file "/etc/bind/db.blocked";};

    Please note that if you have duplicated entry´s here, this will cause issues with your DNS service!

  20. Now we need to build another bind file which is used by the blocked domains above via
    sudo nano db.blocked

    copy and past the following into the file

    ; BIND db file for ad servers - point all addresses to localhost
    $TTL    86400   ; one day
    @       IN      SOA     raspberry.home.lan. hostmaster.home.lan. (
                                2013120901       ; serial number YYMMDDNN
                                28800   ; refresh  8 hours
                                7200    ; retry    2 hours
                                864000  ; expire  10 days
                                86400 ) ; min ttl  1 day
      NS raspberry.home.lan.
      A 127.0.0.1
    * IN      A       127.0.0.1

    Save and close the file.

  21. Now restart your bind9 via:
    sudo service bind9 restart
  22. If you do not get an error message here, then you could do an final test via:
    named-checkzone contoso.com /etc/bind/db.blocked

    That should output something like:

    zone contoso.com/IN: loaded serial 2013120901
    OK
    

    If you now ping contoso.com from your windows pc via

    ping contoso.com

    it should response with an 127.0.0.1 IP address.

  23. You can reconfigure your local LAN now to use the IP adress from your raspberry
  24. Note that, if you use google DNS or OpenDNS you might get a bad performance on websites (and software which interact with the web e.g. a Videostreaming software or a software which handle downloads like iTunes with MP3s) which use CDN (Content Delivery Networks) like Youtube or Apple. To solve that you should forward the DNS requests for the CDN to your ISPs DNS. This can be done quite easy. Just edit the config again via
    sudo nano named.conf.loca

    and add the following (A.B.C.D is the IP adress from your ISP you MUST change that!)

    zone "akamai.net" {
      type forward;
      forward first;
      forwarders {
        a.b.c.d;
        a.b.c.f;
      };
    };

    save the file and restart bind9 via

    sudo service bind9 restart

    for other CDN you need to do the same. The reason for this is, that google DNS or OpenDNS do not point to the nearest server which is offered by the CDN for you. But the DNS from your ISP does it.

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Stay Connected

24FollowersFollow
- Advertisement -

Latest Articles