Thinking aloud - perhaps we can extend the plugin API (and RPZ) in a way to add the classification to the message processing, and then the RPZ processing could read the classification and take an action?

But that’s quite a huge chunk of work.

As I said, there was an attempt to rewrite dns64 as a plugin: https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/968/diffs

It is outdated, but it does synthesize DNS messages on the fly, so it might be a good starting point.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

On 19. 3. 2025, at 21:40, Mónika Kiss <kozmamonik...@gmail.com> wrote:


Hello,

Thank you for your response.

I have a domain categorization program written in C that dynamically determines the risk level of a queried domain.
I need to integrate this categorization logic into a BIND 9 plugin that:
  • Calls the categorization function to analyze each incoming DNS query.
  • Modifies the DNS response based on the categorization result:
    • If the domain is categorized as high risk, return a custom IP address (e.g., 192.168.1.100) instead of resolving the query. 
    • Otherwise, allow the query to proceed to the upstream DNS resolver as usual.

I think I can't do this with the RPZ.

Best regards,
Monika

On Wed, Mar 19, 2025 at 4:19 PM Michael De Roover <i...@nixmagic.com> wrote:

On Wednesday, March 19, 2025 3:01:48 PM CET Bob McDonald wrote:

> Maybe I'm not understanding all the nuances of the stated goal but doesn't
> RPZ handle this?

Was my first thought as well, works fine for me.

In named.conf:

options {
    // RPZ zone
    // Source: https://deteque.com/m3aawg-bind-training/named.conf
    response-policy {
        zone "rpz.local";
    };
};

// Response Policy Zone
zone "rpz.local" {
    type primary;
    file "/path/to/rpz.local.db";
};


----


In rpz.local.db:

$TTL 300

@       IN      SOA     localhost. admin.localhost. (
                        1       ; Serial number
                        60      ; Refresh every minute
                        60      ; Retry every minute
                        43200   ; Expire in 12 hours
                        60 )    ; Negative cache TTL 1 minute
        IN      NS      LOCALHOST.

; Examples
example.net                     IN      CNAME   localhost.


----


Note that the public domain name records to be redirected via RPZ cannot have a trailing dot.


--
Kind regards,
Michael De Roover

Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
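The RPZ route Bob and Michael point at can cover Mónika's high-risk case without a plugin, because an RPZ "Local Data" entry lets the zone answer a name with an A record directly. The script below is an added example, not code from the thread or from BIND: it turns a categorizer's verdicts into an rpz.local zone body, answering high-risk names (and their subdomains, via a wildcard owner) with the 192.168.1.100 address from the thread, marking explicitly allow-listed names with rpz-passthru., and leaving everything else to resolve normally. The risk labels "high" and "allow", the wildcard entry and the allow-list action are assumptions layered on the thread's config.

```python
"""Build a BIND RPZ zone from domain risk verdicts (added example, constructed)."""
import ipaddress
import re

# Address from the thread; assumption: an IPv4 sinkhole you control.
SINK_IP = "192.168.1.100"

# Owner names in an RPZ zone are relative to the zone apex, so the public
# name must be written WITHOUT a trailing dot (the caveat from the thread).
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_owner(domain):
    """Lower-case the name, strip the trailing dot and reject malformed input."""
    name = domain.strip().lower().rstrip(".")
    if not name or len(name) > 253 or not all(_LABEL.match(lab) for lab in name.split(".")):
        raise ValueError(f"invalid domain name: {domain!r}")
    return name


def rpz_records(classifications, sink_ip=SINK_IP):
    """Map (domain, risk) pairs to (owner, rrtype, rdata) RPZ records.

    "high"  -> Local Data: answer the name and its subdomains with sink_ip
    "allow" -> PASSTHRU: explicit allow-list, never rewritten
    other   -> no record, so named resolves the query normally
    (the label names are assumptions, not a BIND convention)
    """
    ipaddress.IPv4Address(sink_ip)  # fail early on a bad sinkhole address
    records = []
    for domain, risk in classifications:
        owner = normalize_owner(domain)
        if risk == "high":
            records.append((owner, "A", sink_ip))
            records.append(("*." + owner, "A", sink_ip))  # wildcard catches subdomains
        elif risk == "allow":
            records.append((owner, "CNAME", "rpz-passthru."))
    return records


def build_rpz_zone(classifications, serial, sink_ip=SINK_IP):
    """Render a full rpz.local zone body with the SOA/NS shape used in the thread."""
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. admin.localhost. ({serial} 60 60 43200 60)",
        "  IN NS localhost.",
    ]
    for owner, rrtype, rdata in rpz_records(classifications, sink_ip):
        lines.append(f"{owner:<40} IN {rrtype:<6} {rdata}")
    return "\n".join(lines) + "\n"
```

Regenerate the file with a higher serial whenever the categorizer's verdicts change, then `rndc reload rpz.local` so named picks up the new policy.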