Michael, you can hardly create a static list from all of the domains that can possibly exist.

I do understand the usefulness of dynamic classification. There's just not a straightforward interface for it now. Somebody will have to invest in writing this :shrug:

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 19. 3. 2025, at 21:51, Michael De Roover <i...@nixmagic.com> wrote:
>
> On Wednesday, March 19, 2025 3:40:28 PM CET Mónika Kiss wrote:
>> Hello,
>>
>> Thank you for your response.
>>
>> I have a domain categorization program written in C that dynamically
>> determines the risk level of a queried domain.
>> I need to integrate this categorization logic into a BIND 9 plugin that:
>>
>> - Calls the categorization function to analyze each incoming DNS query.
>> - Modifies the DNS response based on the categorization result:
>>   - If the domain is categorized as high risk, return a custom IP
>>     address (e.g., 192.168.1.100) instead of resolving the query.
>>   - Otherwise, allow the query to proceed to the upstream DNS resolver
>>     as usual.
>>
>> I think I can't do this with the RPZ.
>>
>> Best regards,
>> Monika
>
> Hi Monika,
>
> If it's output from a program, you'll probably want the zone to dynamically
> respond to updates, yes... There are two ways I could think of going about
> this.
>
> The first one is using static zone files, and having your program build zone
> files as needed, then pushing them into the server and restarting BIND. This
> is how I do it for my zones, albeit not very real-time at all. I guess it could
> work if the updates are done only a few times a day.
>
> The second one is to use RPZ alongside dynamic DNS updates. I haven't done
> that in my networks; you'll have to look that up or ask someone else. But with
> that, I could imagine that it would allow your program to very quickly push
> new records based on its findings.
>
> That said though, where is this program running? For DNS monitoring, a good
> vantage point would be the DNS server itself running tcpdump and/or Wireshark
> on port 53 (both TCP and UDP). Meanwhile for traffic in general, the gateway
> or a forward proxy server may be able to give better results (but encrypted
> traffic would be a pain to deal with).
>
> --
> Kind regards,
> Michael De Roover
>
> Mail: i...@nixmagic.com
> Web: michael.de.roover.eu.org
>
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
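As an added example (not code from this thread, and not ISC's or BIND's own tooling), here is a small Python tool that turns the output of a categorisation program into both forms Michael describes: a static RPZ zone file for the regenerate-and-reload route, and an nsupdate batch for the dynamic-update route. The zone name rpz.example., the server address 127.0.0.1, the name-server name and the sample findings are constructed placeholders; 192.168.1.100 is the walled-garden address from Monika's message. Names are validated before they are written into the policy zone, and the dynamic batch also clears rules for domains whose rating has dropped below high, so the RPZ does not keep sinkholing a domain after the categoriser changes its mind.

```python
"""Turn a domain-categorisation feed into BIND RPZ data, two ways:
a static zone file (regenerate + reload) and an nsupdate batch (dynamic update).
Added example; zone, server and sample names are constructed placeholders."""
import re
from typing import Iterable, Iterator, Tuple

# Strict hostname syntax: lowercase labels of 1-63 chars, at least two labels.
# Anything else is refused rather than written into the policy zone.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)

Finding = Tuple[str, str]  # (domain, risk) as produced by the categoriser


def normalize_domain(name: str) -> str:
    """Lowercase, strip the trailing dot, and reject malformed names."""
    n = name.strip().lower().rstrip(".")
    if not HOSTNAME_RE.match(n):
        raise ValueError(f"refusing to emit an RPZ rule for malformed name {name!r}")
    return n


def rpz_rules(findings: Iterable[Finding], sink_ip: str) -> Iterator[Tuple[str, str]]:
    """Yield (owner, address) for every high-risk domain.
    The wildcard owner makes the rule cover subdomains as well."""
    for name, risk in findings:
        if risk == "high":
            n = normalize_domain(name)
            yield n, sink_ip
            yield "*." + n, sink_ip


def build_zone_file(findings, sink_ip, zone="rpz.example.", serial=1, ns="localhost.") -> str:
    """Static route: a complete RPZ zone to write to disk and load into named."""
    lines = [
        f"$ORIGIN {zone}",
        "$TTL 60",
        f"@ IN SOA {ns} hostmaster.{zone} {serial} 3600 600 86400 60",
        f"@ IN NS {ns}",
    ]
    # Owners are relative to $ORIGIN, so 'bad.example.com' becomes
    # bad.example.com.rpz.example., which is the form RPZ expects.
    lines.extend(f"{owner} IN A {ip}" for owner, ip in rpz_rules(findings, sink_ip))
    return "\n".join(lines) + "\n"


def build_nsupdate_batch(findings, sink_ip, zone="rpz.example.", server="127.0.0.1", ttl=60) -> str:
    """Dynamic route: an nsupdate script that installs rules for high-risk domains
    and clears any earlier rule for domains now rated below high."""
    lines = [f"server {server}", f"zone {zone}"]
    for owner, ip in rpz_rules(findings, sink_ip):
        lines.append(f"update delete {owner}.{zone} A")  # makes the re-add idempotent
        lines.append(f"update add {owner}.{zone} {ttl} A {ip}")
    for name, risk in findings:
        if risk != "high":
            n = normalize_domain(name)
            lines.append(f"update delete {n}.{zone} A")
            lines.append(f"update delete *.{n}.{zone} A")
    lines.append("send")
    return "\n".join(lines) + "\n"


# Constructed sample output of the categoriser; 192.168.1.100 is the
# walled-garden address from the thread.
SAMPLE_FINDINGS = [
    ("Bad.Example.COM.", "high"),
    ("cdn.example.net", "low"),
    ("phish.example.org", "high"),
]
SINK_IP = "192.168.1.100"

if __name__ == "__main__":
    print(build_zone_file(SAMPLE_FINDINGS, SINK_IP))
    print(build_nsupdate_batch(SAMPLE_FINDINGS, SINK_IP))
```

For either route the zone has to be declared as a policy zone in named.conf (`response-policy { zone "rpz.example"; };`), and for the dynamic route the zone needs an `update-policy` bound to a TSIG key so that only the host running the categoriser can push rules; the batch is then piped into `nsupdate -k <keyfile>`. The wildcard owner is what makes a rule for `bad.example.com` also catch `www.bad.example.com`, which a plain exact-match rule would not.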