Using bind and ad blocking

2016-01-23 Thread Olliver Schinagl

Hi list,

recently I updated to bind-9.10 and noticed that an illegal setup was 
finally disallowed. Good things, but I (and others I'm sure) kind of 
misused this ability. With the change however, I am now looking for 
help on restoring similar behavior. Let me explain.


As we all know, ads are everywhere and can be quite troublesome. Because 
of this I block many known adservers internally via bind. To obtain this 
list of adservers, I use http://pgl.yoyo.org/adservers/ which generates 
a file with the following syntax:

zone "example.com" { type master; notify no; file "pri/null.zone"; };

The Null zone looks as follows:

; BIND db file for ad servers - point all addresses to an invalid IP
$TTL 864000  ; ten days

@   IN  SOA ns0.example.net. hostmaster.example.net. (
            2008032800 ; serial number YYMMDDNN
            288000     ; refresh  80 hours
            72000      ; retry    20 hours
            864        ; expire  100 days
            864000 )   ; min ttl  10 day
        NS  ns0.example.net.

        A   0.0.0.0

*   IN  A   0.0.0.0

Obviously with this and the many (generated) zones having 1 dummy zone 
sounds reasonable logically.


These adservers are included in my 'internal' view as such:

view "internal" {
    match-clients { internal; trusted; };
    recursion yes;

    include "/etc/bind/dlz_internal.conf";

#   include "/etc/bind/adservers.conf";
};

Adservers.conf being commented here as bind now fails on this.

My question is, what is a good method to do this with the latest bind. I 
tried to find some way to disable updates or mark the view/include as 
'read-only' but have not found this out as of yet.


Any tips and tricks appreciated!

Olliver
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Using bind and ad blocking

2016-01-23 Thread Mark Andrews

In message <56a3e6c7.5020...@schinagl.nl>, Olliver Schinagl writes:
> Hi list,
> 
> recently I updated to bind-9.10 and noticed that an illegal setup was 
> finally disallowed. Good things, but I (and others I'm sure) kind of 
> misused this ability. With the change however, I am now looking for 
> help on restoring similar behavior. Let me explain.
> 
> As we all know, ads are everywhere and can be quite troublesome. Because 
> of this I block many known adservers internally via bind. To obtain this 
> list of adservers, I use http://pgl.yoyo.org/adservers/ which generates 
> a file with the following syntax:
>
> zone "example.com" { type master; notify no; file "pri/null.zone"; };
>
> The Null zone looks as follows:
>
> ; BIND db file for ad servers - point all addresses to an invalid IP
> $TTL 864000  ; ten days
> 
> @   IN  SOA ns0.example.net. hostmaster.example.net. (
>             2008032800 ; serial number YYMMDDNN
>             288000     ; refresh  80 hours
>             72000      ; retry    20 hours
>             864        ; expire  100 days
>             864000 )   ; min ttl  10 day
>         NS  ns0.example.net.
> 
>         A   0.0.0.0
> 
> *   IN  A   0.0.0.0
> 
> Obviously with this and the many (generated) zones having 1 dummy zone 
> sounds reasonable logically.
> 
> These adservers are included in my 'internal' view as such:
> 
> view "internal" {
>  match-clients { internal; trusted; };
>  recursion yes;
> 
>  include "/etc/bind/dlz_internal.conf";
> 
> #   include "/etc/bind/adservers.conf";
> };
> 
> Adservers.conf being commented here as bind now fails on this.
> 
> My question is, what is a good method to do this with the latest bind. I 
> tried to find some way to disable updates or mark the view/include as 
> 'read-only' but have not found this out as of yet.
> 
> Any tips and tricks appreciated!
> 
> Olliver

Presumably you have a zone which has pri/null.zone as a slave,
or you have a global/view level dynamic updating of all master zones
turned on, as just sharing a read-only master zone is still permitted.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
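
Added example, not part of Mark's reply or of the original thread: a small Python check that applies the condition described above to a named.conf text, reporting zone files that several zones share while at least one of them is a slave or accepts dynamic updates. The function names and the sample configuration are constructed for illustration; the check does not follow include directives and assumes that an allow-update found outside any zone block is inherited by every zone.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): two generated ad-server zones share
# pri/null.zone, and a view-level allow-update makes every master zone dynamic.
SAMPLE_CONF = '''
view "internal" {
    allow-update { key "ddns"; };
    zone "ads.example.com" { type master; notify no; file "pri/null.zone"; };
    zone "track.example.org" { type master; notify no; file "pri/null.zone"; };
    zone "home.example.net" { type master; file "pri/home.zone"; };
};
'''

# A zone statement whose body may hold one level of nested braces.
ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"\s*(?:\w+\s*)?\{((?:[^{}]|\{[^{}]*\})*)\}')
UPDATE_RE = re.compile(r'\b(?:allow-update|update-policy)\s*(?:\{([^{}]*)\}|local\b)')


def allows_update(text):
    """True if text grants dynamic updates to anything other than 'none'."""
    for m in UPDATE_RE.finditer(text):
        acl = m.group(1)
        if acl is None or acl.strip().rstrip(';').strip() != 'none':
            return True
    return False


def shared_writable_files(conf):
    """Map each zone file used by several zones to the zones that can write it."""
    conf = re.sub(r'/\*.*?\*/|(?:#|//)[^\n]*', '', conf, flags=re.S)
    # Simplification: an allow-update outside any zone block applies to all zones.
    inherited = allows_update(ZONE_RE.sub('', conf))
    by_file = defaultdict(list)
    for name, body in ZONE_RE.findall(conf):
        f = re.search(r'\bfile\s+"([^"]+)"', body)
        t = re.search(r'\btype\s+(\w+)', body)
        if not (f and t):
            continue
        # A zone-level setting overrides whatever is inherited.
        dynamic = allows_update(body) if UPDATE_RE.search(body) else inherited
        kind = t.group(1)
        writable = kind == 'slave' or (kind == 'master' and dynamic)
        by_file[f.group(1)].append((name, writable))
    return {path: sorted(n for n, w in zones if w)
            for path, zones in by_file.items()
            if len(zones) > 1 and any(w for _, w in zones)}

print(shared_writable_files(SAMPLE_CONF))
```

An empty result means every shared file is used only by read-only master zones, the case the reply says is still permitted.
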