A standalone set of Python + BASH scripts that creates a DNS Response Policy Zone (RPZ) file for ISC's BIND DNS server using various block lists as sources. It works with Shalla and with other sources that deliver block lists either in plain domain form:

```text
host1.example.org
host2.example.org
...
```

or in hosts-file form:

```text
127.0.0.1 host3.example.org
0.0.0.0 host4.example.org
...
```
Note that the DNS server itself must be configured before this script is of any use. You will probably also want additional scripts to automate updates and to check that the zone reloads, together with some form of notification for the case where a zone reload fails.
Clone the repository and move the `dns-bl` folder to a location on your system, e.g. `/opt`. The resulting location is the program's home directory, referred to below as `DNSBL_HOME`.
Initial configuration is performed in two places: the RPZ zone file header and the program's configuration file. All subsequent configuration should be made in the configuration file only.
Edit the zone header file `DNSBL_HOME/var/db/zone_header.db` according to your DNS server configuration. Leave the `*` character in place so that the script can update the serial number.
Open the configuration file `DNSBL_HOME/conf/dns-bl.ini` and edit the `rpz_file` parameter so that it points to the RPZ file location configured on the server, e.g.:

```ini
[global]
rpz_file = /var/named/rpz.db
...
```
For any domain you want excluded from the RPZ, add it on its own line in a text file whose name carries the prefix `whitelist_`, e.g. `whitelist_default`:

```text
host5.example.org
host6.example.org
```

You can leave the `redirect` and `add_subdomains` options unchanged.
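As an added illustration (not the dns-bl project's own code), the following Python sketch shows the core transformation the script performs: parsing both list formats shown above, dropping whitelisted names (here together with their subdomains, an assumption), emitting RPZ `CNAME` records according to the `redirect` and `add_subdomains` settings, and stamping the serial into a zone header whose `*` placeholder marks the serial field. The function names and the sample input are invented for the example.

```python
# Added example, not the dns-bl project's own code: build RPZ records from block
# lists in the two formats the README accepts, drop whitelisted names, and stamp
# the serial into a zone header whose '*' placeholder marks the serial field.
import ipaddress
import re
import time

NAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_list(text):
    """Collect names from 'host' lines or 'IP host' hosts-file lines."""
    names = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments; skip blanks
        if not fields:
            continue
        name = fields[1] if len(fields) > 1 and _is_ip(fields[0]) else fields[0]
        name = name.lower().rstrip(".")
        if NAME_RE.match(name):  # reject malformed and single-label names
            names.add(name)
    return names

def whitelisted(name, whitelist):
    """Excluded if the name or any parent domain is whitelisted (assumption)."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in whitelist for i in range(len(labels) - 1))

def rpz_records(names, whitelist=frozenset(), redirect=None, add_subdomains=True):
    """Owner names are relative to the RPZ origin; 'CNAME .' means NXDOMAIN and
    'CNAME host.' rewrites the answer to a redirect host."""
    target = redirect.rstrip(".") + "." if redirect else "."
    lines = []
    for name in sorted(n for n in names if not whitelisted(n, whitelist)):
        lines.append(f"{name} CNAME {target}")
        if add_subdomains:
            lines.append(f"*.{name} CNAME {target}")
    return lines

def render_zone(header, records, serial=None):
    """Replace the header's first '*' with a YYYYMMDDnn serial (constructed)."""
    serial = serial or time.strftime("%Y%m%d") + "01"
    return header.replace("*", str(serial), 1) + "\n".join(records) + "\n"
```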
Add each source in its own section, following the example found in the `dns-bl.ini` file. The section name must be unique. Example:

```ini
[source/1]
url = https://source1.example.org/lists/lists.tar.gz
file_type = gzip
categories = category1,category2/subcategory1,category3
enabled = yes

[source/2]
url = https://source1.example.org/lists/malware.txt
file_type = text
categories = malware
enabled = yes

[source/3]
url = https://source3.example.org/lists/ads.txt
file_type = text
categories = ads
enabled = yes
```
Listing multiple `categories` is only needed for Shalla, due to the specific structure its lists are delivered in. Each category or subcategory follows the directory layout as extracted in the filesystem, so take a look at this structure before deciding which categories to include. If you need all categories, list each directory and subdirectory in the archive, as in `[source/1]` above.
Run the BASH script as the `root` user:

```sh
# $DNSBL_HOME/bin/run.sh
```

The generated `rpz.db` file will have the same owner and group as its parent directory.