-
Notifications
You must be signed in to change notification settings - Fork 2
mrmuth/SafeDNS
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
SafeDNS
=======
Penn SafeDNS
Description
===========
SafeDNS is a blackhole DNS service. It protects subscribed computers from
malicious domains by responding with its own IP address when it receives
DNS requests for those domains. It is configured to forward any other DNS
request to a recursive resolver. Thus, this service augments existing DNS
services rather than replacing them.
Features
========
o It uses ISC BIND Dynamically-Loadable Zones with MySQL to serve a large
number of domains (e.g. 300,000) without noticeable downtime.
o It logs very little, in order to minimize privacy concerns - essentially,
logging indicates only *that* a particular client is using the service, not
anything about the queries it makes.
o It includes Apache, which is configured to respond to all requests with
a landing page explaining that a malicious domain has been blocked.
o It includes sanity checking of malicious domain lists, as well as
customizable whitelists and blacklists.
o It includes details necessary to configure both a primary and secondary
server, with instructions for doing failover during maintenance windows.
Installation
============
Start with the INSTALL file, which contains high-level instructions. At
the appropriate point, it will refer to the INSTALL.BIND file, which contains
detailed instructions for configuring BIND and the malicious domain updates.
For gory details of the original installation of the service see
docs/install-notes.txt. While some details of this distribution have changed
since that installation, it does show some of the commands that could be
used to carry out the instructions in the INSTALL file.
Reports of any errors would be appreciated, as would constructive suggestions
and contributions.
UNIX-like systems:
Some elements of this release are specific to Ubuntu (10.04 LTS), but
the intention is to allow for use on arbitrary UNIX-like systems. Pathnames,
network configuration, and startup configuration are the most OS-specific, but
the BIND configuration, scripts, and documentation should be relatively
OS-independent.
Ubuntu 12.02
A member of the user community kindly reported that if you wish to install BIND
from a Debian package (as opposed to building the current ISC BIND version from
source) do the following instead of steps 1 and 2 in INSTALL.BIND:
1. Do 'apt-get source bind9',
2. Add the DLZ options to 'bind9-9.8.1.dfsg.P1/debian/rules'
3. Remove the #ifdef and #endif lines from
bind9-9.8.1.dfsg.P1/contrib/dlz/drivers/sdlz_helper.c
q.v. http://www.mail-archive.com/bind-users@lists.isc.org/msg11047.html
4. Compile packages with 'dpkg-buildpackage -rfakeroot -b'
Red Hat Enterprise Linux 6 (RHEL6):
A member of the user community kindly reported that if you install the
bind-sbd package from the optional channel, you can use the BIND
distribution that ships with the OS - no compilation of BIND is
needed.
However, if used with MySQL, BIND will have to be run single-threaded.
In /etc/init.d/named, add '-n 1' to the named invocation to avoid a crash
when more than one request is received at a time, e.g.
daemon --pidfile "$ROOTDIR/$PIDFILE" /usr/sbin/"$named" -u named \
-n 1 ${OPTIONS};
Acknowledgements
================
Many thanks to drmoocow on ubuntuforums.org for describing how to configure
BIND to use DLZ with MySQL (http://ubuntuforums.org/showthread.php?t=823578).
Thanks also to Hannes Schmidt for describing how to fix the BIND error:
"Required token $zone$ not found."
(http://diaryproducts.net/about/operating_systems/unix/installing_bind9_with_dlz_and_mysql_backend_on_ubuntu_jaunty_9_04)
Melissa Muth
University of Pennsylvania
muthm@isc.upenn.edu
About
Penn SafeDNS
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published