Penn SafeDNS
Perl Shell Erlang
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.



Penn SafeDNS 


SafeDNS is a blackhole DNS service. It protects subscribed computers from 
malicious domains by responding with its own IP address when it receives
DNS requests for those domains. It is configured to forward any other DNS 
request to a recursive resolver. Thus, this service augments existing DNS
services rather than replacing them.  


o It uses ISC BIND Dynamically-Loadable Zones with MySQL to serve a large 
number of domains (e.g. 300,000) without noticeable downtime. 
o It logs very little, in order to minimize privacy concerns - essentially,
logging indicates only *that* a particular client is using the service, not
anything about the queries it makes.
o It includes Apache, which is configured to respond to all requests with
a landing page explaining that a malicious domain has been blocked.
o It includes sanity checking of malicious domain lists, as well as 
customizable whitelists and blacklists.
o It includes details necessary to configure both a primary and secondary
server, with instructions for doing failover during maintenance windows.


Start with the INSTALL file, which contains high-level instructions. At
the appropriate point, it will refer to the INSTALL.BIND file, which contains
detailed instructions for configuring BIND and the malicious domain updates.

For gory details of the original installation of the service see 
docs/install-notes.txt. While some details of this distribution have changed 
since that installation, it does show some of the commands that could be 
used to carry out the instructions in the INSTALL file.

Reports of any errors would be appreciated, as would constructive suggestions 
and contributions.

UNIX-like systems:

Some elements of this release are specific to Ubuntu (10.04 LTS), but 
the intention is to allow for use on arbitrary UNIX-like systems. Pathnames,
network configuration, and startup configuration are the most OS-specific, but
the BIND configuration, scripts, and documentation should be relatively

Ubuntu 12.02

A member of the user community kindly reported that if you wish to install BIND 
from a Debian package (as opposed to building the current ISC BIND version from 
source) do the following instead of steps 1 and 2 in INSTALL.BIND:

 1. Do 'apt-get source bind9', 
 2. Add the DLZ options to 'bind9-9.8.1.dfsg.P1/debian/rules'
 3. Remove the #ifdef and #endif lines from 
 4. Compile packages with 'dpkg-buildpackage -rfakeroot -b' 

Red Hat Enterprise Linux 6 (RHEL6):

A member of the user community kindly reported that if you install the 
bind-sbd package from the optional channel, you can use the BIND 
distribution that ships with the OS - no compilation of BIND is 

However, if used with MySQL, BIND will have to be run single-threaded.
In /etc/init.d/named, add '-n 1' to the named invocation to avoid a crash 
when more than one request is received at a time, e.g.

	daemon --pidfile "$ROOTDIR/$PIDFILE" /usr/sbin/"$named" -u named \
		-n 1 ${OPTIONS};


Many thanks to drmoocow on for describing how to configure 
BIND to use DLZ with MySQL (

Thanks also to Hannes Schmidt for describing how to fix the BIND error:
"Required token $zone$ not found." 

Melissa Muth
University of Pennsylvania