If you wish to run your own DNS blacklist (for example because you want to import one of the block lists you found), you can build one for a handful of users (not a large company) on a Raspberry Pi. Setting it up takes about 15 minutes.
In this example I assume that your LAN is 192.168.1.* and that the DNS zone for it will be home.lan. If your LAN is different, or if you want to use another IP or zone name, you need to adjust the entries in this example accordingly.
- First assign your Raspberry Pi a fixed IP via your DHCP server. Otherwise DHCP may hand your DNS server a different address later on, your new DNS server will stop working, and you will have to reconfigure everything. In this example the Raspberry Pi gets the fixed IP 192.168.1.30. If you pick a different address, adjust the example to fit your needs.
- Log in to your Raspberry Pi (e.g. as user pi or similar).
- Now edit the hostfile via
sudo nano /etc/hosts
and add the following line (if not already present):
192.168.1.30 raspberry.home.lan raspberry
Make sure that you change the IP and the hostname so that they fit your needs! It should be the name and IP of your Raspberry Pi.
- run the following command:
sudo apt-get update
- now install bind9 via:
sudo apt-get install bind9
Do not miss the "9" here: the package you want is bind9.
- If you have not installed an editor yet, you need to install one, for example nano via:
sudo apt-get install nano
- We should now stop bind9 (if running) via:
sudo service bind9 stop
- now change to the bind folder via
cd /etc/bind
- now create the forward zone file db.home.lan via:
sudo nano db.home.lan
and copy and paste the following into this file:
; BIND data file for the home.lan zone
; Host-to-IP Address DNS Pointers for home.lan
;
; Note:
; Use semicolons to add comments.
; The extra "." at the end of the domain names is important.
;
; The following parameters set when DNS records will expire, etc.
;
; Importantly, the serial number must always be incremented to prevent
; undesirable consequences. A good format to use is YYYYMMDDII where
; the II index is in case you make more than one change in the same day.
$TTL    604800
home.lan.   IN  SOA raspberry.home.lan. hostmaster.home.lan. (
                2013120101  ; serial
                8H          ; refresh
                4H          ; retry
                4W          ; expire
                1D )        ; minimum / Negative Cache TTL
; NS indicates that raspberry is the name server on home.lan
home.lan.   IN  NS  raspberry.home.lan.
; MX indicates that raspberry is (also) the mail server on home.lan (uncomment if you need that)
;home.lan.  IN  MX  10 raspberry.home.lan.
home.lan.   IN  A   192.168.1.30
;@          IN  A   127.0.0.1
;@          IN  AAAA ::1
; Set the address for localhost.home.lan
localhost   IN  A   127.0.0.1
; Set the hostnames in alphabetical order
raspberry   IN  A   192.168.1.30
router      IN  A   192.168.1.1
Make sure you do not have spaces before the hostnames! Otherwise you will get the error message "no current owner name" later on. Also make sure that you change the IPs so that they fit your needs! Save and close the file.
- The next step is to create the reverse DNS zone file via:
sudo nano db.rev.1.168.192.in-addr.arpa
Make sure that you change the IP in the file name above so that it fits your needs (the octets appear in reverse order)!
- Paste the following into the file:
; BIND reverse data file for the 192.168.1 subnet
;
; IP Address-to-Host DNS Pointers for the 192.168.1 subnet
;
; Note:
; Use semicolons to add comments.
; The extra "." at the end of the domain names is important.
;
; The following parameters set when DNS records will expire, etc.
;
; Importantly, the serial number must always be incremented to prevent
; undesirable consequences. A good format to use is YYYYMMDDII where
; the II index is in case you make more than one change in the same day.
;
$TTL    604800
@       IN  SOA raspberry.home.lan. hostmaster.home.lan. (
                2013120101  ; serial
                8H          ; refresh
                4H          ; retry
                4W          ; expire
                1D )        ; minimum
;
; define the authoritative name server
        IN  NS  raspberry.home.lan.
; our hosts, in numeric order
1       IN  PTR router.home.lan.
30      IN  PTR raspberry.home.lan.
Note that the NS target must be the fully qualified name with the trailing dot, raspberry.home.lan.; a bare "raspberry." would name a non-existent top-level domain, and the PTR targets need the trailing dot for the same reason. Save and close the file.
- now we need to edit the options via:
sudo nano named.conf.options
and remove the comments in the forwarders section so that it looks like the following (do not change other parts of the file):
forwarders {
    8.8.8.8;
    8.8.4.4;
    2001:4860:4860::8888;
    2001:4860:4860::8844;
};
These are the addresses our freshly installed DNS server will ask whenever it does not know the answer for a name itself. The addresses above belong to Google Public DNS; the first two are the IPv4 addresses, the other two the IPv6 addresses. You can also use the resolvers you got from your ISP, or OpenDNS; that is up to you.
- now we need to add the home.lan zones to our DNS config via:
sudo nano named.conf.local
and copy the following to the end of the file:
# Our forward zone
zone "home.lan" IN {
    type master;
    file "/etc/bind/db.home.lan";
};
# Our reverse zone
# Server IP 192.168.1.30
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.rev.1.168.192.in-addr.arpa";
};
Change the reverse zone name and the file names here so that they fit your environment!
- If everything is correct we can start bind9 via:
sudo service bind9 start
If you see an [ ok ] like the one below, you can go on to the next steps.
pi@raspberrypi /etc/bind $ sudo service bind9 start [ ok ] Starting domain name service...: bind9.
- Before we start adding the domains we want to block, we need to check our configuration. First we check the forward zone via:
named-checkzone home.lan /etc/bind/db.home.lan
If that works you get output similar to the following:
zone home.lan/IN: loaded serial 2013120101 OK
We can then check the reverse zone; note that the first argument is the zone name, which for the reverse zone is 1.168.192.in-addr.arpa, not home.lan:
named-checkzone 1.168.192.in-addr.arpa /etc/bind/db.rev.1.168.192.in-addr.arpa
which should report
zone 1.168.192.in-addr.arpa/IN: loaded serial 2013120101 OK
If we have already added our new DNS server to a Windows PC, we can also try to ping the device by its new DNS name via:
ping raspberry.home.lan
(If the PC does not use the Raspberry Pi as its resolver yet, nslookup raspberry.home.lan 192.168.1.30 asks the Pi directly.) If you do not get an error here, we can move on to the domain blocking part.
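The steps above are easy to get subtly wrong (a missing trailing dot, a wrong zone name, IP octets in the wrong order for in-addr.arpa). The following script is an added example, not part of the original tutorial: it generates the forward zone, the reverse zone, the named.conf.local fragment and a named.conf.options for one LAN from a few variables and runs named-checkzone over the result when the bind9 tools are installed. It assumes the zone home.lan, the LAN 192.168.1.0/24, the Pi ("raspberry") at .30 and the router at .1; the output directory is given as the first argument so that nothing is written into /etc/bind until you have reviewed it. The generated options file also restricts recursion to the Pi and its own subnets (allow-recursion), which the tutorial does not mention; it keeps the box from being usable as an open resolver should it ever become reachable from outside.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: generate the zone files
# and named.conf fragments from the walkthrough for one LAN, then validate
# them with named-checkzone when the bind9 tools are installed.
# Assumptions (all adjustable): zone home.lan, LAN 192.168.1.0/24, the Pi
# ("raspberry") at .30, the router at .1, files written under the directory
# given as $1 (never straight into /etc/bind).
set -eu

ZONE=home.lan        # DNS zone name used for the LAN
NET=192.168.1        # first three octets of the /24 LAN
PI_HOST=raspberry    # hostname of the Raspberry Pi
PI_IP=30             # last octet of the Pi's fixed address
ROUTER_IP=1          # last octet of the router
SERIAL=$(date +%Y%m%d01)   # YYYYMMDDII; bump II for a second change per day

# 192.168.1 -> 1.168.192, the label order used by in-addr.arpa
rev_net() {
    printf '%s\n' "$1" | awk -F. '{ print $3 "." $2 "." $1 }'
}

write_forward_zone() {   # $1 = output file (db.home.lan)
    cat > "$1" <<EOF
\$TTL 604800
$ZONE.  IN SOA $PI_HOST.$ZONE. hostmaster.$ZONE. (
            $SERIAL ; serial
            8H      ; refresh
            4H      ; retry
            4W      ; expire
            1D )    ; negative cache TTL
$ZONE.  IN NS $PI_HOST.$ZONE.
$ZONE.  IN A  $NET.$PI_IP
localhost   IN A 127.0.0.1
$PI_HOST    IN A $NET.$PI_IP
router      IN A $NET.$ROUTER_IP
EOF
}

write_reverse_zone() {   # $1 = output file (db.rev.1.168.192.in-addr.arpa)
    cat > "$1" <<EOF
\$TTL 604800
@   IN SOA $PI_HOST.$ZONE. hostmaster.$ZONE. (
            $SERIAL ; serial
            8H      ; refresh
            4H      ; retry
            4W      ; expire
            1D )    ; minimum
    IN NS $PI_HOST.$ZONE.
$ROUTER_IP  IN PTR router.$ZONE.
$PI_IP      IN PTR $PI_HOST.$ZONE.
EOF
}

write_named_conf_local() {   # $1 = output file
    cat > "$1" <<EOF
zone "$ZONE" IN {
    type master;
    file "/etc/bind/db.$ZONE";
};
zone "$(rev_net "$NET").in-addr.arpa" IN {
    type master;
    file "/etc/bind/db.rev.$(rev_net "$NET").in-addr.arpa";
};
EOF
}

write_named_conf_options() {   # $1 = output file
    cat > "$1" <<EOF
options {
    directory "/var/cache/bind";
    // Only the Pi itself and hosts on its own subnets may recurse, so the
    // box cannot be abused as an open resolver if it ever becomes reachable.
    allow-recursion { localhost; localnets; };
    listen-on { 127.0.0.1; $NET.$PI_IP; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    dnssec-validation auto;
};
EOF
}

generate_all() {   # $1 = output directory
    mkdir -p "$1"
    write_forward_zone "$1/db.$ZONE"
    write_reverse_zone "$1/db.rev.$(rev_net "$NET").in-addr.arpa"
    write_named_conf_local "$1/named.conf.local"
    write_named_conf_options "$1/named.conf.options"
}

check_zones() {   # $1 = directory holding the generated files
    if ! command -v named-checkzone >/dev/null 2>&1; then
        echo "named-checkzone not installed, skipping zone syntax check" >&2
        return 0
    fi
    named-checkzone "$ZONE" "$1/db.$ZONE"
    named-checkzone "$(rev_net "$NET").in-addr.arpa" \
        "$1/db.rev.$(rev_net "$NET").in-addr.arpa"
}

# Stand-alone use: ./gen-zones.sh /tmp/bind-home.lan
if [ -n "${1:-}" ]; then
    generate_all "$1"
    check_zones "$1"
fi
```

Run it with a scratch directory, diff the output against the files you typed by hand, and only then copy them into /etc/bind. Before restarting bind9, `sudo named-checkconf` (with no arguments it reads /etc/bind/named.conf and everything it includes) catches syntax errors in the named.conf files the same way named-checkzone does for the zone files.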
- now we need to edit the main config via:
sudo nano named.conf
and include the following line:
include "/etc/bind/named.conf.blocked";
Save and close the file.
- Now we can add the domains we want to block. To do that we edit the file we just included:
sudo nano named.conf.blocked
Here is an example entry you could use (one line per domain to block):
zone "contoso.com" {type master; file "/etc/bind/db.blocked";};
Please note that duplicate entries here (the same zone defined twice) will stop your DNS service from starting!
- Now we need to create the zone file that all the blocked domains above refer to via:
sudo nano db.blocked
Copy and paste the following into the file:
; BIND db file for blocked domains - point all addresses to localhost
$TTL    86400       ; one day
@       IN  SOA raspberry.home.lan. hostmaster.home.lan. (
                2013120901  ; serial number YYYYMMDDNN
                28800       ; refresh 8 hours
                7200        ; retry 2 hours
                864000      ; expire 10 days
                86400 )     ; min ttl 1 day
        NS  raspberry.home.lan.
        A   127.0.0.1
*       IN  A   127.0.0.1
The wildcard record (*) makes every subdomain of a blocked domain resolve to 127.0.0.1 as well. Save and close the file.
- Now restart your bind9 via:
sudo service bind9 restart
- If you do not get an error message here, you can do a final test via:
named-checkzone contoso.com /etc/bind/db.blocked
That should output something like:
zone contoso.com/IN: loaded serial 2013120901 OK
If you now ping contoso.com from your Windows PC via
ping contoso.com
it should respond with the IP address 127.0.0.1.
- You can now reconfigure your LAN (usually the DHCP server on your router) to hand out the IP address of your Raspberry Pi as the DNS server.
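Typing one zone line per domain does not scale to an imported block list with thousands of entries, and the warning above about duplicate zones is exactly where hand-merged lists go wrong. The following script is an added example, not part of the original tutorial: it converts a hosts-style block list (lines such as "0.0.0.0 ads.example.com", the format most published lists use) or a plain one-domain-per-line list into named.conf.blocked entries of the form shown above, normalising case and emitting each domain exactly once. It assumes the sink zone file is /etc/bind/db.blocked as in this walkthrough; the sample list at the bottom is constructed for the example and is not a real block list.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: convert a hosts-style
# block list (lines such as "0.0.0.0 ads.example.com") or a plain
# one-domain-per-line list into the named.conf.blocked zone statements used
# above. Every domain is lowercased and listed once, because bind9 refuses
# to start when the same zone is defined twice.
# Assumption: the sink zone file is /etc/bind/db.blocked.
set -eu

SINK_FILE=/etc/bind/db.blocked

# stdin: raw list; stdout: one lowercase, unique, syntactically valid domain
# per line. Comments, blank lines, bare IPs and single-label names such as
# "localhost" are dropped; the last field of each line is taken so both
# "0.0.0.0 name" and plain "name" lines work.
extract_domains() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | awk 'NF { print tolower($NF) }' \
    | grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$' \
    | grep -Ev '^localhost\.localdomain$' \
    | sort -u
}

# stdin: domains; stdout: one zone statement per domain, in the form used
# for contoso.com above.
to_named_conf() {
    awk -v sink="$SINK_FILE" \
        '{ printf "zone \"%s\" { type master; file \"%s\"; };\n", $1, sink }'
}

# stdin: raw list; stdout: complete named.conf.blocked content
build_blocklist() {
    extract_domains | to_named_conf
}

# Constructed sample list (not a real block list) covering the cases above:
# duplicates, mixed case, localhost entries and junk lines.
sample_list() {
    cat <<'EOF'
# hosts-style list with duplicates, mixed case and junk
0.0.0.0 ads.example.com
0.0.0.0 Ads.Example.com      # same domain, different case
127.0.0.1 localhost
::1 ip6-localhost
0.0.0.0 tracker.example.net
tracker.example.net
not a domain!
EOF
}

# Stand-alone use: ./import-blocklist.sh hosts.txt > named.conf.blocked
if [ -n "${1:-}" ]; then
    build_blocklist < "$1"
else
    sample_list | build_blocklist
fi
```

Write the output to a new file, run `sudo named-checkconf` against the configuration, and only then restart bind9; if the list grows into the tens of thousands of zones, expect startup to take noticeably longer on a Pi. The sink file points blocked names at 127.0.0.1 as in this walkthrough; many list maintainers use 0.0.0.0 instead so that blocked clients do not open connections to a web server that happens to run on the client itself.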
- Note that if you use Google DNS or OpenDNS as forwarders, you may get poor performance on websites (and on software that talks to the web, e.g. video streaming software or download clients such as iTunes fetching MP3s) that use CDNs (Content Delivery Networks), like YouTube or Apple. To solve that you should forward the DNS requests for the CDN to your ISP's DNS. This is quite easy: edit the config again via
sudo nano named.conf.local
and add the following (a.b.c.d and a.b.c.f are placeholders for the IP addresses of your ISP's resolvers; you MUST change them):
zone "akamai.net" {
    type forward;
    forward first;
    forwarders { a.b.c.d; a.b.c.f; };
};
Save the file and restart bind9 via
sudo service bind9 restart
For other CDNs you need to do the same. The reason is that a CDN picks the server closest to where the DNS query appears to come from. A query sent through Google DNS or OpenDNS appears to come from their resolver, not from your network, so the CDN may hand you a distant server, while your ISP's resolver sits close to you and gets the nearby one.