Re: [DNSSEC] when remove KSK from file system

2025-03-19 Thread Matthijs Mekking
You can set 'purge-keys' to a value you feel comfortable with. By 
default it is set to 90 days, so 90 days after the key has become 
completely hidden, it will be removed from disk.


Best regards,

Matthijs

On 19-03-2025 09:29, adrien sipasseuth wrote:

Hello,

I use BIND 9.20.4 with a KASP policy to set up DNSSEC on some zones.
When a KSK is "hidden", as shown by "rndc dnssec -status ",
I moved it to an archive repository.

But this generates many log messages:
mars 19 09:15:46 xxx named[2378461]: 19-Mar-2025 09:15:46.149 dnssec: error: zone bxxx/IN (signed): zone_rekey:zone_verifykeys failed: some key files are missing
mars 19 09:15:46 xxx named[2378461]: 19-Mar-2025 09:15:46.149 dnssec: info: zone bxxx/IN (signed): reconfiguring zone keys
mars 19 09:15:46 xxx named[2378461]: 19-Mar-2025 09:15:46.153 dnssec: debug 1: zone bxxx/IN (signed): verifykeys: key bxxx/ECDSAP256SHA256/2610 - not available


And this is the content of the state file for this KSK:
; This is the state of key 2610, for bxxx.
Algorithm: 13
Length: 256
Lifetime: 63072000
Successor: 15728
KSK: yes
ZSK: no
Generated: 20240205133815 (Mon Feb  5 14:38:15 2024)
Published: 20240205133815 (Mon Feb  5 14:38:15 2024)
Active: 20240205133815 (Mon Feb  5 14:38:15 2024)
Retired: 20250219143815 (Wed Feb 19 15:38:15 2025)
Removed: 20250220163815 (Thu Feb 20 17:38:15 2025)
DSPublish: 20240911083829 (Wed Sep 11 10:38:29 2024)
DSRemoved: 20250220093816 (Thu Feb 20 10:38:16 2025)
PublishCDS: 20240206144315 (Tue Feb  6 15:43:15 2024)
DSPubCount: 4
DNSKEYChange: 20250221124316 (Fri Feb 21 13:43:16 2025)
KRRSIGChange: 20250221124316 (Fri Feb 21 13:43:16 2025)
DSChange: 20250221113816 (Fri Feb 21 12:38:16 2025)
DNSKEYState: hidden
KRRSIGState: hidden
DSState: hidden
GoalState: hidden

So when can I "archive" / remove my expired KSK from the file system?

Regards,
Adrien SIPASSEUTH
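A check for the question above, as an added example that is not part of the thread and not code from BIND: it parses the key state file Adrien posted (copied into the script as constructed input) and reports whether every record state is hidden and when the purge-keys window (default P90D) ends. named deletes the key files itself once that window has passed; moving them away earlier is what produces the "zone_verifykeys failed: some key files are missing" errors shown above, because named looks for every key it still knows about at each rekey. The reference point used for the 90 days is the latest of the DNSKEYChange/KRRSIGChange/DSChange timestamps (the moment the last state went hidden); that choice, and the report() function, are my assumptions, not documented BIND behaviour.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed input: a copy of the key state file posted in the thread.
STATE_FILE = """\
; This is the state of key 2610, for bxxx.
Algorithm: 13
Length: 256
Lifetime: 63072000
Successor: 15728
KSK: yes
ZSK: no
Generated: 20240205133815 (Mon Feb  5 14:38:15 2024)
Published: 20240205133815 (Mon Feb  5 14:38:15 2024)
Active: 20240205133815 (Mon Feb  5 14:38:15 2024)
Retired: 20250219143815 (Wed Feb 19 15:38:15 2025)
Removed: 20250220163815 (Thu Feb 20 17:38:15 2025)
DSPublish: 20240911083829 (Wed Sep 11 10:38:29 2024)
DSRemoved: 20250220093816 (Thu Feb 20 10:38:16 2025)
PublishCDS: 20240206144315 (Tue Feb  6 15:43:15 2024)
DSPubCount: 4
DNSKEYChange: 20250221124316 (Fri Feb 21 13:43:16 2025)
KRRSIGChange: 20250221124316 (Fri Feb 21 13:43:16 2025)
DSChange: 20250221113816 (Fri Feb 21 12:38:16 2025)
DNSKEYState: hidden
KRRSIGState: hidden
DSState: hidden
GoalState: hidden
"""

STATE_FIELDS = ("DNSKEYState", "KRRSIGState", "DSState")
CHANGE_FIELDS = ("DNSKEYChange", "KRRSIGChange", "DSChange")
TS_RE = re.compile(r"^(\d{14})\b")


def parse_state(text):
    """Parse 'Field: value' lines into a dict. For timestamp fields only the
    14-digit UTC stamp is kept; the parenthesised local-time rendering is dropped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        m = TS_RE.match(value)
        fields[key.strip()] = m.group(1) if m else value
    return fields


def parse_ts(stamp):
    """Key state timestamps are UTC, formatted YYYYMMDDHHMMSS."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def fully_hidden(fields):
    """A key is a purge candidate only once DNSKEY, RRSIG and DS are all hidden."""
    return all(fields.get(f) == "hidden" for f in STATE_FIELDS)


def hidden_since(fields):
    """The key became fully hidden when the last of the three record states changed.
    Assumption: the *Change timestamps are the reference point for purge-keys."""
    return max(parse_ts(fields[f]) for f in CHANGE_FIELDS)


def report(text, now_stamp, purge_keys_days=90):
    """Return (fully_hidden, purge deadline as YYYYMMDDHHMMSS or None, safe to archive now).
    purge_keys_days mirrors the dnssec-policy 'purge-keys' duration (default P90D)."""
    fields = parse_state(text)
    if not fully_hidden(fields):
        return (False, None, False)
    deadline = hidden_since(fields) + timedelta(days=purge_keys_days)
    return (True, deadline.strftime("%Y%m%d%H%M%S"), parse_ts(now_stamp) >= deadline)


if __name__ == "__main__":
    # Evaluated at the time of the log lines in the thread: hidden, but the
    # 90-day window only ends on 2025-05-22, so archiving on 2025-03-19 was too early.
    hidden, deadline, ok = report(STATE_FILE, "20250319091546")
    print(f"all states hidden: {hidden}; purge after: {deadline}; safe to archive now: {ok}")
```

Point it at the real .state file that sits next to the .key/.private pair in the zone's key-directory, and set purge_keys_days to whatever purge-keys the zone's dnssec-policy uses; a purge-keys of 0 means never purge, which this check does not model.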

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Upgrading the Bind Server issue

2025-03-19 Thread Ondřej Surý
Hi,

I think you basically have a couple of options:

1. use ISC provided packages: https://copr.fedorainfracloud.org/coprs/isc/; I 
would strongly recommend this option

2. learn what you are really doing and debug this properly. You haven't 
provided any actionable information.

3. oh, then there's always the third option that's listed in the mailing list 
footer:
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.


Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.



> On 19. 3. 2025, at 20:23, Lowry-Schiller, Dell M CTR (USA) via bind-users 
>  wrote:
> 
> Message: I am following the instructions provided in the knowledge base and I 
> am having issues with the upgrade of my bind server to version 9.20.6 I am 
> currently on version BIND 9.16.23-RH
> 
> I run this command and it works fine   ./configure 
> --prefix=/usr/local/bind-9.9.6 --sysconfdir=/etc --localstatedir=/var 
> --enable-threads --with-openssl
> 
> Then I run the command make this is where I get the error message.
> Error message: [root@rhel-nbind2 bind-9.20.6]# make
> make: *** No targets specified and no makefile found.  Stop
> I am using this URL: https://kb.isc.org/docs/aa-00648
> 
> I am looking to see if anyone can offer some insight on this issue I am currently 
> experiencing.
> 
> 
> 
> 
> Respectfully,  Dell Lowry-Schiller 
> LAN Manager 
> CSL Comalapa - US Navy 
>  


Re: Custom DNS Filtering Plugin in BIND 9

2025-03-19 Thread Mónika Kiss
Hello,

Thank you for your response.

I have a domain categorization program written in C that dynamically
determines the risk level of a queried domain.
I need to integrate this categorization logic into a BIND 9 plugin that:

   - Calls the categorization function to analyze each incoming DNS query.
   - Modifies the DNS response based on the categorization result:
      - If the domain is categorized as high risk, return a custom IP
        address (e.g., 192.168.1.100) instead of resolving the query.
      - Otherwise, allow the query to proceed to the upstream DNS resolver
        as usual.

I think I can't do this with the RPZ.

Best regards,
Monika

On Wed, Mar 19, 2025 at 4:19 PM Michael De Roover  wrote:

> On Wednesday, March 19, 2025 3:01:48 PM CET Bob McDonald wrote:
> > Maybe I'm not understanding all the nuances of the stated goal but doesn't
> > RPZ handle this?
>
> Was my first thought as well, works fine for me.
>
> In named.conf:
>
> options {
>     // RPZ zone
>     // Source: https://deteque.com/m3aawg-bind-training/named.conf
>     response-policy {
>         zone "rpz.local";
>     };
> };
>
> // Response Policy Zone
> zone "rpz.local" {
>     type primary;
>     file "/path/to/rpz.local.db";
> };
>
> In rpz.local.db:
>
> $TTL 300
> @   IN  SOA localhost. admin.localhost. (
>     1       ; Serial number
>     60      ; Refresh every minute
>     60      ; Retry every minute
>     43200   ; Expire in 12 hours
>     60 )    ; Negative cache TTL 1 minute
>     IN  NS  LOCALHOST.
>
> ; Examples
> example.net IN  CNAME   localhost.
>
> Note that the public domain name records to be redirected via RPZ cannot
> have a trailing dot.
>
> --
>
> Met vriendelijke groet,
>
> Michael De Roover
>
> Mail: i...@nixmagic.com
>
> Web: michael.de.roover.eu.org


RE: Custom DNS Filtering Plugin in BIND 9

2025-03-19 Thread Bob McDonald
Maybe I'm not understanding all the nuances of the stated goal but doesn't
RPZ handle this?

Bob

Sent from my Google Pixel 8a phone.


[DNSSEC] when remove KSK from file system

2025-03-19 Thread adrien sipasseuth
Hello,

I use BIND 9.20.4 with a KASP policy to set up DNSSEC on some zones.
When a KSK is "hidden", as shown by "rndc dnssec -status ",
I moved it to an archive repository.

But this generates many log messages:
mars 19 09:15:46 xxx named[2378461]: 19-Mar-2025 09:15:46.149 dnssec: error: zone bxxx/IN (signed): zone_rekey:zone_verifykeys failed: some key files are missing
mars 19 09:15:46 xxx named[2378461]: 19-Mar-2025 09:15:46.149 dnssec: info: zone bxxx/IN (signed): reconfiguring zone keys
mars 19 09:15:46 xxx named[2378461]: 19-Mar-2025 09:15:46.153 dnssec: debug 1: zone bxxx/IN (signed): verifykeys: key bxxx/ECDSAP256SHA256/2610 - not available


And this is the content of the state file for this KSK:
; This is the state of key 2610, for bxxx.
Algorithm: 13
Length: 256
Lifetime: 63072000
Successor: 15728
KSK: yes
ZSK: no
Generated: 20240205133815 (Mon Feb  5 14:38:15 2024)
Published: 20240205133815 (Mon Feb  5 14:38:15 2024)
Active: 20240205133815 (Mon Feb  5 14:38:15 2024)
Retired: 20250219143815 (Wed Feb 19 15:38:15 2025)
Removed: 20250220163815 (Thu Feb 20 17:38:15 2025)
DSPublish: 20240911083829 (Wed Sep 11 10:38:29 2024)
DSRemoved: 20250220093816 (Thu Feb 20 10:38:16 2025)
PublishCDS: 20240206144315 (Tue Feb  6 15:43:15 2024)
DSPubCount: 4
DNSKEYChange: 20250221124316 (Fri Feb 21 13:43:16 2025)
KRRSIGChange: 20250221124316 (Fri Feb 21 13:43:16 2025)
DSChange: 20250221113816 (Fri Feb 21 12:38:16 2025)
DNSKEYState: hidden
KRRSIGState: hidden
DSState: hidden
GoalState: hidden

So when can I "archive" / remove my expired KSK from the file system?

Regards,
Adrien SIPASSEUTH


Upgrading the Bind Server issue

2025-03-19 Thread Lowry-Schiller, Dell M CTR (USA) via bind-users
Message: I am following the instructions provided in the knowledge base and I 
am having issues with the upgrade of my bind server to version 9.20.6 I am 
currently on version BIND 9.16.23-RH

I run this command and it works fine   ./configure 
--prefix=/usr/local/bind-9.9.6 --sysconfdir=/etc --localstatedir=/var 
--enable-threads --with-openssl

Then I run the command make this is where I get the error message.
Error message: [root@rhel-nbind2 bind-9.20.6]# make
make: *** No targets specified and no makefile found.  Stop
I am using this URL: https://kb.isc.org/docs/aa-00648

I am looking to see if anyone can offer some insight on this issue I am currently 
experiencing.





Respectfully,



Dell Lowry-Schiller

LAN Manager

CSL Comalapa - US Navy





Re: Custom DNS Filtering Plugin in BIND 9

2025-03-19 Thread Michael De Roover
On Wednesday, March 19, 2025 3:01:48 PM CET Bob McDonald wrote:
> Maybe I'm not understanding all the nuances of the stated goal but doesn't
> RPZ handle this?

Was my first thought as well, works fine for me.

In named.conf:

options {
// RPZ zone
// Source: https://deteque.com/m3aawg-bind-training/named.conf
response-policy {
zone "rpz.local";
};
};

// Response Policy Zone
zone "rpz.local" {
type primary;
file "/path/to/rpz.local.db";
};



In rpz.local.db:

$TTL 300

@   IN  SOA localhost. admin.localhost. (
    1       ; Serial number
    60      ; Refresh every minute
    60      ; Retry every minute
    43200   ; Expire in 12 hours
    60 )    ; Negative cache TTL 1 minute
    IN  NS  LOCALHOST.

; Examples
example.net IN  CNAME   localhost.



Note that the public domain name records to be redirected via RPZ cannot have a 
trailing dot.

-- 
Met vriendelijke groet,
Michael De Roover

Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org


RHEL, Rocky, Fedora rpm 9.20.7

2025-03-19 Thread Carl Byington via bind-users
https://www.five-ten-sg.com/mapper/bind contains links to the source
rpm, and build instructions. This .src.rpm contains a .tar.gz file with
the ARM documentation, so the rpm rebuild process does not need
sphinx-build and associated dependencies.




Re: Upgrading the Bind Server issue

2025-03-19 Thread Jeremy C. Reed
On Wed, 19 Mar 2025, Lowry-Schiller, Dell M CTR (USA) via bind-users wrote:

> I run this command and it works fine   ./configure --prefix=/usr/local/bind-9.9.6
> --sysconfdir=/etc --localstatedir=/var --enable-threads --with-openssl

I suspect this configure step did not work fine
or you ran the "make" in a different directory.

> Then I run the command make this is where I get the error message.
> Error message: [root@rhel-nbind2 bind-9.20.6]# make
> make: *** No targets specified and no makefile found.  Stop


Re: Custom DNS Filtering Plugin in BIND 9

2025-03-19 Thread Ondřej Surý
Hi Mónika,

I concur the documentation is a bit scarce, have you looked at the existing 
plugins? This might give you a little bit of guidance.

Additionally, we have at least one more MR with the unfinished plugin in 
GitLab. It's kind of old, but it is different from the filter_a/filter_ 
plugins.

We would be happy to accept any work that extends the plugins API if you need 
one.

For constructing the modified message, I am afraid there’s nothing like 
“developer’s documentation”, you are the first one who asked about the plugins 
API in years.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 19. 3. 2025, at 19:54, Mónika Kiss  wrote:
> Properly constructing and returning a custom DNS response.
> Plugin Development Guidance:
> Is there official documentation or are there examples for writing custom BIND 9 
> plugins?
> What are the recommended hook points for intercepting and modifying DNS 
> responses?


Custom DNS Filtering Plugin in BIND 9

2025-03-19 Thread Mónika Kiss
Dear BIND Users,

My name is Monika Kiss and I am currently working on a custom DNS
filtering plugin for BIND 9 and I would appreciate your guidance on a few
technical aspects. My goal is to intercept certain DNS queries and return a
custom IP address instead of forwarding them to an upstream resolver.

Context:

   - I am using BIND 9’s plugin system to implement DNS filtering. (BIND9
   version 9.20.6 on Ubuntu 22.04 )
   - In specific cases (e.g., for high-risk domains), I want to return a
   predefined IP address (e.g., 192.168.1.100) instead of resolving the query
   normally.
   - I have implemented a plugin, and I am hooking into
   NS_QUERY_START_BEGIN to analyze and potentially modify responses.

Challenges & Questions:

   - Properly constructing and returning a custom DNS response.
   - Plugin Development Guidance:
      - Is there official documentation or are there examples for writing custom
      BIND 9 plugins?
  - What are the recommended hook points for intercepting and modifying
  DNS responses?

I would be very grateful for any insights, documentation, or example
implementations that could help me achieve this functionality. Thank you in
advance for your support!


*Best regards,*

Monika Kiss


Re: Upgrading the Bind Server issue

2025-03-19 Thread Marco Moock
Am 19.03.2025 um 13:23:09 Uhr schrieb Lowry-Schiller, Dell M CTR
\(USA\) via bind-users:

> Message: I am following the instructions provided in the knowledge
> base and I am having issues with the upgrade of my bind server to
> version 9.20.6 I am currently on version BIND 9.16.23-RH

This indicates you are using RedHat?
If so, I recommend using the release that comes with your operating
system, this is much easier and tested.

> I run this command and it works fine   ./configure
> --prefix=/usr/local/bind-9.9.6 --sysconfdir=/etc --localstatedir=/var
> --enable-threads --with-openssl
> 
> Then I run the command make this is where I get the error message.
>   Error message: [root@rhel-nbind2 bind-9.20.6]#
> make make: *** No targets specified and no makefile found.  Stop
> I am using this URL: https://kb.isc.org/docs/aa-00648

Run ll in the folder and post it here if you really want to compile
yourself.


-- 
Gruß
Marco

Send unsolicited bulk mail to 1742386989mu...@cartoonies.org


Re: Custom DNS Filtering Plugin in BIND 9

2025-03-19 Thread Ondřej Surý
Thinking aloud - perhaps we can extend the plugin API (and RPZ) in a way to add the classification to the message processing, and then the RPZ processing could read the classification and take an action? But that's quite a huge chunk of work.

As I said, there was an attempt to rewrite dns64 as a plugin: https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/968/diffs

It is outdated, but it does synthesize DNS messages on the fly, so it might be a good starting point.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 19. 3. 2025, at 21:40, Mónika Kiss  wrote:
>
> Hello,
>
> Thank you for your response.
>
> I have a domain categorization program written in C that dynamically determines the risk level of a queried domain.
> I need to integrate this categorization logic into a BIND 9 plugin that:
>
>    - Calls the categorization function to analyze each incoming DNS query.
>    - Modifies the DNS response based on the categorization result:
>       - If the domain is categorized as high risk, return a custom IP address (e.g., 192.168.1.100) instead of resolving the query.
>       - Otherwise, allow the query to proceed to the upstream DNS resolver as usual.
>
> I think I can't do this with the RPZ.
>
> Best regards,
> Monika
>
> On Wed, Mar 19, 2025 at 4:19 PM Michael De Roover  wrote:
>
>> On Wednesday, March 19, 2025 3:01:48 PM CET Bob McDonald wrote:
>> > Maybe I'm not understanding all the nuances of the stated goal but doesn't
>> > RPZ handle this?
>>
>> Was my first thought as well, works fine for me.
>>
>> In named.conf:
>>
>> options {
>>     // RPZ zone
>>     // Source: https://deteque.com/m3aawg-bind-training/named.conf
>>     response-policy {
>>         zone "rpz.local";
>>     };
>> };
>>
>> // Response Policy Zone
>> zone "rpz.local" {
>>     type primary;
>>     file "/path/to/rpz.local.db";
>> };
>>
>> In rpz.local.db:
>>
>> $TTL 300
>> @   IN  SOA localhost. admin.localhost. (
>>     1       ; Serial number
>>     60      ; Refresh every minute
>>     60      ; Retry every minute
>>     43200   ; Expire in 12 hours
>>     60 )    ; Negative cache TTL 1 minute
>>     IN  NS  LOCALHOST.
>>
>> ; Examples
>> example.net IN  CNAME   localhost.
>>
>> Note that the public domain name records to be redirected via RPZ cannot have a trailing dot.
>>
>> --
>> Met vriendelijke groet,
>> Michael De Roover
>>
>> Mail: i...@nixmagic.com
>> Web: michael.de.roover.eu.org


Re: Custom DNS Filtering Plugin in BIND 9

2025-03-19 Thread Ondřej Surý
Michael,

you can hardly create a static list from all of the domains that can possibly 
exist.

I do understand the usefulness of dynamic classification.

There’s just not a straightforward interface for it now. Somebody will have to 
invest into writing this :shrug:

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 19. 3. 2025, at 21:51, Michael De Roover  wrote:
> 
> On Wednesday, March 19, 2025 3:40:28 PM CET Mónika Kiss wrote:
>> Hello,
>> 
>> Thank you for your response.
>> 
>> I have a domain categorization program written in C that dynamically
>> determines the risk level of a queried domain.
>> I need to integrate this categorization logic into a BIND 9 plugin that:
>> 
>>   - Calls the categorization function to analyze each incoming DNS query.
>>   - Modifies the DNS response based on the categorization result:
>>  - If the domain is categorized as high risk, return a custom IP
>>  address (e.g., 192.168.1.100) instead of resolving the query.
>>  - Otherwise, allow the query to proceed to the upstream DNS resolver
>>  as usual.
>>   -
>> 
>> I think I can't do this with the RPZ.
>> 
>> Best regards,
>> Monika
> 
> Hi Monika,
> 
> If it's output from a program, you'll probably want the zone to dynamically
> respond to updates yes... There are two ways I could think of going about
> this.
> 
> The first one is using static zone files, and having your program build zone
> files as needed, then pushing them into the server and restarting BIND. This 
> is
> how I do it for my zones, albeit not very real-time at all. I guess it could
> work if the updates are done only a few times a day.
> 
> The second one is to use RPZ alongside dynamic DNS updates. I haven't done
> that in my networks, you'll have to look that up or ask someone else. But with
> that, I could imagine that it would allow your program to very quickly push
> new records based on its findings.
> 
> That said though, where is this program running? For DNS monitoring, a good
> vantage point would be the DNS server itself running tcpdump and/or Wireshark
> on port 53 (both TCP and UDP). Meanwhile for traffic in general, the gateway or
> a forward proxy server may be able to give better results (but encrypted traffic
> would be a pain to deal with).
> 
> --
> Met vriendelijke groet,
> Michael De Roover
> 
> Mail: i...@nixmagic.com
> Web: michael.de.roover.eu.org
> 
> 


Re: Custom DNS Filtering Plugin in BIND 9

2025-03-19 Thread Michael De Roover
On Wednesday, March 19, 2025 3:40:28 PM CET Mónika Kiss wrote:
> Hello,
> 
> Thank you for your response.
> 
> I have a domain categorization program written in C that dynamically
> determines the risk level of a queried domain.
> I need to integrate this categorization logic into a BIND 9 plugin that:
> 
>- Calls the categorization function to analyze each incoming DNS query.
>- Modifies the DNS response based on the categorization result:
>   - If the domain is categorized as high risk, return a custom IP
>   address (e.g., 192.168.1.100) instead of resolving the query.
>   - Otherwise, allow the query to proceed to the upstream DNS resolver
>   as usual.
>-
> 
> I think I can't do this with the RPZ.
> 
> Best regards,
> Monika

Hi Monika,

If it's output from a program, you'll probably want the zone to dynamically 
respond to updates yes... There are two ways I could think of going about 
this.

The first one is using static zone files, and having your program build zone 
files as needed, then pushing them into the server and restarting BIND. This is 
how I do it for my zones, albeit not very real-time at all. I guess it could 
work if the updates are done only a few times a day.

The second one is to use RPZ alongside dynamic DNS updates. I haven't done 
that in my networks, you'll have to look that up or ask someone else. But with 
that, I could imagine that it would allow your program to very quickly push 
new records based on its findings.

That said though, where is this program running? For DNS monitoring, a good 
vantage point would be the DNS server itself running tcpdump and/or Wireshark 
on port 53 (both TCP and UDP). Meanwhile for traffic in general, the gateway or 
a forward proxy server may be able to give better results (but encrypted traffic 
would be a pain to deal with).

-- 
Met vriendelijke groet,
Michael De Roover

Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org
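The dynamic-update route Michael describes, as an added example that is neither his code nor Mónika's nor part of BIND: a small Python helper that turns a categorisation verdict into RPZ records and into the nsupdate batch that pushes them into the rpz.local zone from Michael's configuration, so the resolver answers 192.168.1.100 for high-risk names without any plugin. Owner names are built relative to the policy zone (example.net becomes example.net.rpz.local.), which is why a trigger domain must not carry a trailing dot: an absolute name would fall outside the zone. The zone name and sinkhole address come from the thread; the server address, the risk threshold and the key file named in the comments are hypothetical.

```python
# Added example: categoriser verdict -> RPZ records -> nsupdate batch.
# Assumptions: zone and sinkhole address from the thread; server address,
# risk threshold and the TSIG key file in the comments are hypothetical.

RPZ_ZONE = "rpz.local"          # must match the zone listed under response-policy
SINKHOLE_IP = "192.168.1.100"   # the custom address the plugin was meant to return
TTL = 300
HIGH_RISK = 80                  # hypothetical threshold on a 0-100 risk score

# RPZ encodes its action in the RDATA of the record at the trigger name.
ACTIONS = {
    "nxdomain": "CNAME .",              # answer NXDOMAIN
    "nodata":   "CNAME *.",             # answer NODATA
    "drop":     "CNAME rpz-drop.",      # send no answer at all
    "passthru": "CNAME rpz-passthru.",  # exempt the name from later policies
}


def rpz_owner(domain, zone=RPZ_ZONE):
    """Trigger owner name: the queried name made relative to the RPZ zone.
    A trailing dot on the domain would make it absolute and put it outside the
    policy zone, so it is stripped; case is folded because DNS names are."""
    d = domain.strip().rstrip(".").lower()
    if not d:
        raise ValueError("empty domain")
    return f"{d}.{zone}."


def policy_records(domain, action, sinkhole=SINKHOLE_IP, zone=RPZ_ZONE,
                   ttl=TTL, subdomains=True):
    """Return the RRs implementing one action. 'sinkhole' is the RPZ Local Data
    action: an A record at the trigger name, answered in place of the real data."""
    if action == "sinkhole":
        rdata = f"A {sinkhole}"
    elif action in ACTIONS:
        rdata = ACTIONS[action]
    else:
        raise ValueError(f"unknown action {action!r}")
    owners = [rpz_owner(domain, zone)]
    if subdomains:
        owners.append("*." + owners[0])   # QNAME triggers are exact; cover children too
    return [f"{o} {ttl} IN {rdata}" for o in owners]


def nsupdate_script(domain, action, server="127.0.0.1", zone=RPZ_ZONE, **kw):
    """Build an nsupdate batch that replaces whatever verdict is at the name now."""
    rrs = policy_records(domain, action, zone=zone, **kw)
    lines = [f"server {server}", f"zone {zone}."]
    for rr in rrs:
        owner = rr.split()[0]
        lines.append(f"update delete {owner}")   # clear any previous policy at this owner
        lines.append(f"update add {rr}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def verdict(domain, risk_score):
    """Glue for the categoriser: high risk -> sinkhole update, otherwise None.
    No record means the name is absent from the zone, so RPZ does nothing and
    the query resolves normally."""
    if risk_score >= HIGH_RISK:
        return nsupdate_script(domain, "sinkhole")
    return None


if __name__ == "__main__":
    # Pipe the output into: nsupdate -k /etc/bind/rpz-update.key   (hypothetical key file)
    print(verdict("bad.example", 95), end="")
```

For the updates to be accepted, the rpz.local zone needs an update-policy or allow-update clause that matches the TSIG key nsupdate is run with, and the zone must stay a primary on the resolver doing the filtering; named applies the new policy as soon as the update is committed, without a reload.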




Re: Custom DNS Filtering Plugin in BIND 9

2025-03-19 Thread Ondřej Surý
Hi again,

if this is something that is going to be open-source and the whole BIND 9 users community would benefit from this, I would love to hear and see more.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 19. 3. 2025, at 21:40, Mónika Kiss  wrote:
>
> Hello,
>
> Thank you for your response.
>
> I have a domain categorization program written in C that dynamically determines the risk level of a queried domain.
> I need to integrate this categorization logic into a BIND 9 plugin that:
>
>    - Calls the categorization function to analyze each incoming DNS query.
>    - Modifies the DNS response based on the categorization result:
>       - If the domain is categorized as high risk, return a custom IP address (e.g., 192.168.1.100) instead of resolving the query.
>       - Otherwise, allow the query to proceed to the upstream DNS resolver as usual.
>
> I think I can't do this with the RPZ.
>
> Best regards,
> Monika
>
> On Wed, Mar 19, 2025 at 4:19 PM Michael De Roover  wrote:
>
>> On Wednesday, March 19, 2025 3:01:48 PM CET Bob McDonald wrote:
>> > Maybe I'm not understanding all the nuances of the stated goal but doesn't
>> > RPZ handle this?
>>
>> Was my first thought as well, works fine for me.
>>
>> In named.conf:
>>
>> options {
>>     // RPZ zone
>>     // Source: https://deteque.com/m3aawg-bind-training/named.conf
>>     response-policy {
>>         zone "rpz.local";
>>     };
>> };
>>
>> // Response Policy Zone
>> zone "rpz.local" {
>>     type primary;
>>     file "/path/to/rpz.local.db";
>> };
>>
>> In rpz.local.db:
>>
>> $TTL 300
>> @   IN  SOA localhost. admin.localhost. (
>>     1       ; Serial number
>>     60      ; Refresh every minute
>>     60      ; Retry every minute
>>     43200   ; Expire in 12 hours
>>     60 )    ; Negative cache TTL 1 minute
>>     IN  NS  LOCALHOST.
>>
>> ; Examples
>> example.net IN  CNAME   localhost.
>>
>> Note that the public domain name records to be redirected via RPZ cannot have a trailing dot.
>>
>> --
>> Met vriendelijke groet,
>> Michael De Roover
>>
>> Mail: i...@nixmagic.com
>> Web: michael.de.roover.eu.org