Re: Custom DNS Filtering Plugin in BIND 9

2025-03-21 Thread Ondřej Surý
Greg,

not really, but unless the querying is blazingly fast, it needs to use
asynchronous processing, and we don't have that now.  It is not impossible to
write something like this, but with no async-await mechanism in C, it might get
complicated very soon.  So, I would cross that bridge only if you need to -
starting with blazingly fast classification would be a better option.

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 21. 3. 2025, at 18:11, Greg Choules via bind-users 
>  wrote:
> 
> My take on this is that DNS resolver code is written to (try and) be as fast 
> and efficient as possible and work pretty much entirely in RAM because that's 
> the quickest storage available. 
> 
> Anything that interrupts that and tries to access some external database, 
> however it's done, is bound to slow down query processing. Think of why 
> resolvers cache and how much delay is introduced when they need to recurse.
> 
> I think the data needs to be in the resolver, not external to it. Off the top 
> of my head, use a special zone, perhaps (in a similar way to RPZ) that is 
> updated dynamically by the external source of truth. That is, keep the engine 
> that is gathering, sorting, processing and ultimately maintaining the 
> database that *is* the source of truth separate from the thing that is 
> handling queries in real time.
> 
> /soapbox.
> Cheers, Greg
> 
> On Fri, 21 Mar 2025 at 07:32, Mónika Kiss  wrote:
> Hi,
> Thank you again for your time.
> I wanted to provide some additional context and clarify a few key aspects of 
> my use case:
> • I already maintain a large, pre-existing file containing comprehensive 
>   domain categorization data.
> • This file is updated externally and serves as the sole source of truth 
>   for categorization decisions.
> • As such, I do not wish to store any additional data within the plugin, 
>   memory, or any BIND-internal structures.
> • Instead, I want the plugin to dynamically query this data by calling my 
>   existing C program or SDK, which reads and evaluates domains in real time.
> 
> Desired Behavior
> • On each DNS query, the plugin should:
>   • Extract the domain from the query.
>   • Call my categorization logic (via C function or subprocess).
>   • Based on the result:
>     • If High Risk: Immediately stop further resolution and return a 
>       custom response (e.g., a custom IP address).
>     • Otherwise: Allow the query to continue to upstream resolvers as 
>       normal.
> • The plugin will be handling a very high volume of DNS queries, so 
>   performance is critical.
> 
> Best regards,
> Monika
> 
> On Thu, Mar 20, 2025 at 10:25 PM Grant Taylor via bind-users 
>  wrote:
> On 3/19/25 10:02 AM, Ondřej Surý wrote:
> > Thinking aloud - perhaps, we can extend the plugin API (and RPZ) in a 
> > way to add the classification to the message processing and then the RPZ 
> > processing could read the classification and take an action?
> 
> This sounds like my understanding of what the Response Policy Service 
> (RPS) is supposed to achieve.
> 
> "The DNS Response Policy Service (DNSRPS) API, is a mechanism to allow 
> named to use an external response policy provider.  This allows the same 
> type of policy filtering as standard RPZ, but can reduce the workload 
> for named, particularly when using large and frequently updated policy 
> zones.  It also enables named to share response policy providers with 
> other DNS implementations such as Unbound.  Thanks to Vernon Schryver 
> and Farsight Security for the contribution."
> 
> Link - BIND 9.12 development is getting closer to completion!
>   - https://www.isc.org/blogs/bind-9-12-almost-ready/
> 
> I have long considered RPS for DNS to be like the milter API for email.
> 
> 
> 
> -- 
> Grant. . . .
> unix || die
> 
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
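Greg's suggestion above (keep the categorisation engine as the external source of truth, but hand the resolver a zone it can answer from without leaving RAM) maps directly onto a response-policy zone that is regenerated from the categorisation file. The following is an added example and not code from any of the posters or from BIND itself: it assumes a constructed comma-separated "domain,category" feed, a hypothetical RPZ zone name rpz.local and a sink address 192.0.2.1, and emits RPZ "Local Data" records so that a high-risk name and everything below it answers with the custom address while every other name falls through to normal recursion.

```python
import ipaddress
from typing import Iterator, List, Tuple

# Constructed sample of an externally maintained categorisation feed
# (one "domain,category" pair per line). Not a real feed.
SAMPLE_FEED = """\
# domain,category
phish.example,high-risk
Malware.Example.,High-Risk
news.example,news
tracker.example,ads
"""

# Categories that should short-circuit resolution; assumed label, not from the feed spec.
HIGH_RISK_CATEGORIES = {"high-risk"}


def parse_feed(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (domain, category) pairs, lower-cased, comments skipped, trailing dot removed."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        domain, _, category = line.partition(",")
        domain = domain.strip().lower().rstrip(".")
        if domain:
            yield domain, category.strip().lower()


def rpz_records(feed_text: str, sink_ip: str,
                risky=HIGH_RISK_CATEGORIES) -> List[str]:
    """RPZ 'Local Data' records: the name and every subdomain answer with sink_ip.

    Owner names are relative to the RPZ zone's $ORIGIN, which is how a QNAME
    trigger is written in a response-policy zone. A wildcard owner covers
    subdomains, which the feed lists only by their parent.
    """
    ip = ipaddress.ip_address(sink_ip)          # rejects malformed sink addresses early
    rrtype = "A" if ip.version == 4 else "AAAA"
    records: List[str] = []
    for domain, category in parse_feed(feed_text):
        if category in risky:
            records.append(f"{domain} IN {rrtype} {ip}")
            records.append(f"*.{domain} IN {rrtype} {ip}")
    return records


def build_zone(feed_text: str, zone: str, serial: int, sink_ip: str) -> str:
    """Complete RPZ zone file text. Bump `serial` on every regeneration so that
    `rndc reload` and any secondaries pick up the change."""
    header = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{zone}. {serial} 3600 600 604800 300",
        "@ IN NS localhost.",
    ]
    return "\n".join(header + rpz_records(feed_text, sink_ip)) + "\n"


if __name__ == "__main__":
    print(build_zone(SAMPLE_FEED, "rpz.local", 2025032101, "192.0.2.1"), end="")
```

The generated file is loaded like any other zone and enabled with `response-policy { zone "rpz.local"; };` in named.conf; when the external feed changes, regenerate the file with a higher serial and run `rndc reload rpz.local`. The per-query cost is then an in-memory RPZ lookup rather than a call out to a subprocess, which is the property both Greg and Ondřej are asking for.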

Bind internal name space geo-proximity

2025-03-21 Thread Karol Nowicki via bind-users
Hello Everyone 
Do we have any option to define the order of domain delegation depending on the 
query location?
For example
google.com. NS  dns1.company.com.
google.com. NS  dns2.company.com.
All in one zone file. 
Now, when a client's query comes from North America it delegates only to dns1, 
and when a query comes from Europe it delegates to dns2.

Sent from Yahoo Mail for iPhone


isc-bind service shutdown after update at 9.20.7-1.2.el8

2025-03-21 Thread Langlois Joël via bind-users
Hi everyone,

  After updating my isc-bind packages from 9.20.6-1.2 to 9.20.7-1.2, I try 
to start the service but it always «shuts down» by itself. My server is 
Rocky Linux 8.10 and with the old version (9.20.6) everything has been working 
fine for many months. Here is the part of the output log (with debug enabled) 
where I saw the service going down (see netmgr and shutting down below)! Any 
idea, someone?

Thanks in advance
.
.
.
fetch: ultradns.info/NS
fetch: ultradns.co.uk/NS
fetch: ultradns.co.uk/NS
fetch: rds.ca/A
fetch: rds.ca/A
zone_maintenance: managed-keys-zone: enter
zone_dump: managed-keys-zone: enter
zone__settimer: managed-keys-zone: enter
dump_done: managed-keys-zone: enter
zone_journal_compact: managed-keys-zone: target journal size 0
journal file managed-keys.bind.jnw does not exist, creating it
fetch: rds.ca/A
fetch: rds.ca/A
fetch: rds.ca/A
fetch: rds.ca/A
netmgr 0x7fa151a7b1e0: Shutting down network manager
netmgr 0x7fa151a7b1e0: Shutting down network manager worker on loop 
0x7fa151a39000(0)
no longer listening on 127.0.0.1#53
no longer listening on X.X.X.60#53
stopping command channel on 127.0.0.1#953
loop exclusive mode: starting
loop exclusive mode: started
shutting down
managed-keys-zone: final reference detached
.
.

# systemctl status isc-bind-named.service
● isc-bind-named.service
   Loaded: loaded (/usr/lib/systemd/system/isc-bind-named.service; enabled; 
vendor preset: disabled)
   Active: failed (Result: timeout) since Fri 2025-03-21 14:47:08 EDT; 51min ago
  Process: 1531 ExecStart=/opt/isc/isc-bind/root/usr/sbin/named -u named -f 
$OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 1531 (code=exited, status=0/SUCCESS)

Mar 21 14:45:37 dns_server named[1531]: checkhints: b.root-servers.net/ 
(2801:1b8:10::b) missing from hints
Mar 21 14:45:37  dns_server  named[1531]: checkhints: b.root-servers.net/ 
(2001:500:200::b) extra record in hints
Mar 21 14:47:07 dns_server  systemd[1]: isc-bind-named.service: start operation 
timed out. Terminating.
Mar 21 14:47:07 dns_server  named[1531]: no longer listening on 127.0.0.1#53
Mar 21 14:47:07 dns_server  named[1531]: no longer listening on X.X.X.60#53
Mar 21 14:47:07 dns_server  named[1531]: stopping command channel on 
127.0.0.1#953
Mar 21 14:47:07 dns_server  named[1531]: shutting down
Mar 21 14:47:08 dns_server   named[1531]: exiting
Mar 21 14:47:08 dns_server   systemd[1]: isc-bind-named.service: Failed with 
result 'timeout'.
Mar 21 14:47:08 dns_server  systemd[1]: Failed to start isc-bind-named.service.
#
--
Joe


Re: Custom DNS Filtering Plugin in BIND 9

2025-03-21 Thread Ondřej Surý
It might, except it has been removed (now I admit I don’t remember in which 
version), because it was proprietary and never had any real users. It should 
work while it is still available, but I am not really keen on resurrecting the 
API for yet another proprietary thing.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 21. 3. 2025, at 21:24, Grant Taylor via bind-users 
>  wrote:
> 
> Based on my understanding, RPS should be able to do all of those things.
> 
> I would encourage you to spend a few (more) minutes reviewing RPS as I think 
> that what you're wanting to do is the thing that RPS is intended to solve.



Re: isc-bind service shutdown after update at 9.20.7-1.2.el8

2025-03-21 Thread Ondřej Surý
This looks like named is not sending the systemd notifications to the 
supervisor. Is there anything unusual on your system? Are those stock ISC 
packages?

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 22. 3. 2025, at 2:44, Langlois Joël via bind-users 
>  wrote:
> 
> Hi everyone,
>  
>   After updating my isc-bind packages from 9.20.6-1.2 to 9.20.7-1.2, I 
> try to start the service but it always «shuts down» by itself. My server is 
> Rocky Linux 8.10 and with the old version (9.20.6) everything has been working 
> fine for many months. Here is the part of the output log (with debug 
> enabled) where I saw the service going down (see netmgr and shutting down 
> below)! Any idea, someone?
>  
> Thanks in advance
> .
> .
> .
> fetch: ultradns.info/NS
> fetch: ultradns.co.uk/NS
> fetch: ultradns.co.uk/NS
> fetch: rds.ca/A
> fetch: rds.ca/A
> zone_maintenance: managed-keys-zone: enter
> zone_dump: managed-keys-zone: enter
> zone__settimer: managed-keys-zone: enter
> dump_done: managed-keys-zone: enter
> zone_journal_compact: managed-keys-zone: target journal size 0
> journal file managed-keys.bind.jnw does not exist, creating it
> fetch: rds.ca/A
> fetch: rds.ca/A
> fetch: rds.ca/A
> fetch: rds.ca/A
> netmgr 0x7fa151a7b1e0: Shutting down network manager
> netmgr 0x7fa151a7b1e0: Shutting down network manager worker on loop 
> 0x7fa151a39000(0)
> no longer listening on 127.0.0.1#53
> no longer listening on X.X.X.60#53
> stopping command channel on 127.0.0.1#953
> loop exclusive mode: starting
> loop exclusive mode: started
> shutting down
> managed-keys-zone: final reference detached
> .
> .
> 
> # systemctl status isc-bind-named.service
> ● isc-bind-named.service
>Loaded: loaded (/usr/lib/systemd/system/isc-bind-named.service; enabled; 
> vendor preset: disabled)
>Active: failed (Result: timeout) since Fri 2025-03-21 14:47:08 EDT; 51min 
> ago
>   Process: 1531 ExecStart=/opt/isc/isc-bind/root/usr/sbin/named -u named -f 
> $OPTIONS (code=exited, status=0/SUCCESS)
> Main PID: 1531 (code=exited, status=0/SUCCESS)
>  
> Mar 21 14:45:37 dns_server named[1531]: checkhints: b.root-servers.net/ 
> (2801:1b8:10::b) missing from hints
> Mar 21 14:45:37  dns_server  named[1531]: checkhints: b.root-servers.net/ 
> (2001:500:200::b) extra record in hints
> Mar 21 14:47:07 dns_server  systemd[1]: isc-bind-named.service: start 
> operation timed out. Terminating.
> Mar 21 14:47:07 dns_server  named[1531]: no longer listening on 127.0.0.1#53
> Mar 21 14:47:07 dns_server  named[1531]: no longer listening on X.X.X.60#53
> Mar 21 14:47:07 dns_server  named[1531]: stopping command channel on 
> 127.0.0.1#953
> Mar 21 14:47:07 dns_server  named[1531]: shutting down
> Mar 21 14:47:08 dns_server   named[1531]: exiting
> Mar 21 14:47:08 dns_server   systemd[1]: isc-bind-named.service: Failed with 
> result 'timeout'.
> Mar 21 14:47:08 dns_server  systemd[1]: Failed to start 
> isc-bind-named.service.
> #
> --
> Joe
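To make concrete what "not sending the systemd notifications to the supervisor" means: for a Type=notify unit, systemd waits for a READY=1 datagram on the socket named in $NOTIFY_SOCKET, and if nothing arrives before TimeoutStartSec it terminates the unit with result 'timeout' even though the process shuts down cleanly with status 0, which is exactly the shape of the status output Joël posted. The following is an added example, not BIND, ISC package or systemd code: sd_notify is a minimal reimplementation of the sd_notify(3) wire format, and supervise is a toy stand-in for systemd's readiness wait written only for this demonstration.

```python
import os
import socket
import tempfile
from typing import Callable, Optional


def sd_notify(state: str, notify_socket: Optional[str] = None) -> bool:
    """Send one sd_notify(3)-style message (e.g. "READY=1") to the supervisor.

    Uses $NOTIFY_SOCKET unless a path is passed explicitly. Returns False when
    no socket is configured, which is what a daemon sees when it was not
    started as Type=notify. A leading '@' marks a Linux abstract-namespace
    socket and is encoded as a leading NUL byte.
    """
    path = notify_socket if notify_socket is not None else os.environ.get("NOTIFY_SOCKET")
    if not path:
        return False
    if path.startswith("@"):
        path = "\0" + path[1:]
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.sendto(state.encode(), path)
    return True


def supervise(service: Callable[[str], None], timeout: float = 1.0) -> str:
    """Toy model of systemd's Type=notify start-up handling.

    Creates the notification socket, runs `service` with its path, then waits
    up to `timeout` seconds for READY=1. Returns "active" when readiness was
    reported and "timeout" otherwise, mirroring "Failed with result 'timeout'"
    for a daemon that never notifies.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "notify")
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as srv:
            srv.bind(path)
            srv.settimeout(timeout)
            service(path)
            try:
                data, _ = srv.recvfrom(4096)
            except socket.timeout:
                return "timeout"
    # The payload is newline-separated KEY=VALUE assignments.
    states = dict(line.split("=", 1) for line in data.decode().splitlines() if "=" in line)
    return "active" if states.get("READY") == "1" else "timeout"


def notifying_service(path: str) -> None:
    """A daemon that reports readiness once its listeners are up (the good case)."""
    sd_notify("READY=1\nSTATUS=listening on 127.0.0.1#53", path)


def silent_service(path: str) -> None:
    """A daemon built without notification support: it runs, but never tells
    the supervisor, so the supervisor eventually gives up and stops it."""
    return None


if __name__ == "__main__":
    print("notifying:", supervise(notifying_service))
    print("silent:   ", supervise(silent_service, timeout=0.5))
```

On a real host the matching check is `systemctl show isc-bind-named.service -p Type -p NotifyAccess -p TimeoutStartUSec`: a unit with Type=notify only reaches "active" if the named binary it runs was built with systemd notification support and is allowed (NotifyAccess) to write to the socket, which is why Ondřej asks whether the packages are stock ISC builds.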


Re: Bind internal name space geo-proximity

2025-03-21 Thread Greg Choules
Hi Karol.
The DNS model is that if a zone contains multiple records of the same type with 
the same owner name - e.g. google.com/NS - then all answers are returned in a 
response to a query: this is known as an RRSET. In the case of NS records, all 
RRSETs from anywhere must be the same, apart from the order of records in the 
set, otherwise the view of the DNS hierarchy becomes inconsistent. This is 
described here: https://datatracker.ietf.org/doc/html/rfc1034#section-2.2

If you use the example you provided, an NS query for google.com currently gets 
these four answers:

;; ANSWER SECTION:
google.com. 341515  IN  NS  ns1.google.com.
google.com. 341515  IN  NS  ns4.google.com.
google.com. 341515  IN  NS  ns3.google.com.
google.com. 341515  IN  NS  ns2.google.com.

Note that, depending on how the authoritative server providing those answers 
has been configured they may be listed in the same order each time or in a 
random order. So it is not reliable, nor correct anyway, to provide only one of 
these records based on who is querying.

One feature you might want to take a look at is BIND's GeoIP support, described 
here: https://bind9.readthedocs.io/en/latest/chapter7.html#access-control-lists 
here: 
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-geoip-directory 
and here: https://kb.isc.org/docs/aa-00971

I hope that helps.
Cheers, Greg

> On 21 Mar 2025, at 22:16, Karol Nowicki via bind-users 
>  wrote:
> 
> Hello Everyone 
> 
> Do we have any option to define the order of domain delegation depending on 
> the query location?
> 
> For example
> 
> google.com. NS  dns1.company.com.
> google.com. NS  dns2.company.com.
> 
> All in one zone file. 
> 
> Now, when a client's query comes from North America it delegates only to dns1, 
> and when a query comes from Europe it delegates to dns2.
> 
> 
> Sent from Yahoo Mail for iPhone 
> 

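For an internal namespace, the GeoIP support Greg points to is normally combined with views, so that clients matched by a `geoip` ACL see a different copy of the zone. The named.conf fragment below is an added example, not configuration from Greg, Karol or ISC documentation; the geoip-directory path, the file names and the use of Karol's google.com delegation are assumptions. Each view carries its own zone file with only the NS record meant for that region, and a final catch-all view serves the complete NS RRset so that clients outside both continents (or without a GeoIP match) still get a consistent answer, which is the caveat Greg raises.

```conf
options {
    directory "/var/named";
    // assumed location of the MaxMind .mmdb databases on this host
    geoip-directory "/usr/share/GeoIP";
};

// ACLs keyed on the continent of the querying client's source address
acl "clients-na" { geoip continent NA; };
acl "clients-eu" { geoip continent EU; };

view "north-america" {
    match-clients { clients-na; };
    zone "google.com" {
        type primary;
        // assumed file: holds only "google.com. NS dns1.company.com."
        file "internal/google.com.na";
    };
};

view "europe" {
    match-clients { clients-eu; };
    zone "google.com" {
        type primary;
        // assumed file: holds only "google.com. NS dns2.company.com."
        file "internal/google.com.eu";
    };
};

// Catch-all: everyone else sees the full, RFC 1034-consistent NS RRset
view "default" {
    match-clients { any; };
    zone "google.com" {
        type primary;
        // assumed file: holds both dns1 and dns2 NS records
        file "internal/google.com";
    };
};
```

Views are evaluated in order, so the catch-all must come last. Because each regional view answers with a different NS RRset, this is only defensible on a resolver or authoritative server that serves private clients; for a namespace visible from the public DNS, Greg's point stands and the NS RRset should be identical everywhere, with any steering done below the delegation instead.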