Cool Solution - Simple domain blacklisting with DNS

From Univention Wiki

Jump to: navigation, search
Produktlogo UCS Version 4.3
Produktlogo UCS@School Version 4.3

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions Repository are built by Univention, but will not be maintained. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.

This article will demonstrate one way to prevent your network users reaching certain websites.
The local domain name server is going to return different, settable IP addresses for every blacklisted domain which the requesting client is then trying to reach instead of their original domain. Nothing has to be configured on the client side for this solution to work.


Installation

Install the UCS DNS blacklist package:

univention-install univention-bind-blacklist

After installing the package, the package can be configured

Configuration

You can now create your own blacklists in the following local folder:

/etc/univention/bind-blacklist/

Here, you can create text files containing one domain name per line. Each of them and all their subdomains are going to be blocked.
After creating the lists, you will have to configure the following UCR variables:

UCR Variable Description Example
dns/blacklist/ipv4 The IPv4 that will be sent back as answer to the request 127.0.0.1
dns/blacklist/ipv6 The IPv6 that will be sent back as answer to the request  ::1

You should enter the IPv4 and IPv6 into both variables respectively, which you want to be given back as the IP addresses of the blocked domain. You can either enter the localhost IP address, which will result in the requesting client trying to reach himself, or you can enter the IP address of a server, which can offer a blocked page under this IP address.

You will have to call the following script to regenerate the bind9 database after adding or changing your files:

/usr/share/univention-bind-blacklist/univention-bind-blacklist

Prevent bypass by using other DNS servers

The easiest way to prevent users from bypassing this blacklist is by using a router or firewall.
One option is, to simply block all DNS requests and their used port, if the target isn't your UCS server. Also possible could be DNS Hijacking, which means that you redirect all DNS requests originally not meant for your UCS server to it. This can easily be done through port forwarding and has been successfully tested with pfSense.

Automatically integrate externally maintained blacklists

You can also combine this solution with the Shallalist Downloader solution, if you want to automate blocking dangerous and/or unwanted websites.
With this solution, you are able to automatically download the newest blacklists maintained by Shalla Secure Services.
They will automatically be blocked in your UCS DNS Server after both cool solutions are installed as described and the UCR Variable dns/blacklist/record/domains is configured as explained in the Shalla List downloader solution.
Everything else will be done automatically.

Personal tools