
BIND9 support

Open Avamander opened this issue 2 years ago • 7 comments

It would be nice if all these hosts could be blocked using BIND9 as the local caching resolver.

Avamander avatar Jul 19 '21 15:07 Avamander

Can you provide a sample configuration? I will have a look at this at some point (could take some time, as adding new parsers requires quite some testing / updating of scripts).

notracking avatar Aug 01 '21 09:08 notracking

E.g. /etc/bind/db.adblock:

$TTL     86400   ; one day
@ IN SOA intradns.mydomain. root.mydomain. (
    2015082801   ; serial number YYYYMMDDNN
         28800   ; refresh 8 hours
          7200   ; retry 2 hours
        864000   ; expire 10 days
         86400 ) ; min ttl 1 day
     NS intradns.mydomain.
@ IN A  192.168.2.60 ; address for domain itself (zone file comments use ';', not '#')
* IN A  192.168.2.60 ; address for all subdomains

In /etc/bind/zones/adblock one can create lines like these:

zone "adnetwork1.com" IN { type master; notify no; file "/etc/bind/db.adblock"; };
zone "some.adnetwork2.com" IN { type master; notify no; file "/etc/bind/db.adblock"; };

There are a few examples here as well:
https://tk-sls.de/wp/3827/3
https://github.com/Trellmor/bind-adblock
https://medium.com/@d.robertson/dns-level-ad-blocking-on-lan-with-bind-rpz-32dbfdf2e4fe

Avamander avatar Aug 01 '21 13:08 Avamander

This works for me. I have BSD, so if you are on Linux, swap out fetch -o with wget -O.

#!/usr/local/bin/perl

# blockdomains2bind.pl - script to convert notracking domain list to ISC Bind config
# Mon Apr 11 16:07:41 PDT 2022, created, rudy
#
# Usage: perl blockdomains2bind.pl hostnames
# Usage: perl blockdomains2bind.pl domains
#
# Force regeneration of conf file:
#  perl blockdomains2bind.pl hostnames 1
#
# I found the domains list did not work for me... 
#
# add this to named.conf: 
#   include "/usr/local/etc/namedb/blockdomains.conf";
# or
#   include "/usr/local/etc/namedb/blockhostnames.conf";

use strict;
use warnings;

my ($file, $conf, $url, $regex);

my $mode = shift || 'hostnames';  # or domains!
my $force = shift || undef;

if ($mode eq 'hostnames') {
    $file = '/usr/local/etc/namedb/blockhostnames.txt';
    $conf = '/usr/local/etc/namedb/blockhostnames.conf';
    $url = 'https://github.com/notracking/hosts-blocklists/raw/master/hostnames.txt';
    # example line: 0.0.0.0 0grex12.no-ip.org
    $regex = qr/^0\.0\.0\.0 (\S+)$/;          # dots escaped: an unescaped '.' matches any character
} else {
    $file = '/usr/local/etc/namedb/blockdomains.txt';
    $conf = '/usr/local/etc/namedb/blockdomains.conf';
    $url = 'https://github.com/notracking/hosts-blocklists/raw/master/domains.txt';
    # example line: address=/2cyp.com/0.0.0.0
    $regex = qr{^address=/([^/]+)/0\.0\.0\.0$};
}

print "BIND9 integration... add this line to your named.conf\n";
print "  include \"$conf\";\n";
print "view your logs (/var/log/messages ?) and check for errors!\n";

if (! $force && -f $conf && -f $file && -M $conf < -M $file) {
    print "Exiting, config more recent than data\n";
    exit;
} elsif (! -f $file || -M $file > 1) {
    # fetch when the list is missing or more than a day old (the original only
    # fetched when the file already existed, so a first run never downloaded it)
    print "Fetching $file\n";
    system('fetch', '-o', $file, $url) == 0 or die "fetch of $url failed: $?";
} else {
    printf("Found $file %.2f days old\n", -M $file);
}

open my $blocklist, '<', $file or die "cannot open $file: $!";
open my $out, '>', $conf or die "cannot open $conf: $!";

while (my $line = <$blocklist>) {
    chomp $line;
    next if $line =~ /use-application-dns\.net/; # canary domain for dns over https
    next if $line =~ /hearstnp/;                 # sfchron
    if ($line =~ $regex) {
        my $name = $1;
        # the list is downloaded from the internet and interpolated into named.conf:
        # only letters, digits, dots and hyphens are allowed through, so a name
        # carrying a quote, semicolon or brace cannot alter the configuration
        next unless $name =~ /^[A-Za-z0-9.-]+$/;
        print $out "zone \"$name\" in { type primary; file \"master/blocklist.db\"; };\n";
    }
}
close $blocklist;
close $out;

# the original had a stray 'exit;' here, so the reload below never ran
print "Reloading Bind via rndc reload command\n";
system('rndc', 'reload') == 0 or warn "rndc reload failed: $?";

__END__

example blocklist.db ...

$TTL 3h
; Zone for bogus return... used for trackers to enable better privacy.
@ SOA @ nobody.localhost. 42 1d 12h 1w 3h
    ; Serial, Refresh, Retry, Expire, Neg. cache TTL
@ NS @    ; named refuses to load a zone with no NS record at the apex

; resolve to localhost + 1
@    A    127.0.0.2
*    A    127.0.0.2
@       AAAA    ::2
*       AAAA    ::2

rururudy avatar Apr 11 '22 17:04 rururudy

I had a shorter script that just did domains, but I found that it was blocking too much stuff. Reworked the script to do either 'hostnames' or 'domains' for BIND9. I recommend hostnames -- this is based on my extensive 4 hours' experience using this filter list. /s

rururudy avatar Apr 11 '22 23:04 rururudy

> Can you provide a sample configuration? I will have a look at this at some point (could take some time, as adding new parsers requires quite some testing / updating of scripts).

Here is the output:

zone "zzxxc0939.noip.me" in { type primary; file "master/blocklist.db"; };
zone "zzxxccllkkjj99.zapto.org" in { type primary; file "master/blocklist.db"; };
zone "zzxz.no-ip.biz" in { type primary; file "master/blocklist.db"; };
zone "zzz.onion.pet" in { type primary; file "master/blocklist.db"; };

rururudy avatar Apr 11 '22 23:04 rururudy

bump, please add BIND9 RPZ support

alsyundawy avatar Sep 17 '22 19:09 alsyundawy
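Both approaches in this thread, the one-zone-per-name configuration above and the RPZ zone requested here, need the same conversion step: parse hostnames.txt or domains.txt and emit BIND configuration. The following is an added example, not code from the project or from any comment here; it is Python rather than the Perl above, and the file names, the `rpz.local` zone name and the `localhost.` name server are assumptions. The point it adds is that the list is downloaded from the internet and pasted into named.conf, so every name is checked as LDH labels before it is emitted; the sample input is constructed and includes a line that would otherwise inject a second `zone` stanza.

```python
"""Added example: convert the notracking hostnames.txt / domains.txt formats into
BIND 9 configuration, either as one zone stanza per name or as a single
response-policy zone (RPZ). Names are validated before they reach named.conf."""
import re
import sys
from datetime import datetime, timezone

HOSTS_RE = re.compile(r"^0\.0\.0\.0\s+(\S+)$")             # hostnames.txt: 0.0.0.0 name
DNSMASQ_RE = re.compile(r"^address=/([^/]+)/0\.0\.0\.0$")  # domains.txt:   address=/name/0.0.0.0
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")     # one LDH label, no edge hyphen
# Firefox turns DoH off when this name fails to resolve; kept resolvable here,
# as the Perl script above does. Drop the check if you want it blocked.
CANARY = "use-application-dns.net"

# Constructed sample input in both list formats (not taken from the real lists).
SAMPLE_HOSTS = """\
# comment line
0.0.0.0 0grex12.no-ip.org
0.0.0.0 Tracker.Example.COM
0.0.0.0 use-application-dns.net
0.0.0.0 bad.example";zone"injected
0.0.0.0 -leading-hyphen.example
"""
SAMPLE_DOMAINS = """\
address=/2cyp.com/0.0.0.0
address=/ads.example.net/0.0.0.0
"""


def is_valid_hostname(name: str) -> bool:
    """Strict LDH check: a name that passes is safe to interpolate into
    named.conf or a zone file (no quotes, semicolons, braces or spaces)."""
    if len(name) > 253 or "." not in name:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def parse_blocklist(text: str):
    """Return (accepted, skipped): unique lowercase names in input order, and the
    raw lines dropped because they did not parse, failed validation or named the canary."""
    accepted, skipped, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HOSTS_RE.match(line) or DNSMASQ_RE.match(line)
        name = m.group(1).lower().rstrip(".") if m else ""
        if not name or name == CANARY or not is_valid_hostname(name):
            skipped.append(line)
            continue
        if name not in seen:
            seen.add(name)
            accepted.append(name)
    return accepted, skipped


def per_zone_config(names, zone_file="master/blocklist.db") -> str:
    """One zone stanza per name, the layout used in this thread; `include` the
    result from named.conf. Thousands of zones means thousands of zone objects."""
    return "".join(
        f'zone "{n}" IN {{ type primary; notify no; file "{zone_file}"; }};\n'
        for n in names
    )


def rpz_zone(names, serial: int, ns: str = "localhost.") -> str:
    """One RPZ zone answering NXDOMAIN (`CNAME .`) for every name and its
    subdomains; use `A 127.0.0.2` instead to mimic the zone files above."""
    out = ["$TTL 3h",
           f"@ SOA {ns} nobody.{ns} {serial} 1d 12h 1w 3h",
           f"@ NS {ns}"]
    for n in names:
        out.append(f"{n} CNAME .")
        out.append(f"*.{n} CNAME .")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # usage: python3 blocklist2bind.py [hostnames.txt|domains.txt] > master/rpz.local.db
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS + SAMPLE_DOMAINS
    names, skipped = parse_blocklist(text)
    for line in skipped:
        print(f"skipped: {line!r}", file=sys.stderr)
    serial = int(datetime.now(timezone.utc).strftime("%Y%m%d%H"))
    print(rpz_zone(names, serial), end="")
```

To use the RPZ output, declare the zone in named.conf, `zone "rpz.local" { type primary; file "master/rpz.local.db"; allow-query { none; }; };`, and enable it in `options` with `response-policy { zone "rpz.local"; };` (the zone name is an assumption). Run `named-checkzone rpz.local master/rpz.local.db` before `rndc reload` so a malformed line fails the check rather than the running resolver.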

any update?

alsyundawy avatar Jun 07 '23 18:06 alsyundawy