Differences
bind_whitelist [2017-04-12T11:50:55Z] – fusl | bind_whitelist [2021-11-30T12:10:46Z] (current) – [BIND-whitelist-9.3.4-P1.README] Vip00722 | ||
---|---|---|---|
Line 14: | Line 14: | ||
This should resolve with a valid ANSWER section. Now you should be able to repeat the first dig command and have the query return with a valid answer. | This should resolve with a valid ANSWER section. Now you should be able to repeat the first dig command and have the query return with a valid answer. | ||
- | === BIND-whitelist-9.3.4-P1.README === | ||
- | $Id: BIND-whitelist.README, | ||
- | | ||
- | BIND-whitelist (for BIND 9.3.4-P1) | ||
- | | ||
- | Copyright (c) 2011, Brian Koontz < | ||
- | | ||
- | This file is part of BIND-whitelist. | ||
- | | ||
- | BIND-whitelist is free software: you can redistribute it and/or modify | ||
- | it under the terms of the GNU General Public License as published by | ||
- | the Free Software Foundation, either version 3 of the License, or | ||
- | (at your option) any later version. | ||
- | | ||
- | BIND-whitelist is distributed in the hope that it will be useful, | ||
- | but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
- | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | ||
- | GNU General Public License for more details. | ||
- | | ||
- | You should have received a copy of the GNU General Public License | ||
- | along with BIND-whitelist. | ||
- | | ||
- | | ||
- | This README belongs to a collection of files and patches that | ||
- | implements an IP-based whitelist for BIND. These files are | ||
- | version-specific and will most likely not work with versions of | ||
- | BIND other than that version specified at the top of this file. | ||
- | | ||
- | WHAT IT DOES | ||
- | | ||
- | BIND-whitelist implements an IP-based whitelist at the query | ||
- | level for the named daemon. | ||
- | query any of the existing OpenNIC TLDs are added to the | ||
- | whitelist, along with the time of the query. | ||
- | whitelist are permitted to query any TLD (OpenNIC or ICANN). | ||
- | not in the whitelist must query an OpenNIC TLD first before | ||
- | subsequent ICANN TLDs can be queried. | ||
- | whitelist, queries against ICANN TLDs are returned as REFUSED. | ||
- | | ||
- | IPs are removed from the whitelist after a specified timeout | ||
- | period (default is 1 month). Each time an OpenNIC TLD is queried, | ||
- | the timestamp is updated and the timeout period " | ||
- | | ||
- | PREREQUISITES | ||
- | | ||
- | In addition to the specific version of BIND specified above, this | ||
- | distribution requires Berkeley DB 4. The BDB 4 utilities | ||
- | (especially db_stat and db_dump) are not required, but are very | ||
- | useful for monitoring whitelist activity. | ||
- | | ||
- | INSTALLATION | ||
- | | ||
- | The BIND source tree for the version specified above needs to be | ||
- | downloaded from http:// | ||
- | | ||
- | Prior to compiling BIND per the instructions included in the | ||
- | distribution, | ||
- | in the top-level BIND source tree directory. | ||
- | BIND-whitelist-< | ||
- | tree. Make sure the patch file is in the top-level directory, | ||
- | the execute the patch utility: | ||
- | | ||
- | patch -p0 < BIND-whitelist-< | ||
- | | ||
- | After applying the patch, open bin/ | ||
- | the DATABASE and TTL (time-to-live) defines as appropriate. | ||
- | in mind that if you're running named in a chroot jail (using the | ||
- | named -t option), the DATABASE path should reflect the path | ||
- | within the chroot environment. | ||
- | | ||
- | Compile and install BIND per the instructions provided in the | ||
- | distribution. | ||
- | BIND installation, | ||
- | run " | ||
- | manually copy this to wherever named is currently installed.) | ||
- | | ||
- | The whitelist database must be created and initialized prior to | ||
- | use. | ||
- | | ||
- | Compile the create_db.c file using the following command: | ||
- | | ||
- | gcc -O2 create_db.c -o create_db -ldb | ||
- | | ||
- | You should now have a file called whitelist.db. | ||
- | following command to view the contents: | ||
- | | ||
- | db_dump -p ./ | ||
- | | ||
- | You should see output similar to the following: | ||
- | | ||
- | VERSION=3 | ||
- | format=print | ||
- | type=btree | ||
- | db_pagesize=4096 | ||
- | HEADER=END | ||
- | bbs | ||
- | |||
- | bzh | ||
- | |||
- | dyn | ||
- | |||
- | free | ||
- | |||
- | fur | ||
- | |||
- | geek | ||
- | |||
- | | ||
- | |||
- | indy | ||
- | |||
- | ing | ||
- | |||
- | micro | ||
- | |||
- | null | ||
- | |||
- | oss | ||
- | |||
- | | ||
- | |||
- | DATA=END | ||
- | | ||
- | If the output matches the above, copy the whitelist.db file to | ||
- | whatever you set DATABASE to in whitelist.h (keep in mind that | ||
- | you will need to prepend your chroot path to this value if you | ||
- | are running named in a chroot jail). | ||
- | | ||
- | Stop and restart named. | ||
- | | ||
- | / | ||
- | / | ||
- | | ||
- | TESTING THE INSTALLATION | ||
- | | ||
- | Test by trying to resolve an ICANN TLD: | ||
- | | ||
- | dig @<your nameserver IP> www.google.com | ||
- | | ||
- | The return value should be REFUSED. | ||
- | | ||
- | Now attempt to resolve an OpenNIC TLD: | ||
- | | ||
- | dig @<your nameserver IP> www.geek | ||
- | | ||
- | You should receive a valid ANSWER section back. | ||
- | | ||
- | Now retest with another ICANN TLD. It should now resolve | ||
- | normally. | ||
- | | ||
- | You can routinely monitor the contents of the whitelist database | ||
- | by using db_dump or, alternatively, | ||
- | | ||
- | db_dump -p / | ||
- | | ||
- | db_stat -d / | ||
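Review bot: the whole BIND-whitelist README section, from the "=== BIND-whitelist-9.3.4-P1.README ===" heading down to the closing db_dump / db_stat monitoring commands, is deleted in this revision with no replacement text and no pointer to where the README now lives; the revision summary only names the section, not the reason. The removed block is the only place on the page that states what the whitelist actually enforces (ICANN-TLD queries from an IP not yet in the whitelist answered REFUSED until that IP queries an OpenNIC TLD, entries expiring after the default 1 month timeout), the prerequisite on Berkeley DB 4, the "patch -p0 < BIND-whitelist-<...>" install step, and the caveat that DATABASE in whitelist.h must be the path inside the chroot when named runs with -t. The unchanged context line above ("This should resolve with a valid ANSWER section. Now you should be able to repeat the first dig command...") still refers to that test procedure, so after this change a reader has the tail of the testing steps without the setup or the REFUSED semantics they depend on. If the material was dropped because the patch only targets BIND 9.3.4-P1 and is obsolete, keep a one-line note saying so together with a link to the original README (or the "see the README shipped with the patch" wording), so the access-control behaviour and the chroot path caveat remain discoverable from this page.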