Differences
| bind_whitelist [2017-04-12T11:50:55Z] – fusl | bind_whitelist [2021-11-30T12:10:46Z] (current) – [BIND-whitelist-9.3.4-P1.README] Vip00722 | ||
|---|---|---|---|
| Line 14: | Line 14: | ||
| This should resolve with a valid ANSWER section. Now you should be able to repeat the first dig command and have the query return with a valid answer. | This should resolve with a valid ANSWER section. Now you should be able to repeat the first dig command and have the query return with a valid answer. | ||
| - | === BIND-whitelist-9.3.4-P1.README === | ||
| - | $Id: BIND-whitelist.README, | ||
| - | | ||
| - | BIND-whitelist (for BIND 9.3.4-P1) | ||
| - | | ||
| - | Copyright (c) 2011, Brian Koontz < | ||
| - | | ||
| - | This file is part of BIND-whitelist. | ||
| - | | ||
| - | BIND-whitelist is free software: you can redistribute it and/or modify | ||
| - | it under the terms of the GNU General Public License as published by | ||
| - | the Free Software Foundation, either version 3 of the License, or | ||
| - | (at your option) any later version. | ||
| - | | ||
| - | BIND-whitelist is distributed in the hope that it will be useful, | ||
| - | but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| - | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | ||
| - | GNU General Public License for more details. | ||
| - | | ||
| - | You should have received a copy of the GNU General Public License | ||
| - | along with BIND-whitelist. | ||
| - | | ||
| - | | ||
| - | This README belongs to a collection of files and patches that | ||
| - | implements an IP-based whitelist for BIND. These files are | ||
| - | version-specific and will most likely not work with versions of | ||
| - | BIND other than that version specified at the top of this file. | ||
| - | | ||
| - | WHAT IT DOES | ||
| - | | ||
| - | BIND-whitelist implements an IP-based whitelist at the query | ||
| - | level for the named daemon. | ||
| - | query any of the existing OpenNIC TLDs are added to the | ||
| - | whitelist, along with the time of the query. | ||
| - | whitelist are permitted to query any TLD (OpenNIC or ICANN). | ||
| - | not in the whitelist must query an OpenNIC TLD first before | ||
| - | subsequent ICANN TLDs can be queried. | ||
| - | whitelist, queries against ICANN TLDs are returned as REFUSED. | ||
| - | | ||
| - | IPs are removed from the whitelist after a specified timeout | ||
| - | period (default is 1 month). Each time an OpenNIC TLD is queried, | ||
| - | the timestamp is updated and the timeout period " | ||
| - | | ||
| - | PREREQUISITES | ||
| - | | ||
| - | In addition to the specific version of BIND specified above, this | ||
| - | distribution requires Berkeley DB 4. The BDB 4 utilities | ||
| - | (especially db_stat and db_dump) are not required, but are very | ||
| - | useful for monitoring whitelist activity. | ||
| - | | ||
| - | INSTALLATION | ||
| - | | ||
| - | The BIND source tree for the version specified above needs to be | ||
| - | downloaded from http:// | ||
| - | | ||
| - | Prior to compiling BIND per the instructions included in the | ||
| - | distribution, | ||
| - | in the top-level BIND source tree directory. | ||
| - | BIND-whitelist-< | ||
| - | tree. Make sure the patch file is in the top-level directory, | ||
| - | the execute the patch utility: | ||
| - | | ||
| - | patch -p0 < BIND-whitelist-< | ||
| - | | ||
| - | After applying the patch, open bin/ | ||
| - | the DATABASE and TTL (time-to-live) defines as appropriate. | ||
| - | in mind that if you're running named in a chroot jail (using the | ||
| - | named -t option), the DATABASE path should reflect the path | ||
| - | within the chroot environment. | ||
| - | | ||
| - | Compile and install BIND per the instructions provided in the | ||
| - | distribution. | ||
| - | BIND installation, | ||
| - | run " | ||
| - | manually copy this to wherever named is currently installed.) | ||
| - | | ||
| - | The whitelist database must be created and initialized prior to | ||
| - | use. | ||
| - | | ||
| - | Compile the create_db.c file using the following command: | ||
| - | | ||
| - | gcc -O2 create_db.c -o create_db -ldb | ||
| - | | ||
| - | You should now have a file called whitelist.db. | ||
| - | following command to view the contents: | ||
| - | | ||
| - | db_dump -p ./ | ||
| - | | ||
| - | You should see output similar to the following: | ||
| - | | ||
| - | VERSION=3 | ||
| - | format=print | ||
| - | type=btree | ||
| - | db_pagesize=4096 | ||
| - | HEADER=END | ||
| - | bbs | ||
| - | |||
| - | bzh | ||
| - | |||
| - | dyn | ||
| - | |||
| - | free | ||
| - | |||
| - | fur | ||
| - | |||
| - | geek | ||
| - | |||
| - | | ||
| - | |||
| - | indy | ||
| - | |||
| - | ing | ||
| - | |||
| - | micro | ||
| - | |||
| - | null | ||
| - | |||
| - | oss | ||
| - | |||
| - | | ||
| - | |||
| - | DATA=END | ||
| - | | ||
| - | If the output matches the above, copy the whitelist.db file to | ||
| - | whatever you set DATABASE to in whitelist.h (keep in mind that | ||
| - | you will need to prepend your chroot path to this value if you | ||
| - | are running named in a chroot jail). | ||
| - | | ||
| - | Stop and restart named. | ||
| - | | ||
| - | / | ||
| - | / | ||
| - | | ||
| - | TESTING THE INSTALLATION | ||
| - | | ||
| - | Test by trying to resolve an ICANN TLD: | ||
| - | | ||
| - | dig @<your nameserver IP> www.google.com | ||
| - | | ||
| - | The return value should be REFUSED. | ||
| - | | ||
| - | Now attempt to resolve an OpenNIC TLD: | ||
| - | | ||
| - | dig @<your nameserver IP> www.geek | ||
| - | | ||
| - | You should receive a valid ANSWER section back. | ||
| - | | ||
| - | Now retest with another ICANN TLD. It should now resolve | ||
| - | normally. | ||
| - | | ||
| - | You can routinely monitor the contents of the whitelist database | ||
| - | by using db_dump or, alternatively, | ||
| - | | ||
| - | db_dump -p / | ||
| - | | ||
| - | db_stat -d / | ||
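Review bot: the entire BIND-whitelist README block (license header, WHAT IT DOES, PREREQUISITES, INSTALLATION, TESTING THE INSTALLATION) is removed with nothing added on the right-hand side, so after this revision the page no longer states what the patch actually does: that a client IP is added to the whitelist, with a timestamp, when it queries an OpenNIC TLD; that IPs not in the whitelist get REFUSED for ICANN TLDs; that entries expire after the TTL (default one month); and that the DATABASE path in whitelist.h must be the path inside the chroot when named runs with -t. If the intent is only to stop carrying an inline copy, add a link to where the README now lives after the retained Line 14 paragraph, and keep at least the WHAT IT DOES and chroot-path notes, since an operator reading only the remaining page cannot tell why an ICANN lookup returns REFUSED or why named fails to open the database in a jailed install.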