[Discuss] conditional forwarding with bind

Matthew Gillen me at mattgillen.net
Sat Dec 14 02:26:08 EST 2019


I've got bind running on my home network, and I black-hole a bunch of
stuff that is general internet hygiene.

Looking at setting up a kid-friendly subnet, I quickly came to the
conclusion that the most bang for my buck was blocking DNS for 'bad'
sites.  (I know that there's a bunch of stuff that could slip through,
but setting up and monitoring proxies feels like a lot of work; plus the
kids aren't very computer savvy yet)

I found a few options, which seem to boil down to
a) find a list of domains to block and manually set up (by that I mean
script) dummy zone files
b) use something like https://www.opendns.com/setupguide/#familyshield

I was going for 'b', but what I wanted was for most of my network to use
my normal forwarding, but for a particular subnet to instead use the
OpenDNS FamilyShield servers as forwarders.

Finally figured out how to do that with views, but ultimately had to
disable DNSSEC for the view that was using the OpenDNS forwarders. Now
that I see how it works, I understand why they can't support DNSSEC (if
you go to a 'bad' URL it will resolve to one of their webservers
explaining it was intentionally blocked and why; that spoofed response
is exactly what DNSSEC is supposed to prevent).

Losing DNSSEC pains me though, so looking at potentially going with
option 'a'.  Are there free/open (but maintained) lists of domains that
can be used to blacklist content?

Thanks,
Matt
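
The per-subnet forwarding setup described in the message above, sketched as a named.conf fragment. This is an added example, not the poster's actual configuration: the subnet 192.168.20.0/24, the view names, the directory path and the 192.0.2.53 forwarder are placeholders, while 208.67.222.123 and 208.67.220.123 are the published FamilyShield resolvers.

```conf
// Constructed example: addresses other than the FamilyShield
// resolvers are placeholders to replace with your own values.
acl "kids-net" { 192.168.20.0/24; };

options {
    directory "/var/named";
    allow-query { localhost; 192.168.0.0/16; };
};

// Views are matched in order, so the narrow view comes first.
view "kids" {
    match-clients { "kids-net"; };
    recursion yes;

    // OpenDNS FamilyShield resolvers.
    forwarders { 208.67.222.123; 208.67.220.123; };

    // "only" stops named from falling back to iterative resolution,
    // which would bypass the filtering forwarders.
    forward only;

    // Blocked names come back pointing at the block page, which cannot
    // validate against signed zones, so validation is off in this view.
    dnssec-validation no;
};

// Everything else keeps normal forwarding with DNSSEC validation on.
view "default" {
    match-clients { any; };
    recursion yes;
    forwarders { 192.0.2.53; };   // placeholder for the usual upstream
    forward only;
    dnssec-validation auto;
};
```

Once any view is defined, every zone statement (including existing black-hole zones) has to live inside a view, so those zones need to be repeated or included in each view that should serve them. `named-checkconf` will flag zones left outside a view.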

