[Discuss] conditional forwarding with bind

Dan Ritter dsr at randomstring.org
Sat Dec 14 07:39:03 EST 2019


Matthew Gillen wrote: 
> I've got bind running on my home network, and I black-hole a bunch of
> stuff that is general internet hygiene.
> 
> Looking at setting up a kid-friendly subnet, I quickly came to the
> conclusion that the most bang for my buck was blocking DNS for 'bad'
> sites.  (I know that there's a bunch of stuff that could slip through,
> but setting up and monitoring proxies feels like a lot of work; plus the
> kids aren't very computer savvy yet)
> 
> I found a few options, which seem to boil down to
> a) find a list of domains to block and manually set up (by that I mean
> script) dummy zone files
> b) use something like https://www.opendns.com/setupguide/#familyshield
> 
> I was going for 'b', but what I wanted was for most of my network to use
> my normal forwarding, but for a particular subnet to instead use the
> OpenDNS FamilyShield servers as forwarders.
> 

Have you considered using DHCP to:

- assign consistent IP addresses to particular MAC addresses
- offer an alternative DNS server to your second-class citizens

Then you either use the censorware DNS servers directly for
those devices, or set up a small DNS forwarder that does that.

> Finally figured out how to do that with views, but ultimately had to
> disable DNSSEC for the view that was using the OpenDNS forwarders. Now
> that I see how it works, I understand why they can't support DNSSEC (if
> you go to a 'bad' url it will resolve to one of their webservers
> explaining it was intentionally blocked and why; that spoofed response
> is exactly what DNSSEC is supposed to prevent).
> 
> Losing DNSSEC pains me though, so looking at potentially going with
> option 'a'.  Are there free/open (but maintained) lists of domains that
> can be used to blacklist content?

Many, many, many. "dns blacklist" and whatever specific terms
you want -- adult, porn, religion, drugs, horticulture... will
get you references.

For what it's worth, my kids are now 16 and 14, and our method was to
put their available computing devices in the living room rather than
their bedrooms until a year or so ago. This worked quite well.


-dsr-
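The thread's option (a) is to script "dummy zone files" from a maintained domain blocklist so the resolver can keep DNSSEC validation on. The script below is an added example, not code from either poster: it parses a blocklist in either plain-domain or hosts-file format, drops entries already covered by a blocked parent domain, and renders both a BIND response-policy (RPZ) zone and the classic per-domain empty-zone stanzas. The zone name `kidblock.rpz`, the path `/etc/bind/db.empty` and the sample blocklist are constructed placeholders.

```python
"""Build BIND block zones from a domain blocklist (added example, not from the thread)."""
import re

# One hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Loopback/unspecified addresses used by hosts-file style blocklists.
_HOSTS_SINKS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
_HOSTS_NOISE = {"localhost", "localhost.localdomain", "local", "broadcasthost"}


def parse_blocklist(text):
    """Return sorted, unique, lower-cased domains from plain or hosts-format lines.

    Blank lines, '#' comments, hosts-file localhost noise and anything that is
    not a syntactically valid multi-label hostname are skipped.
    """
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # "0.0.0.0 example.com" -> take the name; otherwise the first field is the name.
        name = fields[1] if len(fields) >= 2 and fields[0] in _HOSTS_SINKS else fields[0]
        name = name.lower().rstrip(".")
        if name in _HOSTS_NOISE:
            continue
        labels = name.split(".")
        if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
            continue
        domains.add(name)
    return sorted(domains)


def collapse_subdomains(domains):
    """Drop names already covered by a blocked parent (both outputs block whole subtrees)."""
    kept = set()
    # Shortest names first, so parents are decided before their children.
    for name in sorted(set(domains), key=lambda d: (d.count("."), d)):
        labels = name.split(".")
        parents = [".".join(labels[i:]) for i in range(1, len(labels))]
        if not any(parent in kept for parent in parents):
            kept.add(name)
    return sorted(kept)


def rpz_zone(domains, serial=1):
    """Render an RPZ zone body: 'CNAME .' means NXDOMAIN for the name and its subtree."""
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.localhost. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for name in collapse_subdomains(domains):
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return "\n".join(lines) + "\n"


def dummy_zone_stanzas(domains, empty_zone_file="/etc/bind/db.empty"):
    """Render named.conf stanzas making the resolver authoritative for each blocked domain.

    An empty zone answers NXDOMAIN for every name beneath it, which is the
    traditional 'dummy zone' technique the thread refers to. The file path is
    a placeholder assumption.
    """
    return "".join(
        f'zone "{name}" {{ type master; file "{empty_zone_file}"; }};\n'
        for name in collapse_subdomains(domains)
    )


# Constructed sample mixing hosts-file lines, plain domains, noise and a duplicate.
SAMPLE_BLOCKLIST = """\
# constructed sample blocklist
0.0.0.0 ads.example.com
0.0.0.0 example.com   # parent entry covers ads.example.com
127.0.0.1 localhost
tracker.example.net
TRACKER.EXAMPLE.NET.
not a domain
"""

if __name__ == "__main__":
    names = parse_blocklist(SAMPLE_BLOCKLIST)
    print(rpz_zone(names))
    print(dummy_zone_stanzas(names))
```

The RPZ output is meant to be loaded as a zone (here assumed to be called `kidblock.rpz`) and referenced from the kid subnet's view with `response-policy { zone "kidblock.rpz"; };`, while `dnssec-validation` stays enabled in that view; the resolver keeps validating upstream data and only rewrites its own answers for listed names, which is the property option (a) preserves and the forwarder approach gives up. Either output only matches by name, so it has the same coverage limits the original post already acknowledges.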
