BLU Discuss list archive
[Discuss] conditional forwarding with bind
- Subject: [Discuss] conditional forwarding with bind
- From: dsr at randomstring.org (Dan Ritter)
- Date: Sat, 14 Dec 2019 07:39:03 -0500
- In-reply-to: <1093a30b-7c99-9ea7-79ad-e5504e8804e0@mattgillen.net>
- References: <1093a30b-7c99-9ea7-79ad-e5504e8804e0@mattgillen.net>
Matthew Gillen wrote:
> I've got bind running on my home network, and I black-hole a bunch of
> stuff that is general internet hygiene.
>
> Looking at setting up a kid-friendly subnet, I quickly came to the
> conclusion that the most bang for my buck was blocking DNS for 'bad'
> sites. (I know that there's a bunch of stuff that could slip through,
> but setting up and monitoring proxies feels like a lot of work; plus the
> kids aren't very computer savvy yet)
>
> I found a few options, which seem to boil down to
> a) find a list of domains to block and manually set up (by that I mean
> script) dummy zone files
> b) use something like https://www.opendns.com/setupguide/#familyshield
>
> I was going for 'b', but what I wanted was for most of my network to use
> my normal forwarding, but for a particular subnet to instead use the
> OpenDNS FamilyShield servers as forwarders.
>

Have you considered using DHCP to:

- assign consistent IP addresses to particular MAC addresses
- offer an alternative DNS server to your second-class citizens

Then you either use the censorware DNS servers directly for those
devices, or set up a small DNS forwarder that does that.

> Finally figured out how to do that with views, but ultimately had to
> disable DNSSEC for the view that was using the OpenDNS forwarders. Now
> that I see how it works, I understand why they can't support DNSSEC (if
> you go to a 'bad' url it will resolve to one of their webservers
> explaining it was intentionally blocked and why; that spoofed response
> is exactly what DNSSEC is supposed to prevent).
>
> Losing DNSSEC pains me though, so looking at potentially going with
> option 'a'. Are there free/open (but maintained) lists of domains that
> can be used to blacklist content?

Many, many, many. "dns blacklist" and whatever specific terms you
want -- adult, porn, religion, drugs, horticulture... will get you
references.

For what it's worth, my kids are now 16 and 14, and our method was to
put their available computing devices in the living room rather than
their bedrooms until a year or so ago. This worked quite well.

-dsr-
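
Option 'a' from the quoted message (scripted dummy zone files built from a downloaded list), as an added example that is not code from either poster: it turns a plain or hosts-format blocklist into BIND zone statements and validates every name first, so a malformed list entry cannot inject configuration into named.conf. The zone file path and the sample list are assumptions made for the illustration.

```python
import re

# Assumption: one shared, empty zone file (SOA and NS records only).
BLACKHOLE_ZONE_FILE = "/etc/bind/db.blackhole"
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

# Constructed sample input, not a real blocklist.
SAMPLE = '''\
# comment line
0.0.0.0 ads.bad.example
bad.example
Tracker.Example.NET.
127.0.0.1 localhost
evil.example"; }; zone "x
'''

def parse_blocklist(text):
    """Return valid lower-cased names from plain or hosts-format lines."""
    domains = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].lower().split()
        if not fields:
            continue
        name = fields[-1].rstrip(".")  # hosts format: the name is the last field
        labels = name.split(".")
        if len(name) > 253 or len(labels) < 2 or labels[-1].isdigit():
            continue
        # Reject anything that is not a plain hostname, so a list entry
        # can never carry quotes, braces or semicolons into named.conf.
        if all(LABEL.fullmatch(label) for label in labels):
            domains.add(name)
    return domains

def drop_covered(domains):
    """Drop names below a listed parent; the parent zone already covers them."""
    keep = []
    for name in sorted(domains):
        labels = name.split(".")
        parents = {".".join(labels[i:]) for i in range(1, len(labels) - 1)}
        if not parents & domains:
            keep.append(name)
    return keep

def render_zones(domains, zone_file=BLACKHOLE_ZONE_FILE):
    """Emit one zone statement per name, all served from the same dummy file."""
    return "".join(
        f'zone "{d}" {{ type master; file "{zone_file}"; }};\n' for d in domains
    )

if __name__ == "__main__":
    print(render_zones(drop_covered(parse_blocklist(SAMPLE))), end="")
```

The generated statements are meant to be pulled into the restricted view with `include`, which leaves DNSSEC validation enabled for everything that is not on the list.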