Overriding some DNS entries for internal networks
Posted by jpluimers on 2022/01/27
Based on [Wayback] domain name system – Overriding some DNS entries in BIND for internal networks – Server Fault and some further reading, there seem to be two ways used in these scenarios:
- to override only certain hosts or subdomains: use Response policy zone – Wikipedia, which replaces part of the DNS answers with the information held in the RPZ data.
- to override full domains: use Split-horizon DNS – Wikipedia
I wonder how that would interact best with Pi-Hole based solutions. Would it be best to have your local network use the Pi-Hole server, then have the Pi-Hole server obtain the DNS information it cannot resolve through one of the above solutions? Or would other solutions work better?
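The first approach in practice, as an added example that is not code from this post, from BIND or from Unbound: one override table is rendered both as a BIND RPZ zone (with the named.conf fragment that loads it) and as the Unbound local-zone/local-data equivalent. It goes a little beyond the split in the list above, because an RPZ wildcard owner can override a whole domain too, and it shows the RPZ passthru record that exempts one host from such a wildcard (the Unbound part has no direct counterpart for that exemption). All hostnames, addresses, the zone name rpz.local and the file path are constructed assumptions.

```python
# Added example (not from the post or any linked project): build equivalent
# "override some entries" configuration for BIND (RPZ) and Unbound
# (local-zone / local-data) from one table. Names and addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Override:
    name: str                   # query name to answer locally, e.g. "intranet.example.com"
    address: str                # IPv4 or IPv6 address to hand out
    whole_domain: bool = False  # True: every subdomain gets the same answer


def fqdn(name: str) -> str:
    """Normalise a name: lowercase, no trailing dot, no empty labels."""
    name = name.strip().rstrip(".").lower()
    if not name or any(label == "" for label in name.split(".")):
        raise ValueError(f"malformed name: {name!r}")
    return name


def rr_type(address: str) -> str:
    """A for IPv4, AAAA for IPv6; ip_address() rejects anything else."""
    return "AAAA" if ip_address(address).version == 6 else "A"


def bind_rpz_zone(overrides, passthru=(), serial=1, ttl=60) -> str:
    """RPZ zone text. Owner names are relative to the RPZ apex, so the record
    'intranet.example.com IN A 10.0.0.5' answers queries for that exact name
    (the RPZ "Local Data" action). A '*.' owner covers every subdomain, and an
    exact owner name is preferred over a wildcard that also matches, so a
    'CNAME rpz-passthru.' record exempts one host from a whole-domain override."""
    lines = [
        f"$TTL {ttl}",
        f"@ IN SOA localhost. root.localhost. ({serial} 3600 900 604800 {ttl})",
        "@ IN NS localhost.",
    ]
    for o in overrides:
        name, rtype = fqdn(o.name), rr_type(o.address)
        lines.append(f"{name} IN {rtype} {o.address}")
        if o.whole_domain:
            lines.append(f"*.{name} IN {rtype} {o.address}")
    for name in passthru:
        lines.append(f"{fqdn(name)} IN CNAME rpz-passthru.")
    return "\n".join(lines) + "\n"


def bind_named_conf(zone="rpz.local", path="/etc/bind/db.rpz.local") -> str:
    """named.conf fragment that loads the zone and applies it as policy.
    The zone name and file path are assumed values, not from the post."""
    return (
        "options {\n"
        f'    response-policy {{ zone "{zone}"; }};\n'
        "};\n"
        f'zone "{zone}" {{\n'
        "    type master;\n"
        f'    file "{path}";\n'
        "};\n"
    )


def unbound_conf(overrides) -> str:
    """Unbound equivalent without RPZ: a 'transparent' local-zone answers only
    the names that have local-data and resolves the rest of the zone normally;
    a 'redirect' local-zone answers the zone name and all of its subdomains
    from local-data, which is the whole-domain override."""
    lines = ["server:"]
    for o in overrides:
        name, rtype = fqdn(o.name), rr_type(o.address)
        zone_type = "redirect" if o.whole_domain else "transparent"
        lines.append(f'    local-zone: "{name}." {zone_type}')
        lines.append(f'    local-data: "{name}. {rtype} {o.address}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: one host, one whole domain with an exemption, one IPv6 host.
    table = [
        Override("intranet.example.com", "10.0.0.5"),
        Override("corp.example.net", "10.0.0.9", whole_domain=True),
        Override("v6.example.com", "2001:db8::1"),
    ]
    print(bind_named_conf())
    print(bind_rpz_zone(table, passthru=["www.corp.example.net"]))
    print(unbound_conf(table))
```

Running it prints the three fragments; the RPZ zone is what a Pi-hole-fronted resolver (BIND or Unbound 1.10+) would load, while the Unbound `server:` block is the scriptless route for a resolver that does not use RPZ at all.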
So here are a few links:
- [Wayback] domain name system – Overriding some DNS entries in BIND for internal networks – Server Fault; the answers to this question contain a lot of information. The important takeaway is that BIND named does support RPZ, but its support is not as fine-grained as what the Unbound DNS server supports.
- [Wayback] bind – Is it possible to split a domain using dns Bind9 – Server Fault
- [Wayback] domain name system – Redirecting time.windows.com to internal server – Server Fault: poor man’s approach for a single host.
- [Wayback] Chapter 4 DNS Configuration Types (Bind)
- [Wayback] Split horizon DNS master/slave with Bind | Jensd’s I/O buffer having a full set of steps for master and slave, explaining the how and why of each step
- [Wayback] DNS Response Policy Zones (RPZ) / [Wayback] draft-vixie-dnsop-dns-rpz-00: DNS Response Policy Zones (RPZ) (Internet-Draft, 2018):
This document describes a method for expressing DNS response policy inside a specially constructed DNS zone, and for recursive name servers to use such policy to return modified results to DNS clients. The modified DNS results can stop access to selected HTTP servers, redirect users to “walled gardens”, block objectionable email, and otherwise defend against attack. These “DNS Firewalls” are widely used in fighting Internet crime and abuse.
- [Wayback] Overriding DNS for fun and profit (with bind)
- [Wayback] Chapter 7 – Response Policy Zone (Bind)
- [Wayback] configuration – Large zone file for bind9 : ad-blocking – Unix & Linux Stack Exchange
- [Wayback] HOWTO – Configure a DNS firewall with RPZ (with examples)
- [Wayback] Jan-Piet Mens :: RPZ revisited (Bind, with very clear examples on the order of processing)
- [Wayback] domain name system – Alternative ways to get past 32 rpz zone limit in BIND? …without running BIND a thousand times – Server Fault (yes, as zones can be in views)
- [Wayback] Build a Privacy-respecting and Threat-blocking DNS Server
Learn how you can install your own DNS server to protect your devices from phishing, malware and ransomware
- [Wayback] SURBL: Lists are available as subscription service via RPZ using domain transfer.
- [Wayback] Glen Pitt-Pladdy :: Blog – DNS Firewall (blackhole malicious, like Pi-hole) with bind9
- [Wayback/Archive.is] glenpp/py-hole: A Pi-hole inspired DNS firewall for use with bind/named using RPZ (this converts hosts file format into RPZ format)
- [Wayback] DNSRPZ performance and scaleability when using multiple RPZ zones (Bind)
- [Wayback] debian – DNS server for blacklisting tons of domains and also some TLDs – Unix & Linux Stack Exchange (Bind)
- [Wayback] NLnet Labs – Unbound – About
Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. Late 2019, Unbound has been rigorously audited, which means that the code base is more resilient than ever. To help increase online privacy, Unbound supports DNS-over-TLS …
- [Wayback] NLnet Labs – News – Unbound 1.10.0 released: rpz support and serve-stale conformance
The 1.10.0 release has RPZ support and serve stale functionality according to draft draft-ietf-dnsop-serve-stale-10. And a number of other, smaller, features, and bug fixes.
- [Wayback] jimh.dev: Unbound Pi-hole without scripts
- [Wayback] Energized Protection – ad.porn.malware blocking.
A merged collection of hosts from reputable sources.
- [Wayback] Blocking Ads using unbound(8) on OpenBSD – TuM’Fatig:
The Internet is full of Ads and Trackers. Some of them are useful to monetize free content. Some are used in a non-ethical manner. Savvy users will configure Ad-Blocker on their Web browser. Others won’t. Most Appliance and IoT modules won’t allow third-party blocking addons. Here’s how to add an extra layer of privacy using …
The public blocklists used by Pi-Hole are the following:
- [Wayback] StevenBlack
- [Wayback] MalwareDom
- [Wayback] Cameleon
- [Wayback] ZeusTracker
- Disconnect.me Tracking
- Disconnect.me Ads
- [Wayback] HostsFile
I wrote a [Wayback] script that will fetch the blocklists content, parse it and create a local zone file for unbound(8). That file will contain all the blocked domains and use the redirect answer to resolve those as invalid.
- [Wayback] geoghegan.ca: unbound-adblock, The Ultimate DNS Firewall! with [Wayback] script version 0.5p4
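py-hole above converts hosts-file format into RPZ format, and the TuM’Fatig script builds an Unbound local zone from the same kind of lists. The converter below is an added example and is not the code of either project: it parses a hosts-format blocklist while handling the quirks such lists have (comments, several hosts per line, the local-machine names every hosts file carries, IP literals and mixed case, plus an allowlist), and emits the RPZ NXDOMAIN records for BIND or Unbound RPZ as well as both Unbound local-zone styles. The blocklist is a constructed sample and the 0.0.0.0 redirect address is an assumption about what "resolve those as invalid" means.

```python
# Added example (not from the post, py-hole or the TuM'Fatig script): turn a
# hosts-format blocklist into RPZ NXDOMAIN records and into Unbound local-zone
# statements. SAMPLE_HOSTS is a constructed sample, not a real blocklist.
import re
from ipaddress import ip_address

SAMPLE_HOSTS = """\
# constructed sample in the hosts-file layout the Pi-hole lists use
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
::1 localhost ip6-localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example-tracker.test   # trailing comment
0.0.0.0 cdn.ads.example-tracker.test telemetry.example-vendor.test
0.0.0.0 ADS.Example-Tracker.TEST.
bare-domain.example-list.test
0.0.0.0 not_valid_host
"""

# Names hosts files carry for the local machine; never block these.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "local", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}
# One hostname label: letters, digits, hyphen, 1-63 octets, no leading/trailing hyphen.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def is_ip(token: str) -> bool:
    try:
        ip_address(token)
        return True
    except ValueError:
        return False


def valid_hostname(name: str) -> bool:
    return 0 < len(name) <= 253 and all(LABEL.match(label) for label in name.split("."))


def parse_hosts_blocklist(text: str, allowlist=()):
    """Return (sorted unique names to block, tokens rejected as invalid).
    Accepts 'ADDRESS host [host ...]' lines and bare 'host' lines; strips
    comments, lower-cases, drops trailing dots, skips local-machine names,
    IP literals used as hostnames and anything on the allowlist."""
    allow = {n.lower().rstrip(".") for n in allowlist}
    blocked, rejected = set(), []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        hosts = tokens[1:] if is_ip(tokens[0]) else tokens
        for host in hosts:
            name = host.lower().rstrip(".")
            if name in LOCAL_NAMES or name in allow or is_ip(name):
                continue
            if valid_hostname(name):
                blocked.add(name)
            else:
                rejected.append(host)
    return sorted(blocked), rejected


def rpz_block_records(names, with_subdomains=False):
    """'CNAME .' is the RPZ NXDOMAIN action; a '*.' owner also catches subdomains."""
    records = []
    for n in names:
        records.append(f"{n} IN CNAME .")
        if with_subdomains:
            records.append(f"*.{n} IN CNAME .")
    return records


def rpz_zone_file(names, serial=1, ttl=60, with_subdomains=False) -> str:
    """Complete RPZ zone: apex SOA/NS (placeholder values) plus the block records."""
    head = [f"$TTL {ttl}",
            f"@ IN SOA localhost. root.localhost. ({serial} 3600 900 604800 {ttl})",
            "@ IN NS localhost."]
    return "\n".join(head + rpz_block_records(names, with_subdomains)) + "\n"


def unbound_block_conf(names, style="nxdomain") -> str:
    """'nxdomain': always_nxdomain returns NXDOMAIN for the name and its subdomains.
    'redirect': answer the name and its subdomains with an unroutable address
    (0.0.0.0 is an assumed choice), which is the local-data style the
    TuM'Fatig post describes."""
    out = ["server:"]
    for n in names:
        if style == "redirect":
            out.append(f'    local-zone: "{n}." redirect')
            out.append(f'    local-data: "{n}. A 0.0.0.0"')
        else:
            out.append(f'    local-zone: "{n}." always_nxdomain')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    names, bad = parse_hosts_blocklist(SAMPLE_HOSTS, allowlist=["telemetry.example-vendor.test"])
    print(rpz_zone_file(names))
    print(unbound_block_conf(names))
    print("rejected:", bad)
```

The rejected list is worth logging rather than silently dropping: a malformed entry in a downloaded list is the usual reason a zone file fails to load, and with the 32-zone limit discussed above it is cheaper to sanitise one big list than to split it across zones.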
Pi-Hole seems not to be interested in RPZ: [Wayback] Implement Response Zone Policies (NXDOMAIN) for end-user performance increase – Feature Requests / Implemented – Pi-hole Userspace
The Pi-Hole default blacklist is mentioned in [Wayback/Archive.is] pi-hole/basic-install.sh at master · pi-hole/pi-hole (look for adlistFile, which defaults to [Wayback/Archive.is] StevenBlack/hosts: 🔒 Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.).
Since I need this for ESXi: [Wayback/Archive.is] Let’s Encrypt SSL for ESXi
–jeroen