You may frequently discover websites that your enterprise wants to block for all users.
Various SOC service providers supply lists of websites that may be malicious or inappropriate.
You could add such sites to a category using the Custom Category feature of SafeSquid.
Creating an entry in Access Profiles to block access to such categories would then prevent users from reaching those sites.
However, if your SOC provider supplies a large number of such websites, SafeSquid's DNS Blacklist feature may be a better alternative.
Enabling SafeSquid's DNS Blacklist feature causes SafeSquid to query the DNSBL for the A record of the website's domain.
For example, if a user seeks to access www.google.com, and you have configured in.dnsbl.org as your DNSBL,
SafeSquid queries for the A record of www.google.com.in.dnsbl.org before actually connecting to www.google.com.
If the A record is found to fall within the configured range, access to www.google.com is blocked.
Managing the DNSBL, or checking whether a website is being blocked, does not require access to SafeSquid's UI or credentials for the self-service portal at key.safesquid.com.
Also, if you have other applications that can benefit from DNS-based blocking, the return on your effort simply multiplies.
To set up your DNSBL on a standard bind9 installation, follow these steps.
First, choose a domain name for your DNSBL.
This domain name need not be officially purchased or registered; any name is fine, as long as it does not collide with a real domain that your resolvers need to reach, since your bind9 will answer for it authoritatively.
For this example, we are choosing in.dnsbl.org.
Create a zone definition.
You may place this definition in /etc/bind/named.conf.local, because that file is usually already included from /etc/bind/named.conf; if you prefer to create a new file, make sure to include it in /etc/bind/named.conf.

```
zone "in.dnsbl.org" {
    type master;
    file "/etc/bind/db.in.dnsbl.org";
    allow-transfer { any; };
    allow-query { any; };
};
```

Note: allow-transfer { any; } lets any client pull your entire blocklist with a zone transfer. If the list is sensitive, restrict it to the addresses of your secondary servers, for example allow-transfer { <ip-address-of-your-secondary>; };.
Now populate the zone data file /etc/bind/db.in.dnsbl.org as follows:

```
;
; BIND data file for TLD ".in.dnsbl.org"
;
$TTL    604800
@       IN      SOA     in.dnsbl.org. root.in.dnsbl.org. (
                        2       ; Serial
                        3600    ; Refresh
                        86400   ; Retry
                        3600    ; Expire
                        3600 )  ; Negative Cache TTL
@       IN      NS      ns1.in.dnsbl.org.
@       IN      NS      ns2.in.dnsbl.org.
@       IN      A       <ip-address-of-your-dnsbl-server>
ns1     IN      A       <ip-address-of-your-dnsbl-server>
ns2     IN      A       <ip-address-of-your-dnsbl-server>
; the two answers SafeSquid distinguishes by address range
blocked IN      A       127.0.0.4
allowed IN      A       127.0.0.100
; default: anything not listed explicitly resolves to "allowed"
*       IN      CNAME   allowed
*.com   IN      CNAME   allowed
; sites to block: one CNAME to "blocked" per site
example.com     IN      CNAME   blocked
example.net     IN      CNAME   blocked
blocktest1      IN      CNAME   blocked
testblock.com   IN      CNAME   blocked
```
Note: We have added example.com, example.net, blocktest1 and testblock.com merely as reference examples.
Once populated as desired, bump the Serial (so that any secondary servers notice the change) and reload the bind9 service:

```
rndc reload
```
Now check that things are working as desired:

```
host -t A example.com.in.dnsbl.org
```

The result should appear as:

```
example.com.in.dnsbl.org is an alias for blocked.in.dnsbl.org.
blocked.in.dnsbl.org has address 127.0.0.4
```

and

```
host -t A test.com.in.dnsbl.org
```

The result should appear as:

```
test.com.in.dnsbl.org is an alias for allowed.in.dnsbl.org.
allowed.in.dnsbl.org has address 127.0.0.100
```
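As an added example (not SafeSquid's or BIND's own code), the following Python emulates the lookup SafeSquid performs against the zone above, including BIND's wildcard rules (RFC 4592), so you can see which hosts the zone as written actually blocks before pointing a proxy at it. The zone contents are copied from the page; the 127.0.0.4/32 block range is an assumption standing in for whatever range you configure in SafeSquid.

```python
import ipaddress

DNSBL_ZONE = "in.dnsbl.org"
BLOCK_RANGE = ipaddress.ip_network("127.0.0.4/32")  # assumed SafeSquid range setting

# The zone from the page as relative owner -> (type, rdata). SOA, NS and the
# apex/ns A records are left out: they play no part in the blocking decision.
ZONE = {
    "blocked": ("A", "127.0.0.4"),
    "allowed": ("A", "127.0.0.100"),
    "*": ("CNAME", "allowed"),
    "*.com": ("CNAME", "allowed"),
    "example.com": ("CNAME", "blocked"),
    "example.net": ("CNAME", "blocked"),
    "blocktest1": ("CNAME", "blocked"),
    "testblock.com": ("CNAME", "blocked"),
}
# Every owner name, its ancestors (empty non-terminals such as 'com') and the apex ''.
NAMES = {""} | {".".join(o.split(".")[i:]) for o in ZONE for i in range(len(o.split(".")))}


def zone_answer(rel):
    """Emulate BIND's answer for a name relative to the apex: the A address after
    following CNAMEs, or None for NXDOMAIN / no data. Wildcards follow RFC 4592:
    '*.x' only matches names whose closest existing ancestor is exactly x."""
    if rel in ZONE:
        rec = ZONE[rel]
    elif rel in NAMES:
        return None  # empty non-terminal: the name exists but carries no records
    else:
        labels = rel.split(".")
        suffixes = (".".join(labels[i:]) for i in range(1, len(labels)))
        encloser = next((s for s in suffixes if s in NAMES), "")
        rec = ZONE.get("*" if encloser == "" else "*." + encloser)
        if rec is None:
            return None
    rtype, rdata = rec
    return zone_answer(rdata) if rtype == "CNAME" else rdata


def dnsbl_query_name(host):
    """The name SafeSquid looks up: <host>.<zone>, e.g. www.google.com.in.dnsbl.org"""
    return f"{host.strip('.').lower()}.{DNSBL_ZONE}"


def is_blocked(host):
    """True when the DNSBL answer for the host falls inside BLOCK_RANGE."""
    rel = dnsbl_query_name(host)[: -(len(DNSBL_ZONE) + 1)]
    addr = zone_answer(rel)
    return addr is not None and ipaddress.ip_address(addr) in BLOCK_RANGE
```

Running it shows one gap worth knowing about: www.example.com gets NXDOMAIN rather than the blocked address, because the example.com entry becomes its closest encloser and the zone has no *.example.com wildcard, so add such wildcards if subdomains of a listed site should be blocked too.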
Configure SafeSquid as described in https://docs.safesquid.com/wiki/DNS_blacklist.
Note: Standard SafeSquid installations normally co-host a bind9 instance,
so if you prefer you can extend its configuration rather than set up a dedicated DNSBL.
If you have a cluster of SafeSquid instances, it is recommended to either set up the above on a "master instance" or create a dedicated DNSBL service.
You can then easily serve all SafeSquid instances by adding just the following to the bind9 configuration /etc/bind/named.conf.local on each of the other instances:

```
zone "in.dnsbl.org" {
    type stub;
    masters { <ip-address-of-your-dnsbl-server>; };
};
```