![[Valid HTML 4.01 Strict]](/valid-html401-blue.png){kind=small}
![[hacker emblem]](/hacker.png)
![[donate]](/donate.png)
Copyright
1995-2024
John M. Simpson KG4ZOW
(email)
(PGP key)Last updated 2008-08-08 03:43:26 +0000
I have written another page describing how to configure dnscache to use a "poison server" to block certain domain names. This involves creating a file in the /service/dnscache/root/servers directory for each domain, which overrides dnscache's normal "start from the root servers" behaviour.
A user recently posted on the djbdns mailing list saying that he was going to do the same thing, but with thousands of domain names. He asked if it were possible to use a cdb file to make administering the process easier. While it is possible to use a cdb file to hold the list of "root servers" for each domain, it could slow down the process of resolving names.
I have written a perl script which allows the user to maintain a single text file. The script writes out the actual files in the root/servers directory based on the contents of root/servers.txt. An additional (optional) "Makefile" allows the user to run the script and restart dnscache with a single "make" command (instead of typing two commands.)
It may be possible to write a patch which would make dnscache read this text file (or a cdb file) directly, but I haven't had the time to look into it, and I"m not convinced it would really be much of a speed boost to start with, since on a busy nameserver the operating system would have the contents of the root/servers directory held in cache.
The dnscache program allows you to specify "replacement root servers" for certain domain names, bypassing the standard behavior of resolving every query from the root nameservers.
You would normally do this if you also run the authoritiative nameserver for the domain name in question, and want to bypass the whole "start from the root servers" routine for performance reasons. You may also have domains which are only visible "inside" your network, and need to have one dnscache server which is capable of resolving these "private" names along with "real" names from the Intenret.
You may also want to do this to "block" certain domain names from working, for example domains whose only function is to provide "banner ads" for web pages, or domains which send SPAM. (See this page for information on how to set up "blocking" for individual domain names.)
This "root override" behaviour is controlled by files in the root/servers directory under your /service/dnscache directory.
|
|
Make sure you have a working dnscache installation. You must have a working dnscache before continuing.
Save the files in the "root" directory under your dnscache service
directory (which will be /service/dnscache if you have followed djb's installation
instructions.) The mkservers script should be executable (i.e.
chmod 700 mkservers).
Adjust the script to work with your system.
You may need to adjust the beginning of the script to reflect the location of your perl executable. /usr/bin/perl and /usr/local/bin/perl are the two most common locations. You must have at least version 5.003 in order to run the script.
You may also need to adjust the script to reflect the location of your dnscache service directory, and whether or not you want the script to delete any existing "servers/*" files before writing its own files (which can be handy if you ever delete domain names from the file.) The lines to check are at the top of the file, I tried to make the script as obvious as I could.
Edit or create the servers.txt file and set up your list of blocked domains. See the Text File Format section below.
Running the script will read "servers.txt" and generate the necessary files in the "servers" directory.
The Makefile allows you to run the script using the make command (similar to building a new "data" file for tinydns.) I threw this in because I have become used to typing make after making any changes to djbdns or qmail-related files.
The file must be root/servers.txt within your dnscache
service directory. The permissions aren't currently important since the
script needs to run as root in order to restart the server, but when I write
the patch for dnscache to read the file directly, it will need to be readable
but not writable to the userid which dnscache runs as.
The format is very simple. Each line corresponds to one file in the stock
root/servers/* directory. Each line begins with the
domain name, a colon, and then a list of one or more IP addresses,
separated by colons, which should be considered "root servers" for that
domain. The real "root servers" should be listed on a line, either with no
domain name, or with "@" as the domain name.
The sample file below shows what the file should look like.
|