Solved bind9 question

I'm new to DNS configuration in BIND. Today I'm using dnsmasq for 300/400 users and iptables (on Linux), but I want to migrate to FreeBSD. The only reason I can't is one rule in iptables to block YouTube and other online multimedia services, the "string" rule:

iptables -A FORWARD -s xxx.xxx.xxx.xxx/16 -m string --string "youtube" --algo bm --to 443 -j DROP
and later...
iptables -A FORWARD -m mac --mac-source xx.xx.xx.xx.xx.xx -m string --string "youtube" --algo bm --to 443 -j ACCEPT

I know that is the job of the DNS server, and here is my question. I want this:

- make a MAC-address-based ACL
- make a custom rule pointed at that list that forwards youtube.com requests to another host in my internal network with a custom "access denied" page
- grant access to the real youtube.com for the rest of the network

Is that possible in bind9?
 
I think you're going at it the wrong way. Set up a proxy server (Squid for example) and you can do all the filtering you want. Easy.
 
Dropping the packets with a firewall rule seems incredibly ugly. Also, does that rule actually work? I assumed 443 would be the port number (not that --to would be a sensible option name for that), although a string match will not find "youtube" in a HTTPS packet. Also --to is documented as "offset from which to start looking" although I think that should be "offset to stop looking". (Is it supposed to be matching DNS requests? and if so is the 443 unnecessary or a coincidence?)

I would split the network into VLANs and create a view in Bind for each VLAN. Then, in the views for the restricted clients, create a zone for each domain you want to block that just returns the IP address of your 'access denied' page.
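A worked version of the views approach above, added here as an example and not taken from the thread: a small shell script that writes the named.conf (two views) and the sinkhole zone file, then syntax-checks them if the BIND tools are installed. Every address and the ns.lan.example name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate a BIND 9 named.conf with two
# views plus the sinkhole zone file described above.  All addresses are
# assumptions: 10.10.20.0/24 = restricted VLAN, 10.10.0.0/16 = whole LAN,
# 10.10.0.5 = host serving the "access denied" page.
write_bind_block_config() {
    dir=$1
    mkdir -p "$dir"
    # named.conf: views are matched top to bottom, so the restricted view
    # must come before the catch-all "default" view.
    cat > "$dir/named.conf" <<'EOF'
acl "restricted-clients" { 10.10.20.0/24; };
acl "internal"           { 10.10.0.0/16; 127.0.0.1; };
options {
    directory "/usr/local/etc/namedb";
    allow-query     { "internal"; };
    allow-recursion { "internal"; };
};

view "restricted" {
    match-clients { "restricted-clients"; };
    recursion yes;
    // each blocked domain is served locally from the same sinkhole file,
    // so the real youtube.com/facebook.com are never looked up here
    zone "youtube.com"  { type master; file "blocked.zone"; };
    zone "facebook.com" { type master; file "blocked.zone"; };
};
view "default" {
    match-clients { any; };
    recursion yes;
};
EOF
    # blocked.zone: "@" is the zone apex, "*" catches www. and any other
    # label, and a short TTL keeps unblocking quick.
    cat > "$dir/blocked.zone" <<'EOF'
$TTL 300
@   IN SOA  ns.lan.example. hostmaster.lan.example. ( 1 3600 900 604800 300 )
@   IN NS   ns.lan.example.
@   IN A    10.10.0.5
*   IN A    10.10.0.5
EOF
    # syntax-check the result when the BIND tools are installed
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$dir/named.conf"
        named-checkzone youtube.com "$dir/blocked.zone"
    fi
}
```

Clients that hardcode another resolver bypass this entirely, so restrict outbound port 53 to this server in the firewall as well; browsers reaching the blocked sites over HTTPS will also see a certificate warning from the deny-page host.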
 
Dropping the packets with a firewall rule seems incredibly ugly. Also, does that rule actually work? I assumed 443 would be the port number (not that --to would be a sensible option name for that), although a string match will not find "youtube" in a HTTPS packet. Also --to is documented as "offset from which to start looking" although I think that should be "offset to stop looking". (Is it supposed to be matching DNS requests? and if so is the 443 unnecessary or a coincidence?)

I would split the network into VLANs and create a view in Bind for each VLAN. Then, in the views for the restricted clients, create a zone for each domain you want to block that just returns the IP address of your 'access denied' page.

I know... it is ugly and dirty. I read some time ago that that "function" is not in the FreeBSD firewalls because it is not the firewall's job to do that; instead it is the DNS function that manages things like that.
Thanks for the tip about BIND, I'll read some manuals to start.

Edit: yes, it is working like a charm, but again... it is ugly and big like a double D woman :p
 
I think you're going at it the wrong way. Set up a proxy server (Squid for example) and you can do all the filtering you want. Easy.

Do you mean filtering HTTPS traffic? I have already done that, but in transparent mode, only HTTP traffic.
 
Dropping the packets with a firewall rule seems incredibly ugly. Also, does that rule actually work? I assumed 443 would be the port number (not that --to would be a sensible option name for that), although a string match will not find "youtube" in a HTTPS packet. Also --to is documented as "offset from which to start looking" although I think that should be "offset to stop looking". (Is it supposed to be matching DNS requests? and if so is the 443 unnecessary or a coincidence?)

I would split the network into VLANs and create a view in Bind for each VLAN. Then, in the views for the restricted clients, create a zone for each domain you want to block that just returns the IP address of your 'access denied' page.

Thanks usdmatt, with BIND9 and views I have the problem solved. It is used only to block Facebook and YouTube (not to replace Squid or PF, of course).
 