Setting Up a Blackhole DNS Server on Ubuntu Server

I was recently tasked with setting up a blackhole (or sinkhole) DNS server on the network at the office. I was refered to an article that walked through setting one up using FreeBSD.

If you’re not familiar with blackhole/sinkhole DNS servers, basically what they do is when a DNS lookup is performed, the blackhole DNS server consults a list of known malicious domains, if the requested the domain is in the list, then any traffic to that domain is redirected. It provides a bit of extra security in that

Things seemed to go pretty smoothly, until I started the Bind service, at which point I started getting several errors. I couldn’t quite figure out why I was getting them, so I posted a question about it over in the FreeBSD forums.

While I was waiting for a response, I thought I would spin-up an Ubuntu Server VM in VirtualBox on my laptop and see if I could get it working that way. Turns out that I could, and I actually had it working before I got a response in the FreeBSD forums. (The problem, by the way, turns out to be that Bind is chroot in FreeBSD, which was causing problems with the configurations for the blackhole. I haven’t gone back to try to figure out how to get it working on FreeBSD, since I already had it done in Ubuntu Server.)

So here’s how to get Bind set-up and running using Ubuntu Server.

Install Ubuntu Server, making sure to select DNS, LAMP and OpenSSH installations

Refer to www.pintumbler.com/Code/dnsbl for the rest of the set-up.

NOTE: Turning on Bind Logging

Since named(bind) isn’t, by default, allowed to write to the newly created log directory, we need to tell apparmor that it is allowed to.

Edit /etc/apparmor.d/local/usr.sbin.named and add the following line:

/var/log/bind/bind.log rw,

Save and close the file

Run:

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.named

Restart the bind service:

sudo service bind9 restart

If you want to check the logs try something like:

sudo tail -20 /var/log/bind/bind.log

 

Leave a Reply

Your email address will not be published. Required fields are marked *