• DNS Queries Using API - BIND9

    From Blason R@blason16@gmail.com to bind-users on Mon May 11 09:44:35 2020
    From Newsgroup: comp.protocols.dns.bind

    Hi Folks,

    I am seeking a solution for the problem below and wanted to know if any open source option can help us here.
    We have our internal DNS RPZ firewall built on BIND9. Due to the current situation, since all users are working from home, we are not able to route
    their queries to the internal DNS servers. Well, when they are on VPN,
    queries are definitely passed through the internal DNS server, but they are
    left open when not connected to VPN.

    Is there any solution using -

    - An API by which we can route the queries of users who are on the Internet
    - Or any client utility which can be installed on users' desktops/laptops,
    where we can embed our BIND RPZ server and then route the queries to the
    internal one using NAT?
    - Or any other alternative the community can suggest?


    This is just like Cisco Umbrella or any other paid DNS firewall solution,
    but we are asking whether any open source option exists.

    Thanks & Regards
    Blason R

    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Vadim Pavlov@pvm_job@mail.ru to Blason R on Sun May 10 23:18:29 2020
    From Newsgroup: comp.protocols.dns.bind


    Hi Blason,

    There are open source clients for iOS (DNSCloak) and Android (Intra)
    which use DoH (you will need to install a DoH proxy), but I'm not aware of free clients for Mac/Windows/Linux (maybe because they have embedded clients which can be configured to use any 3rd party DNS :).
    The main issue is that bind doesn't provide an authentication
    method. So in any case you somehow should manage the access to the DNS
    server; otherwise it will become an open resolver and will be used for DDoS attacks.

    I would recommend you a few options here:
    - Use a trial of any "paid" solution. E.g. Infoblox
    offers a 90 days free trial - it may be enough to pass the WFH stage;
    - Require VPN back to your HQ and provision it to be established
    automatically;
    - Install bind on these laptops and push RPZ feeds directly to them
    (zone transfer can be authenticated by using TSIG keys). You may see
    issues if the feed size is >1m rules.
    - Provide your employees VMs (if they have servers at home) or even a
    Raspberry Pi to protect the whole home network (actually it is
    important). On my ioc2rpz community site (https://ioc2rpz.net) you can take a look at the RpiDNS installation
    script. It installs ISC Bind and provisions my community RPZ feeds (you
    may replace them with your feeds), OpenResty for the admin interface and a
    walled garden page, and provisions RSyslog. On a Raspberry Pi Zero the
    installation takes about 10 minutes (demo video - https://www.youtube.com/watch?time_continue=2&v=942yKOGAwbU&feature=emb_logo).


    BR,
    Vadim
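    Vadim's third option (BIND on each laptop pulling the RPZ zone over a TSIG-signed transfer, which Petr's suggestion at the end of the thread also amounts to) as an added example configuration; it is not code from the thread, from ISC or from ioc2rpz. The key name rpz-xfer, the address 192.0.2.10, the zone name rpz.example.internal, the sample feed entries and all file paths are placeholders.

```conf
# ===== On the internal RPZ server (the zone's primary) =====================
# Generate the shared secret once:   tsig-keygen -a hmac-sha256 rpz-xfer
# and paste the same key {} block on the server and on every laptop.
key "rpz-xfer" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-paste-the-base64-secret-from-tsig-keygen";
};

zone "rpz.example.internal" {
    type primary;                        # "master" on BIND older than 9.16
    file "/etc/bind/db.rpz.example.internal";
    # Only AXFR/IXFR requests signed with the key are served; an unsigned
    # transfer request is refused, so exposing 53/TCP does not publish the feed.
    allow-transfer { key "rpz-xfer"; };
    # Laptops behind home NAT cannot receive NOTIFY; they poll at the SOA
    # refresh interval instead (300 s in the sample feed below).
    notify no;
};

# ----- /etc/bind/db.rpz.example.internal (constructed sample feed) ---------
# $TTL 60
# @                    IN SOA ns.rpz.example.internal. hostmaster.example.internal. (
#                          2020051101 ; serial, bump on every change
#                          300        ; refresh: laptops re-check every 5 min
#                          60         ; retry
#                          604800     ; expire
#                          60 )       ; negative-cache TTL
#                      IN NS  ns.rpz.example.internal.
# ; NXDOMAIN for a domain and all of its subdomains
# malicious.example    CNAME .
# *.malicious.example  CNAME .
# ; send a phishing host to the walled-garden page instead (placeholder address)
# phish.example        A     192.0.2.80

# ===== On each laptop (local BIND, secondary for the RPZ zone) =============
key "rpz-xfer" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-paste-the-base64-secret-from-tsig-keygen";
};

# Every request to the RPZ server (SOA checks, AXFR/IXFR) is signed with the key.
server 192.0.2.10 {
    keys { "rpz-xfer"; };
};

options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; };            # reachable from this machine only,
    listen-on-v6 { ::1; };               # so it can never become an open resolver
    allow-query { localhost; };
    recursion yes;
    allow-recursion { localhost; };
    dnssec-validation auto;              # the laptop validates DNSSEC itself
    # Apply the policy zone to every answer this resolver gives out.
    response-policy { zone "rpz.example.internal"; };
};

zone "rpz.example.internal" {
    type secondary;                      # "slave" on BIND older than 9.16
    primaries { 192.0.2.10; };           # "masters" on BIND older than 9.16
    file "rpz.example.internal.db";
    allow-transfer { none; };            # never re-serve the feed to others
};

# Check from a laptop (replace SECRET with the key's base64 secret):
#   dig @192.0.2.10 rpz.example.internal AXFR -y hmac-sha256:rpz-xfer:SECRET
# returns the zone; the same command without -y ends with "; Transfer failed."
# because the server refused the unsigned request.
```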
  • From Daniel Stirnimann@daniel.stirnimann@switch.ch to Vadim Pavlov on Mon May 11 08:26:47 2020
    From Newsgroup: comp.protocols.dns.bind



    On 11.05.20 08:18, Vadim Pavlov via bind-users wrote:
    > The main issue that bind does’t provide an authentication method. So in
    > any case you somehow should manage the access to the DNS server vice
    > versa it will became open resolver and will be used for DDoS attacks.

    If you were to use DoH, you could use Basic Authentication. The DoH URL
    you could configure on your client systems could be something like this:

    https://username:password@doh.example.com/dns-query


    Daniel
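    To put the Basic Authentication Daniel suggests in front of a DoH endpoint, here is an added nginx configuration (not from the thread, and not the njs-based setup of the nginx blog linked later): TLS termination and per-user credentials on /dns-query, proxied to a DoH-to-DNS proxy. doh.example.com, the certificate paths, /etc/nginx/doh.htpasswd and the 127.0.0.1:8053 upstream are assumptions.

```conf
# Assumed upstream (not shown): a DoH-to-DNS proxy on 127.0.0.1:8053 that turns
# RFC 8484 requests into plain DNS toward the internal BIND RPZ resolver.
# nginx terminates TLS and authenticates before any request reaches it.
server {
    listen 443 ssl http2;
    server_name doh.example.com;                        # placeholder name

    ssl_certificate     /etc/ssl/doh.example.com.crt;   # placeholder paths
    ssl_certificate_key /etc/ssl/doh.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Basic credentials travel base64-encoded in the Authorization header,
    # so this endpoint exists only behind TLS; there is no port-80 server block.
    # Every request is logged with remote address and HTTP status, so the
    # 401 entries are the record of unauthenticated use.
    access_log /var/log/nginx/doh.access.log;

    location = /dns-query {
        # One line per user (created with: htpasswd -c /etc/nginx/doh.htpasswd alice);
        # removing a user's line revokes that laptop without touching the rest.
        auth_basic           "DoH";
        auth_basic_user_file /etc/nginx/doh.htpasswd;

        # RFC 8484 clients use GET with ?dns=<base64url> or POST application/dns-message.
        limit_except GET POST { deny all; }

        proxy_pass         http://127.0.0.1:8053;
        proxy_http_version 1.1;
        proxy_set_header   Host $host;
        # nginx already checked the credentials; do not forward them upstream.
        proxy_set_header   Authorization "";
    }

    # Anything other than the DoH endpoint gets nothing.
    location / {
        return 404;
    }
}
```

A client configured with https://username:password@doh.example.com/dns-query sends those credentials as the Authorization header; a request without them is answered 401 by nginx and never reaches the DNS side.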
  • From Vadim Pavlov@pvm_job@mail.ru to Daniel Stirnimann on Sun May 10 23:37:06 2020
    From Newsgroup: comp.protocols.dns.bind

    Good idea. It may work. I'm using Intra for 1.5 years (with my DNS) and actually didn't try it; likely my "old" DoH proxy doesn't support it.
    With nginx it should be possible, if these open source clients support it.
    For Win/Mac/Linux there should be some open source DoH clients (the backup will be using it just in browsers).
    Vadim
  • From Blason R@blason16@gmail.com to Reindl Harald on Mon May 11 12:13:18 2020
    From Newsgroup: comp.protocols.dns.bind

    I can do that - But

    1. How can I control unauthorized use?
    2. Since once it's populated over the Internet it can be used by anyone, right?
    3. Plus from the user end they can change the DNS to avoid protection.


    On Mon, May 11, 2020 at 11:01 AM Reindl Harald <h.reindl@thelounge.net> wrote:

    > when you are in the position to use something like this you can also
    > tell your users they have to configure their machines for using a public
    > dns you are hosting and you are done


  • From Blason R@blason16@gmail.com to Daniel Stirnimann on Mon May 11 12:18:41 2020
    From Newsgroup: comp.protocols.dns.bind

    Hmm - any docs on configuring a DoH proxy?

  • From Blason R@blason16@gmail.com to Daniel Stirnimann on Mon May 11 12:22:21 2020
    From Newsgroup: comp.protocols.dns.bind

    That's a nice starting point -

    https://www.nginx.com/blog/using-nginx-as-dot-doh-gateway/

    But I am still looking for any client utility so that users cannot shut down
    or suspend the service.

  • From Vadim Pavlov@pvm_job@mail.ru to Blason R on Sun May 10 23:57:01 2020
    From Newsgroup: comp.protocols.dns.bind


    If your users have admin permissions you probably will not find any open source tool which supports that. For restricted accounts on Win - create policies.

    BR,
    Vadim
  • From Blason R@blason16@gmail.com to Vadim Pavlov on Mon May 11 12:39:31 2020
    From Newsgroup: comp.protocols.dns.bind

    Nah, those are regular users - and I'm thinking to work on a DoT proxy and force
    that through GPO for browsers.

  • From Reindl Harald@h.reindl@thelounge.net to Blason R on Mon May 11 07:31:08 2020
    From Newsgroup: comp.protocols.dns.bind



    On 11.05.20 at 06:14, Blason R wrote:
    > I am seeking solution for our below problem and wanted to know if any
    > open source option can help us here?
    > We have our internal DNS RPZ firewall built on BIND9. Due to the current situation since all users are working from home we are not able to route their queries to internal DNS servers. Well, when they are on VPN
    > definitely queries are then passed through internal DNS server but they
    > left open when not connected to VPN.
    >
    > Is there any solution using -
    >
    > * API by which we can route the queries for user who are on Internet
    > * Or any client utility which can be installed on user's
    > desktop/laptop where we can embed our BIND RPZ server and then route
    > the queries to internal one using NAT?
    > * Or any other alternative community can suggest?

    When you are in the position to use something like this, you can also
    tell your users they have to configure their machines to use a public
    DNS you are hosting, and you are done.
  • From Petr Menšík@pemensik@redhat.com to bind-users on Mon May 11 19:03:39 2020
    From Newsgroup: comp.protocols.dns.bind

    Hi,

    AFAIK BIND is supported also on Windows. Would it be possible just to
    install BIND service on local machine and configure it to download DLZ
    zone from your servers. It could authenticate using ddns keys. And
    forward would be also straightforward. As a bonus, they would get a local validating resolver.

    I think that would be quite satisfying for their security, but would
    prevent you from watching them too closely. I think that would be an
    advantage of sorts, especially when they are in "private" mode.

    Of course some scripts to configure the installation would be required,
    because an ordinary user does not want to configure BIND. Some smart
    installer might be enough.

    Regards,
    Petr

    On 5/11/20 6:14 AM, Blason R wrote:
    Hi Folks,

    I am seeking solution for our below problem and wanted to know if any open
    source option can help us here?
    We have our internal DNS RPZ firewall built on BIND9. Due to the current situation since all users are working from home we are not able to route their queries to internal DNS servers. Well, when they are on VPN
    definitely queries are then passed through internal DNS server but they
    left open when not connected to VPN.

    Is there any solution using -

    - API by which we can route the queries for user who are on Internet
    - Or any client utility which can be installed on user's desktop/laptop
    where we can embed our BIND RPZ server and then route the queries to
    internal one using NAT?
    - Or any other alternative community can suggest?


    This is just like Cisco Umbrella or any other Paid DNS firewall solutions
    but seeking if we can have any open source option?

    Thanks & Regards
    Blason R


    _______________________________________________
    Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

    bind-users mailing list
    bind-users@lists.isc.org
    https://lists.isc.org/mailman/listinfo/bind-users


    -- 
    Petr Menšík
    Software Engineer
    Red Hat, http://www.redhat.com/
    email: pemensik@redhat.com
    PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
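    Petr's sketch above, written out as an added example that is not from the thread or from ISC: a laptop-local BIND 9 named.conf that keeps a read-only copy of the corporate RPZ zone pulled over a TSIG-authenticated zone transfer (the "ddns keys" he mentions), forwards everything else, and validates DNSSEC. The primary address 192.0.2.53, upstream 192.0.2.1, zone name rpz.corp.example, key name laptop-rpz, secret and paths are all placeholders.

```conf
// Added example (not from the thread or ISC): laptop-local BIND 9 named.conf
// implementing Petr's suggestion. Placeholders: corporate RPZ primary
// 192.0.2.53, policy zone "rpz.corp.example", TSIG key "laptop-rpz" (the
// "ddns key"), upstream resolver 192.0.2.1. The zone is pulled as an ordinary
// secondary zone (AXFR/IXFR) authenticated with that key, not via DLZ.

key "laptop-rpz" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET=="; // generate with: tsig-keygen laptop-rpz
};

options {
    directory "/path/to/bind/workdir";  // placeholder; the install's working dir
    listen-on { 127.0.0.1; };           // serve this machine only ...
    listen-on-v6 { ::1; };
    allow-query { localhost; };         // ... so it is never an open resolver
    recursion yes;
    dnssec-validation auto;             // the "local validating resolver" bonus
    forwarders { 192.0.2.1; };          // placeholder upstream; drop to recurse directly
    forward first;
    // Policy is applied locally, so it still holds when the VPN is down.
    response-policy { zone "rpz.corp.example"; };
};

// Read-only copy of the RPZ zone. Listening on loopback only, the laptop
// cannot receive NOTIFY, so it refreshes purely on the SOA timers: keep the
// refresh interval short on the primary so blocklist updates arrive quickly.
zone "rpz.corp.example" {
    type secondary;
    primaries { 192.0.2.53 key "laptop-rpz"; };
    file "rpz.corp.example.db";
    allow-query { localhost; };
};

// On the existing RPZ primary, restrict transfers of the policy zone to
// holders of the key (same key statement as above), so the blocklist is
// not readable by arbitrary hosts:
//
// zone "rpz.corp.example" {
//     type primary;
//     file "rpz.corp.example.db";
//     allow-transfer { key "laptop-rpz"; };
// };
```

    BIND releases that predate the primary/secondary spellings use `type master`, `type slave` and `masters` instead; `tsig-keygen` prints a ready-to-paste key statement.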


  • From Blason R@blason16@gmail.com to Petr Menšík on Mon May 11 23:08:13 2020
    From Newsgroup: comp.protocols.dns.bind


    Hmmm nice suggestion and appreciate that.

    But it would be too much for a normal user looking for a simpler manner. Anyway,
    if there is no option then we will have to live with the VPN option for now.

    On Mon, 11 May 2020, 22:34 Petr Menšík, <pemensik@redhat.com> wrote:

    Hi,

    AFAIK BIND is supported also on Windows. Would it be possible just to
    install BIND service on local machine and configure it to download DLZ
    zone from your servers. It could authenticate using ddns keys. And
    forward would be also straightforward. As a bonus, they would get a local validating resolver.

    I think that would be quite satisfying for their security, but would
    prevent you from watching them too closely. I think that would be an
    advantage of sorts, especially when they are in "private" mode.

    Of course some scripts to configure the installation would be required, because an ordinary user does not want to configure BIND. Some smart
    installer might be enough.

    Regards,
    Petr
