Please note: This article is an overview, (as configuration options may vary from version to version).
It is recommended that you test this config in a lab-environment before implementing this in production.
Initial Configuration.
Using SSH, (as root,) create a file called aaa-pdns.conf in the /etc/httpd/conf.d/
Run the following commands to start/restart the services and enable them to launch on-boot.
-
service pdns-recursor start
-
chkconfig pdns-recursor on
-
service dnsdist start
-
chkconfig dnsdist on
-
service httpd restart
Next, confirm that your system's DNS servers are set correctly in /etc/resolv.conf & configure your workstation to use your policy server's IP as the primary DNS.
Additional Considerations.
Please be aware that you cannot filter based on any paths or CGI parameters. Fundamentally we act as a DNS server where we serve the correct IP for an allowed DNS A/AAAA query, and the deny page IP for a denied DNS A/AAAA query.
This means:
- no safe search enforcement (though this can be done with DNS rewriting and there are plans to make this possible)
- no search keywords
- no disable filtering
- domain level filtering only
Testing & Troubleshooting tips
1) Use nslookup to test a denied site
[root@nsp ~]# nslookup
> server localhost
Default server: localhost
Address: 127.0.0.1#53
Default server: localhost
Address: 127.0.0.1#53
> guns.com
Server: localhost
Address: 127.0.0.1#53
Non-authoritative answer:
Name: guns.com
Address: 172.20.0.109 <-- Policy Server IP
2) Use tcpdump filtered for port 53/5300 requests
[root@nsp ~]# tcpdump -ni eth0 port 53 | grep guns.com