1 |
diff -Naurb squidGuard-1.4/doc/configuration.html squidGuard-1.4-dnsbl/doc/configuration.html |
2 |
--- squidGuard-1.4/doc/configuration.html 2007-11-16 17:58:32.000000000 +0100 |
3 |
+++ squidGuard-1.4-dnsbl/doc/configuration.html 2009-03-04 18:07:15.000000000 +0100 |
4 |
@@ -1630,6 +1630,15 @@ |
5 |
"<B><TT>^[^:/]+://[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}($|[:/])</TT></B>". |
6 |
</DD> |
7 |
<DT> |
8 |
+ <B>dnsbl</B> |
9 |
+ </DT> |
10 |
+ <DD> |
11 |
+ <B>!dnsbl</B> can be used to dynamically check domain names against |
12 |
+ DNS-based blacklists, such as black.uribl.com, which is the default. |
13 |
+ The DNS blacklist can be set to another domain by setting |
14 |
+ !dnsbl:your.blacklist.domain.com |
15 |
+ </DD> |
16 |
+ <DT> |
17 |
<B>any</B> |
18 |
</DT> |
19 |
<DD> |
20 |
@@ -2419,6 +2428,9 @@ |
21 |
even if they would match a blocking regex: |
22 |
<BR> |
23 |
<TT><B>+</B></TT> limiting the usage of IP-address URLs: |
24 |
+ <BR> |
25 |
+ <TT><B>+</B></TT> blocking sites known to be part of the |
26 |
+ black.uribl.com DNS blacklist. |
27 |
</P> |
28 |
|
29 |
<TT> |
30 |
@@ -2442,7 +2454,7 @@ |
31 |
|
32 |
acl { |
33 |
default { |
34 |
- pass local good !in-addr !porn all |
35 |
+ pass local good !in-addr !porn !dnsbl:black.uribl.com all |
36 |
redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u |
37 |
} |
38 |
} |
39 |
diff -Naurb squidGuard-1.4/doc/configuration.txt squidGuard-1.4-dnsbl/doc/configuration.txt |
40 |
--- squidGuard-1.4/doc/configuration.txt 2007-11-16 17:58:32.000000000 +0100 |
41 |
+++ squidGuard-1.4-dnsbl/doc/configuration.txt 2009-03-04 18:09:39.000000000 +0100 |
42 |
@@ -637,6 +637,12 @@ |
43 |
"^[^:/]+://[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9 |
44 |
]\{1,3\}($|[:/])". |
45 |
|
46 |
+ dnsbl |
47 |
+ !dnsbl can be used to dynamically check domain names against |
48 |
+ DNS-based blacklists, such as black.uribl.com, which is the default. |
49 |
+ The DNS blacklist can be set to another domain by setting |
50 |
+ !dnsbl:your.blacklist.domain.com |
51 |
+ |
52 |
any |
53 |
matches any URL and is a fast equivalent to the |
54 |
expression ".*". |
55 |
@@ -1052,6 +1058,7 @@ |
56 |
+ ensuring local and good sites are passed even if they would match a |
57 |
blocking regex: |
58 |
+ limiting the usage of IP-address URLs: |
59 |
+ + blocking sites known to be part of the black.uribl.com DNS blacklist: |
60 |
logdir /usr/local/squidGuard/log |
61 |
dbhome /usr/local/squidGuard/db |
62 |
|
63 |
@@ -1071,7 +1078,7 @@ |
64 |
|
65 |
acl { |
66 |
default { |
67 |
- pass local good !in-addr !porn all |
68 |
+ pass local good !in-addr !porn !dnsbl:black.uribl.com all |
69 |
redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n& |
70 |
clientuser=%i&clientgroup=%s&url=%u |
71 |
} |
72 |
diff -Naurb squidGuard-1.4/doc/extended.html squidGuard-1.4-dnsbl/doc/extended.html |
73 |
--- squidGuard-1.4/doc/extended.html 2007-11-16 17:58:37.000000000 +0100 |
74 |
+++ squidGuard-1.4-dnsbl/doc/extended.html 2009-03-04 18:15:59.000000000 +0100 |
75 |
@@ -168,6 +168,34 @@ |
76 |
</pre> |
77 |
</td></tr></table> |
78 |
<br><br> |
79 |
+ |
80 |
+<li> <a name=notIP> <b>Using online DNS blacklists</b></a><br><br> |
81 |
+Several DNS based databases can be used to block domain names referrenced in |
82 |
+blacklists. First choose which database you would like to trust (some well known |
83 |
+are : http://www.uribl.com/, or http://www.surbl.org/). |
84 |
+Be aware that this will raise several DNS requests every time squidGuard |
85 |
+receives a request to filter. SquidGuard will not cache any DNS result, so make |
86 |
+sure your DNS server does, and mesure the performance impact before using on |
87 |
+production. |
88 |
+To get squidGuard to request DNS dynamically and block listed domain names, just use : |
89 |
+<br><br> |
90 |
+<table width="75%" cellpadding="0" cellspacing="0" style="background-color: #f2fff0; border: solid 1px #2299bf;"> |
91 |
+<tr> |
92 |
+<td style="background-color: #77afaf; border-bottom: 1px solid #888;"> <font size="-1" color=white>Blocking domain names referenced in a DNS blacklist</font> |
93 |
+</td></tr> |
94 |
+<tr> |
95 |
+<td> |
96 |
+<pre> acl { |
97 |
+ default { |
98 |
+ pass !dnsbl:black.uribl.com all |
99 |
+ redirect http://localhost/block.html |
100 |
+ } |
101 |
+ } |
102 |
+</pre> |
103 |
+</td></tr> |
104 |
+</table> |
105 |
+<br><br> |
106 |
+ |
107 |
<li><a name=blocklog><b>Logging blocked access tries</b></a> |
108 |
<br><br> |
109 |
It may be of interest who is accessing blocked sites. To track that |
110 |
diff -Naurb squidGuard-1.4/doc/extended.txt squidGuard-1.4-dnsbl/doc/extended.txt |
111 |
--- squidGuard-1.4/doc/extended.txt 2007-11-16 17:58:32.000000000 +0100 |
112 |
+++ squidGuard-1.4-dnsbl/doc/extended.txt 2009-03-04 18:18:01.000000000 +0100 |
113 |
@@ -100,6 +100,29 @@ |
114 |
172.16.12.0/255.255.255.0 |
115 |
10.5.3.1/28 |
116 |
|
117 |
+ Using online DNS blacklists |
118 |
+ Several DNS based databases can be used to block domain names referrenced in |
119 |
+ blacklists. First choose which database you would like to trust (some well known |
120 |
+ are : http://www.uribl.com/, or http://www.surbl.org/). |
121 |
+ Be aware that this will raise several DNS requests every time squidGuard |
122 |
+ receives a request to filter. SquidGuard will not cache any DNS result, so make |
123 |
+ sure your DNS server does, and mesure the performance impact before using on |
124 |
+ production. |
125 |
+ To get squidGuard to request DNS dynamically and block listed domain names, just use : |
126 |
+acl { |
127 |
+ default { |
128 |
+ pass !dnsbl:black.uribl.com all |
129 |
+ redirect http://localhost/block.html |
130 |
+ } |
131 |
+} |
132 |
+ |
133 |
+ |
134 |
+ |
135 |
+ |
136 |
+ |
137 |
+ |
138 |
+ |
139 |
+ |
140 |
Logging blocked access tries |
141 |
It may be of interest who is accessing blocked sites. To track that |
142 |
down you can add a log directive to your src or dest definitions in |
143 |
diff -Naurb squidGuard-1.4/src/sg.h.in squidGuard-1.4-dnsbl/src/sg.h.in |
144 |
--- squidGuard-1.4/src/sg.h.in 2007-11-16 17:58:32.000000000 +0100 |
145 |
+++ squidGuard-1.4-dnsbl/src/sg.h.in 2009-03-04 17:38:32.000000000 +0100 |
146 |
@@ -68,6 +68,7 @@ |
147 |
#define ACL_TYPE_DEFAULT 1 |
148 |
#define ACL_TYPE_TERMINATOR 2 |
149 |
#define ACL_TYPE_INADDR 3 |
150 |
+#define ACL_TYPE_DNSBL 4 |
151 |
|
152 |
#define REQUEST_TYPE_REWRITE 1 |
153 |
#define REQUEST_TYPE_REDIRECT 2 |
154 |
@@ -301,6 +302,7 @@ |
155 |
|
156 |
struct AclDest { |
157 |
char *name; |
158 |
+ char *dns_suffix; |
159 |
struct Destination *dest; |
160 |
int access; |
161 |
int type; |
162 |
diff -Naurb squidGuard-1.4/src/sg.y.in squidGuard-1.4-dnsbl/src/sg.y.in |
163 |
--- squidGuard-1.4/src/sg.y.in 2008-05-17 20:25:18.000000000 +0200 |
164 |
+++ squidGuard-1.4-dnsbl/src/sg.y.in 2009-03-22 21:43:08.000000000 +0100 |
165 |
@@ -2253,6 +2274,7 @@ |
166 |
int allowed; |
167 |
#endif |
168 |
{ |
169 |
+ char *subval = NULL; |
170 |
struct Destination *dest = NULL; |
171 |
struct sgRewrite *rewrite = NULL; |
172 |
struct AclDest *acldest; |
173 |
@@ -2264,6 +2286,9 @@ |
174 |
allowed=0; |
175 |
else if(!strcmp(value,"in-addr")){ |
176 |
type = ACL_TYPE_INADDR; |
177 |
+ } else if (!strncmp(value,"dnsbl",5)) { |
178 |
+ subval = strstr(value,":"); |
179 |
+ type = ACL_TYPE_DNSBL; |
180 |
} else { |
181 |
if((dest = sgDestFindName(value)) == NULL){ |
182 |
sgLogFatalError("%s: ACL destination %s is not defined in configfile %s", |
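Review bot: The prefix match `!strncmp(value,"dnsbl",5)` at L354 captures every destination whose name merely begins with "dnsbl" (a user-defined `dest dnsblocked { ... }` would never be looked up and would silently become the online check instead), and it also accepts `dnsblxyz` with no separator. Match the keyword exactly: `} else if (!strcmp(value,"dnsbl") || !strncmp(value,"dnsbl:",6)) {` and take the suffix with `subval = strchr(value, ':');` (a single-character search, clearer than strstr). The enclosing function begins before this hunk, so the earlier `in-addr` comparison it mirrors is only partly visible.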
183 |
@@ -2278,6 +2303,25 @@ |
184 |
acldest->dest = dest; |
185 |
acldest->access = allowed; |
186 |
acldest->type = type; |
187 |
+ if (type == ACL_TYPE_DNSBL) |
188 |
+ { |
189 |
+ if ((subval==NULL) || (subval[1])=='\0')//Config does not define which dns domain to use |
190 |
+ { |
191 |
+ acldest->dns_suffix = (char *) sgCalloc(1,strlen(".black.uribl.com")+1); |
192 |
+ strcpy(acldest->dns_suffix, ".black.uribl.com"); |
193 |
+ }else{ |
194 |
+ subval=subval+1; |
195 |
+ if (strspn(subval,".-abcdefghijklmnopqrstuvwxyz0123456789") != |
196 |
+ strlen(subval) ) |
197 |
+ { |
198 |
+ sgLogFatalError("%s: provided dnsbl \"%s\" doesn't look like a valid domain suffix", |
199 |
+ progname,subval); |
200 |
+ } |
201 |
+ acldest->dns_suffix = (char *) sgCalloc(1,strlen(subval)+1); |
202 |
+ strcpy(acldest->dns_suffix, "."); |
203 |
+ strcat(acldest->dns_suffix,subval); |
204 |
+ } |
205 |
+ } |
206 |
acldest->next = NULL; |
207 |
if(lastAcl->pass == NULL){ |
208 |
lastAcl->pass = acldest; |
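Review bot: The user-supplied suffix branch has a one-byte heap overflow: `sgCalloc(1,strlen(subval)+1)` at L402 reserves room for the suffix and its terminator, but the following `strcpy(dns_suffix, ".")` plus `strcat(dns_suffix, subval)` write strlen(subval)+2 bytes. Allocate `acldest->dns_suffix = (char *) sgCalloc(1, strlen(subval)+2);` — or build it with a single `snprintf(buf, len, ".%s", subval)` so the size and the content are computed in one place. Separately, the allowlist at L390 rejects upper-case letters, so a mixed-case list name fatals at config load; either lower-case the value first or extend the set with `A-Z`, since DNS names are case-insensitive. The enclosing rule action starts before this hunk.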
209 |
@@ -2365,6 +2409,56 @@ |
210 |
return acl; |
211 |
} |
212 |
|
213 |
+char *strip_fqdn(char *domain) |
214 |
+{ |
215 |
+ char *result; |
216 |
+ result=strstr(domain,"."); |
217 |
+ if (result == NULL) |
218 |
+ return NULL; |
219 |
+ return (result+1); |
220 |
+} |
221 |
+ |
222 |
+int is_blacklisted(char *domain, char *suffix) |
223 |
+{ |
224 |
+ char target[MAX_BUF]; |
225 |
+ struct addrinfo *res; |
226 |
+ int result; |
227 |
+ //Copying domain to target |
228 |
+ if (strlen(domain)+strlen(suffix)+1>MAX_BUF) |
229 |
+ { |
230 |
+ //Buffer overflow risk - just return and accept |
231 |
+@NOLOG1@ |
232 |
+ if( globalDebug == 1 ) { sgLogError("dnsbl : too long domain name - accepting without actual check"); } |
233 |
+@NOLOG2@ |
234 |
+ return(0); |
235 |
+ } |
236 |
+ strncpy(target,domain,strlen(domain)+1); |
237 |
+ strcat(target,suffix); |
238 |
+ |
239 |
+ result = getaddrinfo(target,NULL,NULL,&res); |
240 |
+ if (result == 0) //Result is defined |
241 |
+ { |
242 |
+ freeaddrinfo(res); |
243 |
+ return 1; |
244 |
+ } |
245 |
+ //If anything fails (DNS server not reachable, any problem in the resolution, |
246 |
+ //let's not block anything. |
247 |
+ return 0; |
248 |
+} |
249 |
+ |
250 |
+int blocked_by_dnsbl(char *domain, char *suffix) |
251 |
+{ |
252 |
+ char *dn=domain; |
253 |
+ while ((dn !=NULL) && (strchr(dn,'.')!=NULL)) //No need to lookup "com.black.uribl.com" |
254 |
+ { |
255 |
+ if (is_blacklisted(dn,suffix)) |
256 |
+ return(1); |
257 |
+ dn=strip_fqdn(dn); |
258 |
+ } |
259 |
+ return 0; |
260 |
+} |
261 |
+ |
262 |
+ |
263 |
#if __STDC__ |
264 |
char *sgAclAccess(struct Source *src, struct Acl *acl, struct SquidInfo *req) |
265 |
#else |
266 |
@@ -2397,6 +2491,16 @@ |
267 |
} |
268 |
continue; |
269 |
} |
270 |
+ // http://www.yahoo.fr/ 172.16.2.32 - GET |
271 |
+ if(aclpass->type == ACL_TYPE_DNSBL){ |
272 |
+ if (req->dot) |
273 |
+ continue; |
274 |
+ if (blocked_by_dnsbl(req->domain, aclpass->dns_suffix)){ |
275 |
+ access=0; |
276 |
+ break; |
277 |
+ } |
278 |
+ continue; |
279 |
+ } |
280 |
if(aclpass->dest->domainlistDb != NULL){ |
281 |
result = defined(aclpass->dest->domainlistDb, req->domain, &dbdata); |
282 |
if(result != DB_NOTFOUND) { |
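Review bot: The leftover debug comment `// http://www.yahoo.fr/ 172.16.2.32 - GET` at L540 explains nothing to the next reader; replace it with one that states the rule, e.g. `/* dnsbl: skip hosts given as dotted IPs (req->dot) — the in-addr rule covers those — and block on a DNSBL hit */`, hedged until `req->dot`'s meaning is confirmed in the request parser. A DNSBL entry is the first `AclDest` with `dest == NULL` that reaches `access=0; break;` (L550–L552); the logging and redirect code after this loop is outside the hunk, so verify it does not dereference `aclpass->dest` for this type the way the database branches below do. sgAclAccess starts and ends outside the hunk.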