28.5. DNS Blacklist (Web filter)

The DNS Blacklist is a web filter implemented in the DNS relay: it refuses to resolve the domains listed as banned, so LAN hosts that use the Abilis as their only DNS server cannot reach those sites by name.

28.5.1. Enable DNS Blacklist resource

To enable the DNS blacklist, the DNS relay must be enabled (RELAY:YES) and the RELAY-BLACKLIST parameter must be set to yes:

[10:51:02] ABILIS_CPX:s p dns relay:yes

COMMAND EXECUTED

[10:52:17] ABILIS_CPX:s p dns relay-blacklist:yes

COMMAND EXECUTED

[10:52:33] ABILIS_CPX:d p dns

RES:Dns - Not Saved (SAVE CONF), Not Refreshed (INIT) -------------------------
Run    DESCR:Domain_Name_System
       LOG:NO           ACT:YES
       udp-locport:53   SRCADD:OUT-IP                      TOS:0-N
       wdir:C:\APP\DNS\
       - Resolver -------------------------------------------------------------
       SERVERS:AUTO
       PRIMARY:008.008.008.008   SECONDARY:008.008.004.004
       DELAY:5                   RTY:1
       CACHE:YES                 cache-size:500
       - Relay/Server ---------------------------------------------------------
       RELAY:YES                 relay-size:500            RELAY-TOUT:10
       RELAY-BLACKLIST:YES       RELAY-BLACKLIST-BYPASS:#
       SERVER:NO
       IPSRC:*                   IPSRCLIST:#  
Caution

To activate changes made to the upper-case parameters, execute the initialization command init res:dns. Changes made to the lower-case parameters require a save conf followed by an Abilis restart (e.g. with the warm start command).

Note

Check that the PCs are configured with the right DNS server: each PC must have exactly one DNS server, and it must be the local gateway (the Abilis). For PCs with dynamically assigned IP addresses, check the DHCP server configuration on the Abilis (DNS1 must be the Abilis LAN address and DNS2 must be left empty):

[11:42:38] ABILIS_CPX:d dhcp prof:1

Parameter:   | Value:
-------------+-----------------------------------------------------------------
PROF:          1
NAME:          
TTL:           0
KEEPALIVE:     0
NB-SCOPE-ID:   
NB-NODE-TYPE:  UNK
DOMAIN:        
GW1:           192.168.029.254
GW2:           #              
GW3:           #              
DNS1:          192.168.029.254
DNS2:          #
SMTP:          #              
POP3:          #              
NNTP:          #              
WWW:           #              
FINGER:        #              
IRC:           #              
NTP:           #              
TIME:          #              
WINS1:         #              
WINS2:         #              
TFTP:          
BOOTFILE:      
-------------------------------------------------------------------------------
Note

A user who deliberately changes the DNS server on a PC to an external resolver would bypass the blacklist, so the IP access list must also block DNS requests that do not go to the internal DNS. Use the following commands to add the filters to the IP access list: the two permit rules keep UDP/53 traffic to and from the internal resource (INT), and the deny rule drops every other UDP/53 packet. Note that these filters match UDP port 53 only: DNS carried over TCP port 53, over TLS (port 853) or over HTTPS (port 443) is not covered by them.

[12:01:22] ABILIS_CPX:a ipacl pr:2 type:permit descr:Allow_TO_internal_DNS sa:* da:* spo:* prot:udp dpo:53 dres:INT

COMMAND EXECUTED 

[12:01:42] ABILIS_CPX:a ipacl pr:3 type:permit descr:Allow_FROM_internal_DNS sa:* da:* spo:* prot:udp dpo:53 sres:INT

COMMAND EXECUTED 

[12:04:42] ABILIS_CPX:a ipacl pr:4 type:deny descr:Deny_DNS_globally sa:* da:* spo:* prot:udp dpo:53                 

COMMAND EXECUTED 

[15:08:29] ABILIS_CPX:d ipacl

IPRTR resource parameters:  ACL:YES       ACLBYPASS:#
                            COS:ENABLED   COSDFT:NORMAL

Tot-IPACL-Number:5

-------------------------------------------------------------------------------
PR: [DESCR:]
    TYPE:  SA:                             PROT:              ICMP-TYPE:
    IPCOS: DA:                             SPO:/PO:           DPO:
    TOS-O: TOS-I:                          SRES:              DRES:
           TI:
...
-------------------------------------------------------------------------------
2   [Allow_TO_internal_DNS]
    PERMIT *                               udp                
    DFT    *                               *                  dns(53)
    *      *                               *                  INT
-------------------------------------------------------------------------------
3   [Allow_FROM_internal_DNS]
    PERMIT *                               udp                
    DFT    *                               *                  dns(53)
    *      *                               INT                *
-------------------------------------------------------------------------------
4   [Deny_DNS_globally]
    DENY   *                               udp                
    DFT    *                               *                  dns(53)
-------------------------------------------------------------------------------
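As an added example (not part of the Abilis documentation or software): a small client-side check, run from a LAN PC, that the access list above does what it should. It assumes the gateway address 192.168.29.254 from the DHCP profile shown earlier and the 8.8.8.8 resolver from the DNS parameters; the query builder, reply parser and verdict logic are exercised on constructed packets, so only probe() touches the network.

```python
"""Check from a LAN PC that DNS is only reachable through the Abilis relay.

Added example, not Abilis code.  Assumptions (not stated on the page):
 - the LAN gateway / DNS relay is 192.168.29.254 (DNS1 of the DHCP profile),
 - 8.8.8.8 is a resolver outside the LAN that ACL pr:4 should block,
 - the ACL matches UDP/53 only, as the rules above are written.
"""
import socket
import struct

GATEWAY_DNS = "192.168.29.254"   # assumed: DNS1 from the DHCP profile
EXTERNAL_DNS = "8.8.8.8"         # assumed: PRIMARY resolver from 'd p dns'
TIMEOUT = 2.0                    # seconds to wait for a UDP reply
TXID = 0x1234                    # fixed transaction id, fine for a one-off probe

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=TXID):
    """Minimal DNS wire-format query: one A question, RD=1, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_reply(data, txid=TXID):
    """Return (rcode, answer_count) for a reply to our query, else None."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not (flags & 0x8000):  # wrong id, or not a response
        return None
    return flags & 0x000F, an


def status_of(data, txid=TXID):
    """Human-readable status of a raw reply: the rcode name, or MALFORMED."""
    parsed = parse_reply(data, txid)
    if parsed is None:
        return "MALFORMED"
    rcode, _an = parsed
    return RCODES.get(rcode, "RCODE%d" % rcode)


def probe(server, name):
    """Send one UDP/53 query.  TIMEOUT is what a correctly applied ACL pr:4
    should produce for any server outside the LAN (the packet is dropped)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(TIMEOUT)
        try:
            s.sendto(build_query(name), (server, 53))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT"
    return status_of(data)


def verdict(gateway_status, external_status):
    """Combine the two probes into one line an operator can act on."""
    if external_status != "TIMEOUT":
        return "LEAK: external resolver answered (%s); ACL pr:4 is not effective" % external_status
    if gateway_status in ("TIMEOUT", "MALFORMED"):
        return "BROKEN: relay gave %s; check RELAY:YES and ACL pr:2/pr:3" % gateway_status
    return "OK: relay answers (%s), external DNS blocked" % gateway_status


if __name__ == "__main__":
    name = "example.com"          # the domain banned later in this section
    g = probe(GATEWAY_DNS, name)
    e = probe(EXTERNAL_DNS, name)
    print("gateway :", g)
    print("external:", e)
    print(verdict(g, e))
```

Run it from a PC inside the LAN after the three ipacl commands: the expected outcome is a reply from the gateway and a timeout from 8.8.8.8. If the external probe answers, rule pr:4 is not in effect (IPACL not activated, or the rule ordered after a broader permit).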
Note

The IPACL must already be active (ACL:YES in the IPRTR resource parameters, as shown above). Refer to Section 23.1.2, “Activating IPACL”.

Note

Banning a domain does not remove answers that the PCs have already cached. To make the block take effect immediately, flush the DNS cache on the client computers (for example with ipconfig /flushdns on Windows).

28.5.2. DNS Blacklist tables

The following command shows the domains that the relay has resolved so far; this is the list from which domains are picked for banning:

[10:55:50] ABILIS_CPX:d dns blacklist resolved

Resolved domains (9/2000):

FQDN
-------------------------------------------------------------------------------
- fhr.data.mozilla.com
- dns.msftncsi.com
- gtssl-ocsp.geotrust.com
- example.com
- www.iana.org
- antek.it
- www.aylook.com
- www.antek.it
- www.elettrorapido.com
-------------------------------------------------------------------------------

To add a domain to the list of banned domains, use the following command:

[10:56:08] ABILIS_CPX:a dns blacklist banned dn:example.com

COMMAND EXECUTED

[10:56:34] ABILIS_CPX:d dns blacklist banned

Banned domains (1/2000):

DN
-------------------------------------------------------------------------------
- example.com
-------------------------------------------------------------------------------

To remove a domain from the list of banned domains, use the following command:

[10:56:48] ABILIS_CPX:c dns blacklist banned dn:example.com
                                                                     
COMMAND EXECUTED

28.5.3. DNS Blacklist management through the web interface

To manage the DNS Blacklist using the web interface, go to the Abilis homepage, log in and click on Web filter.

Figure 28.1. DNS Blacklist web interface 1


There are two ways to put a domain in the banned domains list:

  • Select the domain from the 'Resolved domains' list and click on 'Full domain', '2nd level', '3rd level' or '4th level' (for fhr.data.mozilla.com the 2nd level is mozilla.com and the 3rd level is data.mozilla.com).

  • Insert the domain into the textbox near to the 'Ban domain' button and click Ban domain.

Click on Submit to save and apply the changes.
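As an added example (not Abilis code): a short script to work out, before submitting, which of the resolved domains a given ban entry would cover. The page does not state how a banned entry is matched; the script assumes the usual suffix semantics, that banning mozilla.com covers fhr.data.mozilla.com and every other name below it, but not an unrelated name that merely ends in the same characters. The sample names are the 'Resolved domains' list shown earlier in this section.

```python
"""Preview what a 'Banned domains' entry would cover.

Added example, not Abilis code.  ASSUMPTION (the page does not say how a ban
is matched): an entry covers the name itself and every name below it, so a
'2nd level' ban on mozilla.com also covers fhr.data.mozilla.com.  RESOLVED
is the 'Resolved domains' list shown earlier in this section.
"""

RESOLVED = [
    "fhr.data.mozilla.com", "dns.msftncsi.com", "gtssl-ocsp.geotrust.com",
    "example.com", "www.iana.org", "antek.it", "www.aylook.com",
    "www.antek.it", "www.elettrorapido.com",
]


def normalize(name):
    """Canonical form for comparison: no surrounding blanks, no trailing dot, lower case."""
    return name.strip().rstrip(".").lower()


def ban_at_level(fqdn, level=None):
    """The entry the web interface's buttons produce from a selected name:
    'Full domain' (level=None) keeps it whole; '2nd level' keeps the last two
    labels, '3rd level' the last three, and so on.  Asking for more levels
    than the name has falls back to the full name."""
    labels = normalize(fqdn).split(".")
    if level is None or level >= len(labels):
        return ".".join(labels)
    return ".".join(labels[-level:])


def is_banned(fqdn, banned):
    """True if fqdn equals a banned entry or sits below it.  The label
    boundary is enforced: 'notantek.it' is NOT covered by a ban on 'antek.it'."""
    name = normalize(fqdn)
    for entry in banned:
        entry = normalize(entry)
        if name == entry or name.endswith("." + entry):
            return True
    return False


def coverage(banned, resolved=RESOLVED):
    """Resolved names that would be blocked by the given ban list."""
    return [name for name in resolved if is_banned(name, banned)]


if __name__ == "__main__":
    pick = "fhr.data.mozilla.com"
    for level in (None, 2, 3):
        entry = ban_at_level(pick, level)
        label = "Full domain" if level is None else "%d level" % level
        print("%-11s -> %-22s covers %s" % (label, entry, coverage([entry])))
```

The label-boundary check in is_banned is the part worth keeping: a plain endswith() test would let a ban on antek.it also swallow any future name such as notantek.it.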

Figure 28.2. DNS Blacklist web interface 2


To remove a domain from the Banned list, select it and click on Remove. Click on Submit to save and apply the changes.

Figure 28.3. DNS Blacklist web interface 3
