diff -Naurb squidGuard-1.4/doc/configuration.html squidGuard-1.4-dnsbl/doc/configuration.html
--- squidGuard-1.4/doc/configuration.html 2007-11-16 17:58:32.000000000 +0100
+++ squidGuard-1.4-dnsbl/doc/configuration.html 2009-03-04 18:07:15.000000000 +0100
@@ -1630,6 +1630,15 @@
"^[^:/]+://[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}($|[:/])".
+ dnsbl
+
+
+ !dnsbl can be used to dynamically check domain names against
+ DNS-based blacklists, such as black.uribl.com, which is the default.
+ The DNS blacklist can be set to another domain by setting
+ !dnsbl:your.blacklist.domain.com
+
+
any
@@ -2419,6 +2428,9 @@
even if they would match a blocking regex:
+ limiting the usage of IP-address URLs:
+
+ + blocking sites known to be part of the
+ black.uribl.com DNS blacklist.
@@ -2442,7 +2454,7 @@
acl {
default {
- pass local good !in-addr !porn all
+ pass local good !in-addr !porn !dnsbl:black.uribl.com all
redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u
}
}
diff -Naurb squidGuard-1.4/doc/configuration.txt squidGuard-1.4-dnsbl/doc/configuration.txt
--- squidGuard-1.4/doc/configuration.txt 2007-11-16 17:58:32.000000000 +0100
+++ squidGuard-1.4-dnsbl/doc/configuration.txt 2009-03-04 18:09:39.000000000 +0100
@@ -637,6 +637,12 @@
"^[^:/]+://[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9
]\{1,3\}($|[:/])".
+ dnsbl
+ !dnsbl can be used to dynamically check domain names against
+ DNS-based blacklists, such as black.uribl.com, which is the default.
+ The DNS blacklist can be set to another domain by setting
+ !dnsbl:your.blacklist.domain.com
+
any
matches any URL and is a fast equivalent to the
expression ".*".
@@ -1052,6 +1058,7 @@
+ ensuring local and good sites are passed even if they would match a
blocking regex:
+ limiting the usage of IP-address URLs:
+ + blocking sites known to be part of the black.uribl.com DNS blacklist:
logdir /usr/local/squidGuard/log
dbhome /usr/local/squidGuard/db
@@ -1071,7 +1078,7 @@
acl {
default {
- pass local good !in-addr !porn all
+ pass local good !in-addr !porn !dnsbl:black.uribl.com all
redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&
clientuser=%i&clientgroup=%s&url=%u
}
diff -Naurb squidGuard-1.4/doc/extended.html squidGuard-1.4-dnsbl/doc/extended.html
--- squidGuard-1.4/doc/extended.html 2007-11-16 17:58:37.000000000 +0100
+++ squidGuard-1.4-dnsbl/doc/extended.html 2009-03-04 18:15:59.000000000 +0100
@@ -168,6 +168,34 @@
+
+ Using online DNS blacklists
+Several DNS based databases can be used to block domain names referrenced in
+blacklists. First choose which database you would like to trust (some well known
+are : http://www.uribl.com/, or http://www.surbl.org/).
+Be aware that this will raise several DNS requests every time squidGuard
+receives a request to filter. SquidGuard will not cache any DNS result, so make
+sure your DNS server does, and mesure the performance impact before using on
+production.
+To get squidGuard to request DNS dynamically and block listed domain names, just use :
+
+
+
+ Blocking domain names referenced in a DNS blacklist
+ |
+
+
+ acl {
+ default {
+ pass !dnsbl:black.uribl.com all
+ redirect http://localhost/block.html
+ }
+ }
+
+ |
+
+
+
Logging blocked access tries
It may be of interest who is accessing blocked sites. To track that
diff -Naurb squidGuard-1.4/doc/extended.txt squidGuard-1.4-dnsbl/doc/extended.txt
--- squidGuard-1.4/doc/extended.txt 2007-11-16 17:58:32.000000000 +0100
+++ squidGuard-1.4-dnsbl/doc/extended.txt 2009-03-04 18:18:01.000000000 +0100
@@ -100,6 +100,29 @@
172.16.12.0/255.255.255.0
10.5.3.1/28
+ Using online DNS blacklists
+ Several DNS based databases can be used to block domain names referrenced in
+ blacklists. First choose which database you would like to trust (some well known
+ are : http://www.uribl.com/, or http://www.surbl.org/).
+ Be aware that this will raise several DNS requests every time squidGuard
+ receives a request to filter. SquidGuard will not cache any DNS result, so make
+ sure your DNS server does, and mesure the performance impact before using on
+ production.
+ To get squidGuard to request DNS dynamically and block listed domain names, just use :
+acl {
+ default {
+ pass !dnsbl:black.uribl.com all
+ redirect http://localhost/block.html
+ }
+}
+
+
+
+
+
+
+
+
Logging blocked access tries
It may be of interest who is accessing blocked sites. To track that
down you can add a log directive to your src or dest definitions in
diff -Naurb squidGuard-1.4/src/sg.h.in squidGuard-1.4-dnsbl/src/sg.h.in
--- squidGuard-1.4/src/sg.h.in 2007-11-16 17:58:32.000000000 +0100
+++ squidGuard-1.4-dnsbl/src/sg.h.in 2009-03-04 17:38:32.000000000 +0100
@@ -68,6 +68,7 @@
#define ACL_TYPE_DEFAULT 1
#define ACL_TYPE_TERMINATOR 2
#define ACL_TYPE_INADDR 3
+#define ACL_TYPE_DNSBL 4
#define REQUEST_TYPE_REWRITE 1
#define REQUEST_TYPE_REDIRECT 2
@@ -301,6 +302,7 @@
struct AclDest {
char *name;
+ char *dns_suffix;
struct Destination *dest;
int access;
int type;
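Review bot: The new `dns_suffix` field is undocumented, and nothing in the header says who sets it or in what form; a reader cannot tell that it carries a leading dot or that it is only meaningful for `ACL_TYPE_DNSBL` entries. Suggest `char *dns_suffix; /* DNSBL zone with leading dot, e.g. ".black.uribl.com"; set only when type == ACL_TYPE_DNSBL */`. Whether it is NULL for the other types depends on the `AclDest` allocation zeroing the struct, which this diff does not show, so confirm that before stating it in the comment. `struct AclDest` continues past the hunk.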
diff -Naurb squidGuard-1.4/src/sg.y.in squidGuard-1.4-dnsbl/src/sg.y.in
--- squidGuard-1.4/src/sg.y.in 2008-05-17 20:25:18.000000000 +0200
+++ squidGuard-1.4-dnsbl/src/sg.y.in 2009-03-22 21:43:08.000000000 +0100
@@ -2253,6 +2274,7 @@
int allowed;
#endif
{
+ char *subval = NULL;
struct Destination *dest = NULL;
struct sgRewrite *rewrite = NULL;
struct AclDest *acldest;
@@ -2264,6 +2286,9 @@
allowed=0;
else if(!strcmp(value,"in-addr")){
type = ACL_TYPE_INADDR;
+ } else if (!strncmp(value,"dnsbl",5)) {
+ subval = strstr(value,":");
+ type = ACL_TYPE_DNSBL;
} else {
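Review bot: `strncmp(value,"dnsbl",5)` in the new `else if` matches any ACL destination whose name merely starts with `dnsbl` (a list called `dnsblock`, say), silently turning it into a DNS-blacklist lookup instead of reaching the "destination not defined" fatal error below, and `strstr(value,":")` then accepts a colon anywhere in the string rather than right after the keyword. Match the keyword exactly: `} else if (!strcmp(value,"dnsbl") || !strncmp(value,"dnsbl:",6)) {` followed by `subval = (value[5] == ':') ? value + 5 : NULL;`. The enclosing function starts and ends outside this hunk.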
if((dest = sgDestFindName(value)) == NULL){
sgLogFatalError("%s: ACL destination %s is not defined in configfile %s",
@@ -2278,6 +2303,25 @@
acldest->dest = dest;
acldest->access = allowed;
acldest->type = type;
+ if (type == ACL_TYPE_DNSBL)
+ {
+ if ((subval==NULL) || (subval[1])=='\0')//Config does not define which dns domain to use
+ {
+ acldest->dns_suffix = (char *) sgCalloc(1,strlen(".black.uribl.com")+1);
+ strcpy(acldest->dns_suffix, ".black.uribl.com");
+ }else{
+ subval=subval+1;
+ if (strspn(subval,".-abcdefghijklmnopqrstuvwxyz0123456789") !=
+ strlen(subval) )
+ {
+ sgLogFatalError("%s: provided dnsbl \"%s\" doesn't look like a valid domain suffix",
+ progname,subval);
+ }
+ acldest->dns_suffix = (char *) sgCalloc(1,strlen(subval)+1);
+ strcpy(acldest->dns_suffix, ".");
+ strcat(acldest->dns_suffix,subval);
+ }
+ }
acldest->next = NULL;
if(lastAcl->pass == NULL){
lastAcl->pass = acldest;
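Review bot: The explicit-zone branch allocates `strlen(subval)+1` bytes and then writes the leading `"."`, `subval` and the terminating NUL into it, which is `strlen(subval)+2` bytes, so the `strcat` overruns the heap buffer by one byte on every configuration that uses `!dnsbl:zone`. Change the allocation to `acldest->dns_suffix = (char *) sgCalloc(1,strlen(subval)+2);`, or build the string with one bounded `snprintf` into a buffer sized that way. The `strspn` character check also rejects upper-case letters although DNS names are case-insensitive, and it accepts an empty label (`foo..com`) or a leading dot; since the value comes from the local config file this is a usability rather than a safety point. The enclosing function starts and ends outside this hunk.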
@@ -2365,6 +2409,56 @@
return acl;
}
+char *strip_fqdn(char *domain)
+{
+ char *result;
+ result=strstr(domain,".");
+ if (result == NULL)
+ return NULL;
+ return (result+1);
+}
+
+int is_blacklisted(char *domain, char *suffix)
+{
+ char target[MAX_BUF];
+ struct addrinfo *res;
+ int result;
+ //Copying domain to target
+ if (strlen(domain)+strlen(suffix)+1>MAX_BUF)
+ {
+ //Buffer overflow risk - just return and accept
+@NOLOG1@
+ if( globalDebug == 1 ) { sgLogError("dnsbl : too long domain name - accepting without actual check"); }
+@NOLOG2@
+ return(0);
+ }
+ strncpy(target,domain,strlen(domain)+1);
+ strcat(target,suffix);
+
+ result = getaddrinfo(target,NULL,NULL,&res);
+ if (result == 0) //Result is defined
+ {
+ freeaddrinfo(res);
+ return 1;
+ }
+ //If anything fails (DNS server not reachable, any problem in the resolution,
+ //let's not block anything.
+ return 0;
+}
+
+int blocked_by_dnsbl(char *domain, char *suffix)
+{
+ char *dn=domain;
+ while ((dn !=NULL) && (strchr(dn,'.')!=NULL)) //No need to lookup "com.black.uribl.com"
+ {
+ if (is_blacklisted(dn,suffix))
+ return(1);
+ dn=strip_fqdn(dn);
+ }
+ return 0;
+}
+
+
#if __STDC__
char *sgAclAccess(struct Source *src, struct Acl *acl, struct SquidInfo *req)
#else
@@ -2397,6 +2491,16 @@
}
continue;
}
+ // http://www.yahoo.fr/ 172.16.2.32 - GET
+ if(aclpass->type == ACL_TYPE_DNSBL){
+ if (req->dot)
+ continue;
+ if (blocked_by_dnsbl(req->domain, aclpass->dns_suffix)){
+ access=0;
+ break;
+ }
+ continue;
+ }
if(aclpass->dest->domainlistDb != NULL){
result = defined(aclpass->dest->domainlistDb, req->domain, &dbdata);
if(result != DB_NOTFOUND) {
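Review bot: The new `ACL_TYPE_DNSBL` branch hard-codes `access=0` when a domain is listed and ignores `aclpass->access`, which is the `allowed` flag the parser stores per pass entry (`acldest->access = allowed`), so a `pass dnsbl:zone` entry written without `!` blocks instead of allowing, unlike what the stored flag says. Use the stored flag: `access = aclpass->access;` in place of `access=0;`. The `// http://www.yahoo.fr/ 172.16.2.32 - GET` line above the branch reads as a leftover debugging note; replace it with a comment stating what the branch does, and say what `req->dot` guards (presumably IP-literal hosts, which cannot be looked up in a domain blacklist). `sgAclAccess` starts and ends outside this hunk.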