diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 93eeb1213..13a890141 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,5 @@
PLUGIN_NAME= bind
-PLUGIN_VERSION= 1.3
+PLUGIN_VERSION= 1.4
PLUGIN_COMMENT= BIND domain name service
PLUGIN_DEPENDS= bind912
PLUGIN_MAINTAINER= m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 2d2daa1fb..85705e64c 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -4,4 +4,34 @@ one computer can find another computer on the basis of its name.
The BIND software distribution contains all of the software
necessary for asking and answering name service questions.
+
+Plugin Changelog
+================
+
+1.4
+
+* Add Bing and DuckDuckGo Strict Search
+* Add 5 new blacklists to DNSBL (Hbbtv, Simple Ad, Simple Tracker, StevenBlack, Zeus Tracker)
+* Ability to hide system hostname and version
+* Rate-Limiting support
+
+1.3
+
+* Add Google Safe Search
+* Add Youtube Adult Filter
+
+1.2
+
+* Add Log Viewer
+* Removed too big PornAll list
+
+1.1
+
+* Add 3 new blacklists to DNSBL (EMD, PornTop1M, PornAll)
+
+1.0
+
+* Initial release
+
+
WWW: https://www.isc.org
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dnsbl.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dnsbl.xml
index 227260813..43785baa6 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dnsbl.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dnsbl.xml
@@ -25,10 +25,22 @@
checkbox
This will force SafeSearch.
+
+ dnsbl.forcesafeduckduckgo
+
+ checkbox
+ This will force SafeSearch.
+
dnsbl.forcesafeyoutube
checkbox
This will force safe Youtube browsing.
+
+ dnsbl.forcestrictbing
+
+ checkbox
+ This will force safe search when using Bing.
+
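Review bot: The help text added for dnsbl.forcesafeduckduckgo is the same generic `This will force SafeSearch.` already used by the entry above it, so it does not tell the two checkboxes apart. It also omits a dependency visible in the named.conf hunks of this commit: the rpzduckduckgo and rpzbing zones are emitted only when `OPNsense.bind.dnsbl.enabled` is '1', so ticking either box with DNSBL disabled changes nothing. Suggested wording: `Force DuckDuckGo Safe Search for clients that resolve through this server. Requires DNSBL to be enabled.`, with the matching sentence for Bing. Element names are not visible in this rendering, so the labels may already name the engine.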
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
index a1658cedb..3a7db5343 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
@@ -59,4 +59,41 @@
dropdown
Default is "No". Set to "Auto" to use the static trust anchor configuration by the system.
+
+ general.hidehostname
+
+ checkbox
+ true
+ This will hide the system hostname for DNS queries.
+
+
+ general.hideversion
+
+ checkbox
+ true
+ This will hide the local BIND version in DNS queries.
+
+
+ general.enableratelimiting
+
+ checkbox
+ true
+ This will enable rate-limiting for DNS replies.
+
+
+ general.ratelimitcount
+
+ text
+ true
+ Set how many replies per second are allowed.
+
+
+ general.ratelimitexcept
+
+
+ select_multiple
+ true
+ true
+ Except a list of IPs from rate-limiting like ::1
+
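Review bot: The help text for general.ratelimitexcept, `Except a list of IPs from rate-limiting like ::1`, is hard to parse and does not say whether networks are accepted or only single addresses. Something like `Clients exempt from rate-limiting, e.g. 127.0.0.1 or ::1.` reads more clearly. The hidehostname and hideversion texts could state what is actually suppressed: judging by the named.conf hunk they set `hostname none;` and `version none;`, which stop named from answering hostname.bind and version.bind queries, not ordinary lookups. The ratelimitcount text could also repeat the 1–1000 range that the model enforces.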
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Dnsbl.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Dnsbl.xml
index 9a0b151fc..7a689fece 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Dnsbl.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Dnsbl.xml
@@ -1,7 +1,7 @@
//OPNsense/bind/dnsbl
DNSBL configuration
- 1.0.4
+ 1.0.5
0
@@ -17,12 +17,17 @@
Easy List
EMD Malicious Domains List
Easyprivacy List
+ Hbbtv List
Malwaredomain List
NoCoin List
PornTop1M List
Ransomware Tracker List
+ Simple Ad List
+ Simple Tracker List
+ Steven Black List
Windows Spyware Blocker
YoYo List
+ ZeusTracker Abuse.ch List
@@ -32,9 +37,17 @@
0
Y
+
+ 0
+ Y
+
0
Y
+
+ 0
+ Y
+
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
index 006bac894..5edbb8abf 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
@@ -1,7 +1,7 @@
//OPNsense/bind/general
BIND configuration
- 1.0.4
+ 1.0.5
0
@@ -67,5 +67,29 @@
N
Y
+
+ 0
+ Y
+
+
+ 0
+ Y
+
+
+ 0
+ Y
+
+
+ N
+ 1
+ 1000
+ Choose a value between 1 and 1000.
+
+
+ 127.0.0.1,::1
+ ,
+ Y
+ Y
+
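Review bot: The rate-limit count looks optional and has no default here (the `N` ahead of the 1/1000 bounds; element names are not visible in this rendering), while the named.conf hunk emits the `rate-limit` block only when enableratelimiting is '1' and ratelimitcount is non-empty. Enabling the checkbox and leaving the count blank would therefore produce a configuration with no rate limiting and no validation error. Giving the count a default value, or adding a constraint that requires it when rate limiting is enabled, would close that gap. The default exemption list appears to be loopback only (`127.0.0.1,::1`), so on a resolver serving a LAN the limit would apply to every internal client unless the administrator adds them; a comment noting that would help.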
diff --git a/dns/bind/src/opnsense/scripts/OPNsense/Bind/dnsbl.sh b/dns/bind/src/opnsense/scripts/OPNsense/Bind/dnsbl.sh
index fd48375b0..e95a54ae3 100755
--- a/dns/bind/src/opnsense/scripts/OPNsense/Bind/dnsbl.sh
+++ b/dns/bind/src/opnsense/scripts/OPNsense/Bind/dnsbl.sh
@@ -126,6 +126,41 @@ yoyo() {
rm ${WORKDIR}/yoyo-raw
}
+stevenblack() {
+ # StevenBlack
+ ${FETCH} https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts -o ${WORKDIR}/stevenblack-raw
+ sed "/\.$/d" ${WORKDIR}/stevenblack-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/stevenblack
+ rm ${WORKDIR}/stevenblack-raw
+}
+
+hbbtv() {
+ # HBBTV List
+ ${FETCH} https://raw.githubusercontent.com/Akamaru/Pi-Hole-Lists/master/hbbtv.txt -o ${WORKDIR}/hbbtv-raw
+ sed "/\.$/d" ${WORKDIR}/hbbtv-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/hbbtv
+ rm ${WORKDIR}/hbbtv-raw
+}
+
+simplead() {
+ # Simple Ad List
+ ${FETCH} https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt -o ${WORKDIR}/simplead-raw
+ sed "/\.$/d" ${WORKDIR}/simplead-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/simplead
+ rm ${WORKDIR}/simplead-raw
+}
+
+simpletrack() {
+ # Simple Tracking List
+ ${FETCH} https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt -o ${WORKDIR}/simpletrack-raw
+ sed "/\.$/d" ${WORKDIR}/simpletrack-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/simpletrack
+ rm ${WORKDIR}/simpletrack-raw
+}
+
+zeusabuse() {
+ # Zeus Tracker List from abuse.ch
+ ${FETCH} https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist -o ${WORKDIR}/zeusabuse-raw
+ sed "/\.$/d" ${WORKDIR}/zeusabuse-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/zeusabuse
+ rm ${WORKDIR}/zeusabuse-raw
+}
+
install() {
# Put all files in correct format
for FILE in $(find ${WORKDIR} -type f); do
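Review bot: None of the five new functions checks whether `${FETCH}` succeeded or whether the download looks like a host list before it is written to `${WORKDIR}/<name>`. A failed fetch or an HTML error page from one of these third-party hosts would pass the sed filters and reach install(), whose body continues outside this hunk. Failing early and keeping only hostname-shaped lines would help, e.g. `${FETCH} "<url>" -o "${WORKDIR}/zeusabuse-raw" || return 1` and a final `grep -E '^[A-Za-z0-9.-]+$'` stage before the redirect. The zeusabuse URL contains an unquoted `?`, which the shell treats as a glob character, so it should be quoted, as should the `${WORKDIR}` paths. The identical sed chain repeated in hbbtv, simplead, simpletrack and zeusabuse could move into one helper, so a filter fix lands in all lists at once.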
@@ -164,6 +199,9 @@ for CAT in $(echo ${DNSBL} | tr ',' ' '); do
emd)
emdlist
;;
+ ht)
+ hbbtv
+ ;;
nc)
nocoin
;;
@@ -179,12 +217,24 @@ for CAT in $(echo ${DNSBL} | tr ',' ' '); do
pt)
porntop
;;
+ sa)
+ simplead
+ ;;
+ sb)
+ stevenblack
+ ;;
+ st)
+ simpletrack
+ ;;
ws)
windowsspyblocker
;;
yy)
yoyo
;;
+ za)
+ zeusabuse
+ ;;
esac
done
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/+TARGETS b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/+TARGETS
index 671cf90e9..bf8b53508 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/+TARGETS
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/+TARGETS
@@ -1,4 +1,6 @@
+bing.db:/usr/local/etc/namedb/master/bing.db
blacklist.db:/usr/local/etc/namedb/master/blacklist.db
+duckduckgo.db:/usr/local/etc/namedb/master/duckduckgo.db
google.db:/usr/local/etc/namedb/master/google.db
named:/etc/rc.conf.d/named
named.conf:/usr/local/etc/namedb/named.conf
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/bing.db b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/bing.db
new file mode 100644
index 000000000..09d6b4f73
--- /dev/null
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/bing.db
@@ -0,0 +1,14 @@
+$TTL 86400
+@ IN SOA opnsense.localdomain. hostmaster.opnsense.localdomain. (
+ 2018121501
+ 28800
+ 7200
+ 864000
+ 3600 )
+@ NS localhost.
+{% if helpers.exists('OPNsense.bind.dnsbl.forcestrictbing') and OPNsense.bind.dnsbl.forcestrictbing == '1' %}
+www.bing.at IN CNAME strict.bing.com.
+www.bing.ch IN CNAME strict.bing.com.
+www.bing.com IN CNAME strict.bing.com.
+www.bing.de IN CNAME strict.bing.com.
+{% endif %}
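Review bot: Only `www.` names are rewritten in this zone, whereas duckduckgo.db in the same commit covers both the apex and `www`. If `bing.com` or a country domain not listed here answers searches directly instead of redirecting to a listed `www` host, the strict policy would not apply to it; this is worth confirming against Bing's SafeSearch documentation. A leading comment such as `; hosts rewritten to strict.bing.com - keep in sync with Bing's SafeSearch documentation` would record which names are covered on purpose.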
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/duckduckgo.db b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/duckduckgo.db
new file mode 100644
index 000000000..d374a8ccd
--- /dev/null
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/duckduckgo.db
@@ -0,0 +1,12 @@
+$TTL 86400
+@ IN SOA opnsense.localdomain. hostmaster.opnsense.localdomain. (
+ 2018111401
+ 28800
+ 7200
+ 864000
+ 3600 )
+@ NS localhost.
+{% if helpers.exists('OPNsense.bind.dnsbl.forcesafeduckduckgo') and OPNsense.bind.dnsbl.forcesafeduckduckgo == '1' %}
+duckduckgo.com IN CNAME safe.duckduckgo.com.
+www.duckduckgo.com IN CNAME safe.duckduckgo.com.
+{% endif %}
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 443367cb7..d27afa622 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -27,7 +27,7 @@ options {
{% endif %}
{% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}
- response-policy { {% if helpers.exists('OPNsense.bind.dnsbl.type') and OPNsense.bind.dnsbl.type != '' %}zone "whitelist.localdomain"; zone "blacklist.localdomain";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcesafegoogle') and OPNsense.bind.dnsbl.forcesafegoogle == '1' %}zone "rpzgoogle";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcesafeyoutube') and OPNsense.bind.dnsbl.forcesafeyoutube == '1' %}zone "rpzyoutube";{% endif %} };
+ response-policy { {% if helpers.exists('OPNsense.bind.dnsbl.type') and OPNsense.bind.dnsbl.type != '' %}zone "whitelist.localdomain"; zone "blacklist.localdomain";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcesafegoogle') and OPNsense.bind.dnsbl.forcesafegoogle == '1' %}zone "rpzgoogle";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcesafeduckduckgo') and OPNsense.bind.dnsbl.forcesafeduckduckgo == '1' %}zone "rpzduckduckgo";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcesafeyoutube') and OPNsense.bind.dnsbl.forcesafeyoutube == '1' %}zone "rpzyoutube";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcestrictbing') and OPNsense.bind.dnsbl.forcestrictbing == '1' %}zone "rpzbing";{% endif %} };
{% endif %}
{% if helpers.exists('OPNsense.bind.general.recursion') and OPNsense.bind.general.recursion != '' %}
@@ -38,15 +38,28 @@ options {
{% endfor %}
{% endif %}
-
{% if helpers.exists('OPNsense.bind.general.maxcachesize') and OPNsense.bind.general.maxcachesize != '' %}
max-cache-size {{ OPNsense.bind.general.maxcachesize }}%;
{% endif %}
-
{% if helpers.exists('OPNsense.bind.general.dnssecvalidation') and OPNsense.bind.general.dnssecvalidation != '' %}
dnssec-validation {{ OPNsense.bind.general.dnssecvalidation }};
{% endif %}
-
+{% if helpers.exists('OPNsense.bind.general.hidehostname') and OPNsense.bind.general.hidehostname == '1' %}
+ hostname none;
+{% endif %}
+{% if helpers.exists('OPNsense.bind.general.hideversion') and OPNsense.bind.general.hideversion == '1' %}
+ version none;
+{% endif %}
+{% if helpers.exists('OPNsense.bind.general.enableratelimiting') and OPNsense.bind.general.enableratelimiting == '1' %}
+{% if helpers.exists('OPNsense.bind.general.ratelimitcount') and OPNsense.bind.general.ratelimitcount != '' %}
+ rate-limit {
+ responses-per-second {{ OPNsense.bind.general.ratelimitcount }};
+{% if helpers.exists('OPNsense.bind.general.ratelimitexcept') and OPNsense.bind.general.ratelimitexcept != '' %}
+ exempt-clients { {{ OPNsense.bind.general.ratelimitexcept.replace(',', '; ') }}; };
+{% endif %}
+ };
+{% endif %}
+{% endif %}
};
key "rndc-key" {
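Review bot: The added `exempt-clients { {{ OPNsense.bind.general.ratelimitexcept.replace(',', '; ') }}; };` line copies the stored string into named.conf with only the commas rewritten, so the options block is only as safe as the model's validation of that field. The field type is not visible in this rendering of General.xml. If it is not restricted to IP addresses or networks, a value containing `;` or `}` would change the surrounding options, and a stray trailing comma would produce an empty list element that named may reject. It is worth confirming that the model uses an address-validating field type and recording that next to the line, e.g. `{# ratelimitexcept: comma-separated IPs, validated by the model #}`. The options block starts outside this hunk.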
@@ -76,11 +89,20 @@ zone "rpzgoogle" { type master; file "/usr/local/etc/namedb/master/google.db"; n
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}
+{% if helpers.exists('OPNsense.bind.dnsbl.forcesafeduckduckgo') and OPNsense.bind.dnsbl.forcesafeduckduckgo == '1' %}
+zone "rpzduckduckgo" { type master; file "/usr/local/etc/namedb/master/duckduckgo.db"; notify no; check-names ignore; };
+{% endif %}
+{% endif %}
+{% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}
{% if helpers.exists('OPNsense.bind.dnsbl.forcesafeyoutube') and OPNsense.bind.dnsbl.forcesafeyoutube == '1' %}
zone "rpzyoutube" { type master; file "/usr/local/etc/namedb/master/youtube.db"; notify no; check-names ignore; };
{% endif %}
{% endif %}
-
+{% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}
+{% if helpers.exists('OPNsense.bind.dnsbl.forcestrictbing') and OPNsense.bind.dnsbl.forcestrictbing == '1' %}
+zone "rpzbing" { type master; file "/usr/local/etc/namedb/master/bing.db"; notify no; check-names ignore; };
+{% endif %}
+{% endif %}
logging {
channel default_log {
file "/var/log/named/named.log" versions 3 size {{ OPNsense.bind.general.logsize }}m;
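Review bot: The two added stanzas for rpzduckduckgo and rpzbing each repeat the outer `{% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}` guard that the rpzyoutube stanza already uses; the rpzgoogle stanza, which starts outside this hunk, appears to do the same. Wrapping all RPZ zone stanzas in a single outer guard, with only the per-engine test inside, would shorten the template. It would also make it harder to add a future zone without the guard, which would leave it declared while the response-policy line in the options block does not reference it.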