ufdbGuard query plugin for DNS server BIND (named)

Filter internet access with a DNS server

The ufdbguard query plugin for the BIND named DNS server is an internet access filter.  The plugin uses the URL database of URLfilterDB, which can be extended with user-defined URL categories.  Any URL category can be used either to prohibit access or as a whitelist.  The plugin may be used within a view and hence also supports different filtering rules for different classes of users.

The filtering mechanism is simple: whenever a DNS client (a browser or other application) queries a forbidden domain name, the DNS server replies with DNS response code 3 (NXDOMAIN, domain does not exist) or response code 5 (REFUSED).  Once the domain lookup is blocked, browsers and applications cannot reach the blocked content, provided those applications are also prevented from using an alternative DNS server.  The Reference Manual contains a section on how to block DNS lookups over HTTPS and has firewall configuration suggestions.
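The following script is an added example (it is not part of the plugin or of URLfilterDB's software) that shows how an administrator can verify the behaviour described above from the client side: it builds a minimal DNS A query, parses the reply, and classifies response code 3 (NXDOMAIN) and 5 (REFUSED) as "blocked".  The sample replies at the bottom are constructed by hand so the script runs offline; the `probe()` function performs a live check against a resolver address you supply (the address, the domain names and the 192.0.2.10 answer are assumptions, not values from the page).

```python
"""Check a filtering resolver by interpreting DNS response codes.

RCODE 3 (NXDOMAIN) and RCODE 5 (REFUSED) are the two codes a ufdbGuard-style
DNS filter returns for a forbidden name.  Everything here is an added example;
the sample replies are constructed, not captured from a real server.
"""
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
BLOCKING_RCODES = {3, 5}
TXID = 0x1234  # fixed transaction id, fine for an offline example


def build_query(name: str, txid: int = TXID) -> bytes:
    """Encode a recursive A/IN query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(msg: bytes) -> dict:
    """Return txid, rcode, answer count and the queried name from a DNS reply."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    # Walk the question section to recover the name that was asked for.
    labels, pos = [], 12
    while True:
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0:  # a compression pointer inside the question is not expected
            raise ValueError("unexpected label compression in question")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return {"txid": txid, "rcode": rcode,
            "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
            "answers": ancount, "qname": ".".join(labels)}


def classify(parsed: dict) -> str:
    """'blocked' for NXDOMAIN/REFUSED, 'resolved' when an answer is present, else 'other'."""
    if parsed["rcode"] in BLOCKING_RCODES:
        return "blocked"
    if parsed["rcode"] == 0 and parsed["answers"] > 0:
        return "resolved"
    return "other"


def probe(resolver_ip: str, name: str, timeout: float = 2.0) -> str:
    """Live check: send the query over UDP/53 to `resolver_ip` and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    parsed = parse_response(data)
    if parsed["txid"] != TXID:
        raise ValueError("transaction id mismatch")
    return classify(parsed)


def _reply(name: str, rcode: int, answer: bytes = b"") -> bytes:
    """Build a constructed reply (QR=1, RD=1, RA=1) that echoes the question."""
    flags = 0x8180 | rcode
    question = build_query(name)[12:]
    header = struct.pack("!HHHHHH", TXID, flags, 1, 1 if answer else 0, 0, 0)
    return header + question + answer


# Constructed sample replies: one A record for an allowed name, two block replies.
SAMPLE_A_RR = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 10])
SAMPLE_BLOCKED = _reply("blocked.example", 3)   # NXDOMAIN
SAMPLE_REFUSED = _reply("blocked.example", 5)   # REFUSED
SAMPLE_ALLOWED = _reply("allowed.example", 0, SAMPLE_A_RR)

if __name__ == "__main__":
    for label, raw in (("nxdomain", SAMPLE_BLOCKED), ("refused", SAMPLE_REFUSED),
                       ("allowed", SAMPLE_ALLOWED)):
        p = parse_response(raw)
        print(f"{label:9s} {p['qname']:16s} {p['rcode_name']:9s} -> {classify(p)}")
```

Run it as-is to see the three constructed replies classified; call `probe("<resolver address>", "some.domain")` from a client that is only allowed to use the filtering resolver to confirm that a forbidden name comes back as `blocked` while a permitted name is `resolved`.  Treating both RCODE 3 and 5 as a block matters because the page allows either code, so a check that only looks for NXDOMAIN would misreport a resolver configured to answer REFUSED.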

High performance

The ufdbguard plugin is dynamically loaded into the named process and inspects all queries for forbidden domain names inside named, avoiding inter-process communication overhead.  The URL database is loaded into memory, so filtering DNS queries adds minimal overhead for the DNS server.  The core of the filter is the ufdbGuard API, which uses Intel/AMD AVX2 SIMD instructions and reaches 550,000 domain name classifications per second on a single thread of an AMD Ryzen 9 5950X CPU.

Supported versions

Since the plugin accesses internal data structures of the named process, and those data structures can have (minor but important) changes between patch versions of BIND named, there is a one-to-one compatibility relationship between versions of the plugin and versions of BIND named.  Therefore the plugin examines the named version when it is initialised and refuses to load when there is a version mismatch.

The versions of BIND named that are supported by the plugin are 9.16.40 (and higher) and 9.18.14 (and higher) on Red Hat Enterprise Linux 8 and 9 (and compatible distros) and Ubuntu 20.04 LTS and 22.04 LTS (and compatible distros).  ISC maintains BIND named and publishes packages regularly (roughly once per month) on COPR for RHEL and Launchpad for Ubuntu.  For ease of use, and to guarantee that compatible versions of the plugin and named can be downloaded from a single repository, URLfilterDB also builds BIND named packages from unmodified source code as released by ISC.  Note that RHEL and Ubuntu do not update their named packages with all code fixes and do not assign a unique version number (the output of named -v) to each patch release; therefore the plugin cannot be compatible with the standard named package on these distros.

Packages for the plugin are created in an automated process: whenever a new patch release of BIND named is published by its maintainer, new compatible plugin versions are built within a few hours and made available for download on the package repository servers of URLfilterDB.  Note that the DNS administrator always has full control over which versions of BIND named and the ufdbGuard plugin are installed.

See the Reference Manual for more information.