Any way to block all DNS queries and whitelist some?

dreaper · 3 November 2023 05:45

Any way to block all DNS queries and whitelist some? This goes beyond the scope of URL filtering.

Say if I was an unfortunate Adobe user who required Windows. So, I only want to run Windows as a production machine and keep it isolated from the Internet as much as I can (and avoid MS and their shady updates along with it). But to use those shady Adobe apps, I am required to have a consistent Internet connection to periodically validate my shady ‘subscription’. So, I need to whitelist some of Adobe’s domains to make it work.

How would I make this work with IPfire? I am curious to see if this is possible.

EDIT:

I would also like to point out that I am doing this with two virtual machines with a NAT network in virtual box as a test.

zebulon · 3 November 2023 11:25

In my internal network I use Pi-hole IP for the clients and than let Pi-hole use IP-fire as dns.
Than I can blacklist or whitelist what and when I need it.

hvacguy · 3 November 2023 15:14

My first thought was use the proxy.
Second thought make firewall rule to allow comunication to Adobe.
Then block that pc from everything else

jon · 3 November 2023 17:48

I’ll add a shameless plug for something I have been ~~playing~~ experimenting with:

Instead of blocking DoH, you can use it to block MS.

Think of it as changing the topic title to MSblock - Blocking MS via RPZ.

Do you know the domain names (maybe with sub-domains) you want to block?

dreaper · 3 November 2023 21:36

Well, I’m looking to block literally everything on that Windows client; not just MS. And only allow what’s necessary to run Adobe’s crap.

dreaper · 3 November 2023 21:40

Well, for now, I am just doing this all with two virtual machines that are configured with a NAT network. IPFire is the DHCP for the client to get an IP address. But I use regular NAT for the IPfire VM to get to the Internet.

So, one VM is IPfire and the other being my Windows client where I want to block literally everything except for Adobe’s shady stuff.

But yes, I do have Pihole on my actual network.

dreaper · 3 November 2023 21:40

How would I go about doing that? The second thought.

hvacguy · 4 November 2023 01:07

Something like.
Rule 1
Source “pc” NAT destination “Adobe ip” could be network group.
Rule 2
Source “pc” NAT destination " Any " drop

Could add ports or service group to Rule 1
@jon has some other post that use firewall rules that are more sophisticated.
Using RPZ and ASN. Which is very cool.
But not through the WUI.

dreaper · 4 November 2023 01:30

I’d much rather avoid specifying a single IP address. Mainly because IP addresses do change. The apps themselves would use DNS as a means to validate with Adobe’s servers most likely.

hvacguy · 4 November 2023 09:28

That’s where what @jon did above is so amazing.
You could allow traffic to a specific Domain.
And block everything else from that client.
It’s just not built-in.

dreaper · 4 November 2023 22:38

Alright then. Guess I’ll look into that.

dreaper · 4 November 2023 22:42

So, can this be used to block all domains and whitelist a couple?

jon · 5 November 2023 03:00

For MS, you might be able to use this RPZ. I know nothing about the list so make sure you review before using!

https://raw.githubusercontent.com/hagezi/dns-blocklists/main/rpz/native.winoffice.txt

dreaper · 5 November 2023 03:35

Okay. But I want to block everything except for Adobe’s crap servers when Adobe’s shady subscription is validated.

gw-ipfire · 5 November 2023 11:21

hi
for block everything except for you want i have test this

server:
	module-config: "respip validator iterator"

rpz:
	name: allow
 	#zonefile: zonefiles/allow.rpz.zone
 	zonefile: /etc/unbound/zonefiles/allow.rpz.zone
	rpz-action-override: passthru
	rpz-log: yes 
	rpz-log-name: allow

rpz:
	name: block
 	#zonefile: block.rpz.zone
 	zonefile: /etc/unbound/zonefiles/block.rpz.zone
	rpz-action-override: nxdomain
	rpz-log: yes 
	rpz-log-name: block

in a block.rpz.zone

* CNAME .

all is block you do add site in allowlist for any ipfire update and other domain for you

ty

jon · 5 November 2023 15:43

This is massive overkill. Yes, you could do the above but it will probably render everything unusable.

@dreaper - you really need to specifically list what you want allowed and what you want blocked.

gw-ipfire · 5 November 2023 16:46

yes is overkill but no complicate a allowed domain
i have add many domain ipfire work fine
but if web ui is possible is the best
ty

jon · 6 November 2023 16:28

3 posts were merged into an existing topic: DoHblock - Blocking DNS over HTTPS via RPZ

dreaper · 6 November 2023 20:10

As I said, the machine is only going to be a production machine. So, massive overkill is what I want. Don’t worry. This is just something I’m testing in a virtual machine. Because maybe I could use a Raspberry Pi later on for a single machine to keep the machine completely isolated and then only allow certain things to be accessible.

In this test case, I just need it to call home to Adobe’s crap servers to validate a ‘subscription’ nothing else. Or, I could use something else that I want to whitelist.

dreaper · 6 November 2023 20:13

for block everything except for you want i have test this

That’s what I am I looking for. Block every domain and whitelist what I need.