Pakfire for DNS Blackholing?

Hi,

Is there a Pakfire for doing DNS blackholing like the Pi-Hole?

Specifically I’d like to import lists like OpenPhish to stop any urls in phishing emails from being resolved by the ipfire DNS.

Thanks :slight_smile:

I don’t know if it actually works at this point.

Thanks, but not an official Pakfire right?

Yes, no official package. Maybe the developer of it can say more (if he is reading this), I don’t know.

Thanks, that is sad news. I wonder why? It is extremely useful and powerful functionality

3 Likes

Ah yes! Yep, I’m not seeking a full blown pi-hole baked into ipfire, I’m happy with ipfire’s DNS system, I just need that ability to continuously update lists of known nasty domains to blackhole, it’s a great method of protecting users behind ipfire. OFC it’s not a be all solve all, but it protects the casual (non diligent) user from some silly brain fart email clicks.

It is not difficult at all. It’s as simple as pulling the list (usually hosted on github or somewhere like that) and parsing the list loading each entry into /etc/hosts

Honestly if I had some experience to build a Pakfire I would do it, but unfortunately it’s not my game.

I had only brought up the thread because the things said there are already present in ipfire webproxy/urlfilter, last I understood the discussion, so that from a developer point of view it is recommended to use this.

1 Like

webproxy/urlfiltering to my knowledge (which extends as far as me reading the ipfire wiki and googling transparent vs non-transparent squids :joy:) requires configuring a non-transparent proxy for https domains. Which is messy and not needed when simple DNS blackholing can be done.

That’s right. Only as I understood it, the way favored by the devops (I’m not one of that).

1 Like

I tried GitHub - sfeakes/ipfire-scripts: Scripts for ipfire and it works. In the script you need to remove some obsolete hostlists. No idea why IPFire developers won’t fork this great script and create a more convenient Pakfire. I don’t really know how a proxy would be useful. IPFire wiki only shows a useless example of proxy. To hide the real HTTP header. Really? How is that supposed to be useful nowadays??

What else could people do with proxy?

Yes I agree. I was going to do this using suricata (because already I see suricata blackholing suspicious TLDs) but I have come to the conclusion that using the IPS/IDS for this task will consume much more resources than simple blackholing in hosts.

I too am going to deploy that script, I think it’s great. I’m not really interested in proxies.
IPS/IDS + DNS blackholing is where it’s all at.

Stopping people looking at porn is a different kettle of fish, one I’m not super interested in. Mostly interested in stopping dodgy URLs.

I guess proxies are good for logging access and data loss prevention scenarios (i.e. leaking of company documents) but with cameras on smart phones nowadays someone just takes a picture of the document and transports it on their personal non-corporate network anyway.

@whypenguinsquint did you have to do any other edits? It doesn’t seem to get any output from the phishing.army list for me

./dns_blocklist.sh -s 1 -r 127.0.0.1 -u 
Retreiving list from:- https://phishing.army/download/phishing_army_blocklist_extended.txt
0
Cleaning & Sorting list of 0 entries
Writing list of 0 entries to unbound configuration
Stopping Unbound DNS Proxy...                                                                                                           [  OK  ]
Starting Unbound DNS Proxy...                                                                                                           [  OK  ]
./dns_blocklist.sh: Blocked Hosts Update, 0 hosts blocked

Edit: I got this working by adjusting that awk for the list not prefixed with IPs.

Just a few thoughts to this topic.

  • If you use a DNS filter, you must force all clients to use the DNS proxy/server in your IPFire system. That’s equivalent to a non-transparent proxy.
  • With a DNS filter you can only catch requests for URLs, proxy related solutions allow blocking of IPs also.
  • There is some effort to maintain the set of lists. Is there anybody to do this?
  • How is the efficiency of the search algorithm for those lists in unbound?
    The normal work is “search a limited list of URLs used, if nothing is found ask an upstream DNS server for exactly one URL”.

Everyone is assigned the ipfire DNS server via DHCP anyway unless in your DHCP you are specifying another server. But I guess it is essentially a proxy for DNS, yeah.

That is true, and some thought also needs to be given to DoH which will bypass our specified DNS completely. But also you need to look at what’s trying to be achieved. In my case I am trying to stop clicks on phishing URLs. Typically someone isn’t sending a url like https://101.123.45.6/bad_url.html in a phishing link. Of course if we are trying to actively stop someone from going to a site then DNS is not the answer. This is about protection not enforcement, that’s the key difference I think. Not stopping someone who is determined to access something, protecting them from accidentally accessing something they shouldn’t.

Phishing.army list is updated every 6 hours (https://phishing.army/) and so we just set a cron to update automatically. I also have a whitelist of mission critical domains so that if some silly bugger puts key domains in the list they don’t get neutered.

That is a good question, I don’t know that.
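The two practical problems raised above, lists that are bare domains rather than "IP host" lines (the awk adjustment for phishing.army) and a whitelist of mission-critical domains that must never be neutered, as an added example. This is not the sfeakes dns_blocklist.sh and not IPFire code; the list contents, the whitelist and the domain names are constructed sample data, and in production the heredocs would be replaced by curl/wget output.

```shell
#!/bin/bash
# Added example for this thread; it is not the sfeakes dns_blocklist.sh and not
# IPFire code. It converts block lists of either format into unbound
# "static" local-zones and protects a whitelist of domains.
# All input below is constructed sample data.

# Read one block list on stdin, print one lowercase domain per line.
# Accepts "0.0.0.0 host" / "127.0.0.1 host" (hosts files), bare "host"
# (phishing.army) and "||host^" (adblock syntax). Comments, blank lines,
# localhost entries and anything not shaped like a hostname are dropped.
normalize_list() {
    awk '
    {
        sub(/\r$/, ""); sub(/#.*/, "")                     # CRLF and comments
        if (NF == 0) next
        host = ($1 ~ /^(0\.0\.0\.0|127\.0\.0\.1|::1?)$/) ? $2 : $1
        sub(/^\|\|/, "", host); sub(/\^.*$/, "", host)      # "||host^" form
        host = tolower(host)
        if (host ~ /^(localhost|localhost\.localdomain|local|broadcasthost|ip6-[a-z]+)$/) next
        if (host !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) next
        print host
    }'
}

# Read domains on stdin, drop any that equal or sit below a whitelisted domain
# (file given as $1, one domain per line), and print unbound local-zone lines.
# "static" makes unbound answer NXDOMAIN itself instead of forwarding, the
# same effect the sed in call_dnsblock.sh earlier in the thread produces.
to_unbound_conf() {
    sort -u | awk -v wl="$1" '
    BEGIN {
        if (wl != "") while ((getline line < wl) > 0) {
            sub(/#.*/, "", line); gsub(/[[:space:]]/, "", line)
            if (line != "") allow[tolower(line)] = 1
        }
    }
    {
        d = $0
        while (d != "") {              # a.b.example -> b.example -> example
            if (d in allow) next
            i = index(d, "."); d = (i > 0) ? substr(d, i + 1) : ""
        }
        printf "local-zone: \"%s\" static\n", $0
    }'
}

# Constructed sample lists (mixed formats, as the thread ran into).
demo_lists() {
    cat <<'EOF'
# hosts-format list, as adaway / StevenBlack ship it
127.0.0.1 localhost
0.0.0.0 ads.example.net   # trailing comment
0.0.0.0 Tracker.Example.ORG
# bare-domain list, as phishing.army ships it
login-verify.example.com
ads.example.net
||banner.example.net^
not a hostname
EOF
}

# Constructed whitelist: domains that must never be blocked, whatever a list says.
demo_whitelist() {
    printf '%s\n' '# keep corporate mail and all its sub-domains working' 'example.com'
}

# Run the pipeline over the sample data and print the generated config.
demo_conf() {
    wl="$(mktemp)"
    demo_whitelist > "$wl"
    demo_lists | normalize_list | to_unbound_conf "$wl"
    rm -f "$wl"
}

demo_conf
```

On an IPFire box the output of `demo_conf` would be written to a file in /etc/unbound/local.d/ (blocklist.conf in the thread); run `unbound-checkconf` before `/etc/init.d/unbound restart` so that a malformed or empty download cannot take the resolver down, and keep the previous file until the check passes.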

Setting the DNS server in DHCP isn’t enough.
Each application is free to use this or not to use it. Searching the traffic for DNS requests shows that many apps for smartphones (for example) just don’t use the IPFire DNS server, but 8.8.8.8 directly.
There is a development in the IPFire community active to force these requests to the ‘right’ server.

Yes correct, just as the user can use a VPN and funnel their DNS to the VPN one. However again, this isn’t enforcement. This is protection against a very specific scenario/s. If a user gets an email with a link, they click the link and what most likely occurs? It will open the browser yes? And so generally, unless you’re in the USA and using Firefox which has DoH on by default (maybe other browsers do too now, I haven’t looked that much into it yet), I think the browser will just use whatever the system DNS is. Same for drive-by links that are popping up in google searches.

Just tried it with the Fire tablet of my wife.
Have installed the DNS redirections discussed in another thread, I can see all DNS requests are targeted to Google ( 8.8.8.8 ). Thus a DNS filtering without forcing would be useless.

Sure, Chromecast does the same thing as a countermeasure against geo unlocking.

There are ways around this such as routing 8.8.8.8 elsewhere. If you have fire tablets or chromecast devices on your network that you have to worry about then you would do such things. It’s a similar kind of mitigation as for DoH. This does not require a proxy, it’s a firewall/iptables job.
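The iptables job described above, as an added example that is not IPFire’s own firewall.local and not part of the thread: plain DNS from green to any outside resolver is DNATed to the firewall’s own unbound, so a device that hard-codes 8.8.8.8 still gets the block list applied. It assumes IPFire loads custom rules from /etc/sysconfig/firewall.local and provides the CUSTOMPREROUTING (nat) and CUSTOMFORWARD chains, and that the green interface is green0 at 192.168.1.1; both values are placeholders to adjust.

```shell
#!/bin/bash
# Added example for this thread; it is not IPFire's own firewall.local.
# Clients that hard-code 8.8.8.8 (Fire tablets, Chromecast) are sent to the
# firewall's own unbound instead, so the block list applies to them too.
# Assumptions: custom rules are loaded from /etc/sysconfig/firewall.local,
# the CUSTOMPREROUTING (nat) and CUSTOMFORWARD chains exist, and the green
# interface is green0 with address 192.168.1.1 (placeholders, adjust both).
GREEN_IF="${GREEN_IF:-green0}"
GREEN_IP="${GREEN_IP:-192.168.1.1}"

# Print the iptables commands instead of running them, so they can be reviewed
# (or diffed against the live ruleset) before apply_dns_redirect executes them.
# $1 is the iptables action: -A to install, -D to remove.
dns_redirect_rules() {
    action="$1"
    for proto in udp tcp; do
        # Plain DNS from green to anything but the firewall itself -> DNAT to
        # unbound. conntrack rewrites the replies on the way back, so the
        # client still believes it talked to 8.8.8.8.
        printf 'iptables -t nat %s CUSTOMPREROUTING -i %s -p %s --dport 53 ! -d %s -j DNAT --to-destination %s:53\n' \
            "$action" "$GREEN_IF" "$proto" "$GREEN_IP" "$GREEN_IP"
    done
    # DNS-over-TLS (853) cannot be redirected to a resolver that lacks the
    # expected certificate; reject it so clients fall back to plain DNS.
    # DoH on 443 looks like ordinary HTTPS and is not covered by this rule.
    printf 'iptables %s CUSTOMFORWARD -i %s -p tcp --dport 853 -j REJECT --reject-with tcp-reset\n' \
        "$action" "$GREEN_IF"
}

# Execute the generated rules; refuses to run without root or iptables.
apply_dns_redirect() {
    action="${1:--A}"
    [ "$(id -u)" -eq 0 ] || { echo "need root" >&2; return 1; }
    command -v iptables >/dev/null || { echo "iptables not found" >&2; return 1; }
    dns_redirect_rules "$action" | while IFS= read -r cmd; do
        echo "$cmd"
        eval "$cmd"
    done
}

# firewall.local-style entry point: "start" installs, "stop" removes,
# anything else is a dry run that only prints the rules.
case "${1:-}" in
    start) apply_dns_redirect -A ;;
    stop)  apply_dns_redirect -D ;;
    *)     dns_redirect_rules -A ;;
esac
```

Run without arguments to see the rules; `iptables -t nat -L CUSTOMPREROUTING -n -v` afterwards shows the packet counters climbing when a device on green tries 8.8.8.8. A client that pins the resolver’s certificate or uses DoH is not caught, which is the same limit the thread already notes.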

Here’s an example how you apply dns_blocklist.sh

  1. I deleted some obsolete hosts inside dns_blocklist.sh. The remaining ones would be
BLOCK_HOST_URLS=( \
                  https://adaway.org/hosts.txt \
                  http://winhelp2002.mvps.org/hosts.txt \
                  https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts \
                  http://sysctl.org/cameleon/hosts \
                  https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt \
                  https://easylist.to/easylist/easylist.txt \
                  https://easylist.to/easylist/fanboy-annoyance.txt \
               )
  2. Create another shellscript call_dnsblock.sh
#!/bin/bash

# 1-7 are the BLOCK_HOST_URLS indices kept in dns_blocklist.sh; the quoted URLs are extra lists
bash /root/dns_blocklist.sh -s 1,2,3,4,5,6,7,\
"https://easylist.to/easylistgermany/easylistgermany.txt",\
"https://easylist.to/easylist/easyprivacy.txt",\
"https://easylist.to/easylist/fanboy-social.txt",\
"https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/extra.txt",\
"https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt",\
"https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt",\
"https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt",\
"https://raw.githubusercontent.com/AdguardTeam/AdguardFilters/master/MobileFilter/sections/adservers.txt" \
  && sed -i 's/local-data/local-zone/g; s/[[:space:]]A 127.0.0.1"/" static/g' /etc/unbound/local.d/blocklist.conf \
  && /etc/init.d/unbound restart

Instead of the argument -r 0.0.0.0 I used sed ... as you can see above. You may add some other filter lists as you like. 1,2,3,4,5,6,7 are the selected HOST_URLs found inside dns_blocklist.sh
  3. Execute chmod 755 dns_blocklist.sh && chmod 755 call_dnsblock.sh
  4. Execute ./call_dnsblock.sh
  5. Execute fcrontab -e
  6. Hit Insert and type
# Update DNS blocking lists at 23:30
30 23 * * * bash /root/call_dnsblock.sh
somewhere.
  7. Hit Escape, type :wq
  8. ???
  9. profit

Feel free to suggest some improvements. You may also add whitelist and blacklist arguments as you need for your usecases. See upstream’s github.