Pakfire for DNS Blackholing?

Yes I agree. I was going to do this using suricata (because I already see suricata blackholing suspicious TLDs) but I have come to the conclusion that using the IPS/IDS for this task will consume much more resources than simple blackholing in hosts.

I too am going to deploy that script, I think it’s great. I’m not really interested in proxies.
IPS/IDS + DNS blackholing is where it’s all at.

Stopping people looking at porn is a different kettle of fish, one I’m not super interested in. Mostly interested in stopping dodgy URLs.

I guess proxies are good for logging access and data loss prevention scenarios (i.e. leaking of company documents) but with cameras on smart phones nowadays someone just takes a picture of the document and transports it on their personal non-corporate network anyway.

@whypenguinsquint did you have to do any other edits? It doesn’t seem to get any output from the phishing.army list for me

./dns_blocklist.sh -s 1 -r 127.0.0.1 -u 
Retreiving list from:- https://phishing.army/download/phishing_army_blocklist_extended.txt
0
Cleaning & Sorting list of 0 entries
Writing list of 0 entries to unbound configuration
Stopping Unbound DNS Proxy...                                                                                                           [  OK  ]
Starting Unbound DNS Proxy...                                                                                                           [  OK  ]
./dns_blocklist.sh: Blocked Hosts Update, 0 hosts blocked

Edit: I got this working by adjusting that awk for the list not prefixed with IPs.

Just a few thoughts to this topic.

  • If you use a DNS filter, you must force all clients to use the DNS proxy/server in your IPFire system. That’s equivalent to a non-transparent proxy.
  • With a DNS filter you can only catch requests for URLs; proxy-related solutions allow blocking of IPs also.
  • There is some effort to maintain the set of lists. Is there anybody to do this?
  • How is the efficiency of the search algorithm for those lists in unbound?
    The normal work is “search a limited list of URLs used; if nothing is found, ask an upstream DNS server for exactly one URL”.

Everyone is assigned the ipfire DNS server via DHCP anyway unless in your DHCP you are specifying another server. But I guess it is essentially a proxy for DNS, yeah.

That is true, and some thought also needs to be given to DoH which will bypass our specified DNS completely. But also you need to look at what’s trying to be achieved. In my case I am trying to stop clicks on phishing URLs. Typically someone isn’t sending a url like https://101.123.45.6/bad_url.html in a phishing link. Of course if we are trying to actively stop someone from going to a site then DNS is not the answer. This is about protection not enforcement, that’s the key difference I think. Not stopping someone who is determined to access something, but protecting them from accidentally accessing something they shouldn’t.

Phishing.army list is updated every 6 hours (https://phishing.army/) and so we just set a cron to update automatically. I also have a whitelist of mission critical domains so that if some silly bugger puts key domains in the list they don’t get neutered.

That is a good question, I don’t know that.

Setting the DNS server in DHCP isn’t enough.
Each application is free to use this or not to use it. Searching the traffic for DNS requests shows that many apps for smartphones (for example) just don’t use the IPFire DNS server, but 8.8.8.8 directly.
There is a development in IPFire community active to force these requests to the ‘right’ server.

Yes correct, just as the user can use a VPN and funnel their DNS to the VPN one. However again, this isn’t enforcement. This is protection against a very specific scenario/s. If a user gets an email with a link, they click the link and what most likely occurs? It will open the browser, yes? And so generally, unless you’re in the USA and using Firefox which has DoH on by default (maybe other browsers do too now, I haven’t looked that much into it yet), I think the browser will just use whatever the system DNS is. Same for drive-by links that are popping up in google searches.

Just tried it with the Fire tablet of my wife.
Have installed the DNS redirections discussed in another thread; I can see all DNS requests are targeted to Google (8.8.8.8). Thus DNS filtering without forcing would be useless.

Sure, Chromecast does the same thing as a countermeasure against geo unlocking.

There are ways around this such as routing 8.8.8.8 elsewhere. If you have fire tablets or chromecast devices on your network that you have to worry about then you would do such things. It’s a similar kind of mitigation to the one for DoH. This does not require a proxy, it’s a firewall/iptables job.

Here’s an example of how to apply dns_blocklist.sh:

  1. I deleted some obsolete hosts inside dns_blocklist.sh. The remaining ones would be
BLOCK_HOST_URLS=( \
                  https://adaway.org/hosts.txt \
                  http://winhelp2002.mvps.org/hosts.txt \
                  https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts \
                  http://sysctl.org/cameleon/hosts \
                  https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt \
                  https://easylist.to/easylist/easylist.txt \
                  https://easylist.to/easylist/fanboy-annoyance.txt \
               )
  2. Create another shell script call_dnsblock.sh
#!/bin/bash
# Build the unbound blocklist from HOST_URLs 1-7 of dns_blocklist.sh plus the extra lists given by URL,
# then rewrite the generated "local-data ... A 127.0.0.1" records into static local-zone entries
# (NXDOMAIN instead of 127.0.0.1) and restart unbound so the new zones are loaded.
bash /root/dns_blocklist.sh -s 1,2,3,4,5,6,7,"https://easylist.to/easylistgermany/easylistgermany.txt","https://easylist.to/easylist/easyprivacy.txt","https://easylist.to/easylist/fanboy-social.txt","https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/extra.txt","https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt","https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt","https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt","https://raw.githubusercontent.com/AdguardTeam/AdguardFilters/master/MobileFilter/sections/adservers.txt" \
  && sed -i 's/local-data/local-zone/g; s/[[:space:]]A 127.0.0.1"/" static/g' /etc/unbound/local.d/blocklist.conf \
  && /etc/init.d/unbound restart

     Instead of the argument -r 0.0.0.0 I used sed ... as you can see above. You may add some other filter lists as you like. 1,2,3,4,5,6,7 are the selected HOST_URLs found inside dns_blocklist.sh.
  3. Execute chmod 755 dns_blocklist.sh && chmod 755 call_dnsblock.sh
  4. Execute ./call_dnsblock.sh
  5. Execute fcrontab -e
  6. Hit Insert and type
# Update DNS blocking lists at 23:30
30 23 * * * bash /root/call_dnsblock.sh
     somewhere.
  7. Hit Escape, type :wq
  8. ???
  9. profit

Feel free to suggest some improvements. You may also add whitelist and blacklist arguments as you need for your use cases. See upstream’s GitHub.

This script will block the ad hosts for all clients of GREEN interface. As I use only RED and GREEN, I didn’t test on BLUE. Got no idea how to restrict the script to apply only to a few selected clients.
As for the other questions ask upstream or study the script dns_blocklist.sh yourself.
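As an added example (my own code, not dns_blocklist.sh, its upstream, or anything shipped by IPFire), here is the rewrite that the sed in call_dnsblock.sh performs, done as a shell function that also honours a whitelist of mission-critical domains as mentioned earlier in the thread. It assumes the input is the local-data format dns_blocklist.sh writes (local-data: "host A 127.0.0.1") and relies on unbound's documented behaviour that a static local-zone answers NXDOMAIN for the zone name and for every name below it; that is why a whitelisted subdomain has to remove its blocked parent, not just an exact duplicate. The function names and the sample lines in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from dns_blocklist.sh, its upstream, or IPFire.
# Rewrite the "local-data" lines that dns_blocklist.sh writes into static
# local-zone entries (the same transformation the sed in call_dnsblock.sh does),
# while honouring a whitelist of domains that must never be blocked.
#
# Why the whitelist needs more than an exact match: unbound answers NXDOMAIN for a
# static zone AND for everything below it, so blocking "example.com" would also
# break a whitelisted "mail.example.com". A blocked name is therefore dropped when
# it equals a whitelisted name or is a parent domain of one.
to_static_zones() {
    # $1: whitelist file, one domain per line, # comments allowed
    # stdin:  local-data: "bad.example.net A 127.0.0.1"
    # stdout: local-zone: "bad.example.net" static
    awk -v wl="$1" '
        BEGIN {
            while ((getline line < wl) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t\r]/, "", line)
                if (line != "") keep[tolower(line)] = 1
            }
            close(wl)
        }
        /^local-data:[ \t]*"[^" \t]+[ \t]+(A|AAAA)[ \t]+[^"]+"/ {
            name = $0
            sub(/^local-data:[ \t]*"/, "", name)   # cut the prefix
            sub(/[ \t].*$/, "", name)              # keep only the owner name
            name = tolower(name); sub(/\.$/, "", name)
            for (w in keep) {
                # exact match, or name is a parent of a whitelisted domain
                if (w == name || substr(w, length(w) - length(name)) == "." name) next
            }
            printf "local-zone: \"%s\" static\n", name
        }'
}

# Constructed sample: two whitelisted names, four blocked names, one comment line.
demo_static_zones() {
    wl=$(mktemp)
    printf '%s\n' 'mail.example.com' '# keep the corporate directory reachable' 'Good.Example.org' > "$wl"
    printf '%s\n' \
        'local-data: "bad.example.net A 127.0.0.1"' \
        'local-data: "example.com A 127.0.0.1"' \
        'local-data: "good.example.org A 127.0.0.1"' \
        'local-data: "sub.bad.example.net A 127.0.0.1"' \
        '# comment written by the generator' | to_static_zones "$wl"
    rm -f "$wl"
}

# Stand-alone use: ./to_static_zones.sh whitelist.txt < blocklist.conf
if [ "$#" -gt 0 ]; then to_static_zones "$1"; fi
```

Running demo_static_zones prints only bad.example.net and sub.bad.example.net: example.com is dropped because it would shadow the whitelisted mail.example.com, and good.example.org is dropped as an exact (case-insensitive) match. Feed the output to /etc/unbound/local.d/blocklist.conf in place of the sed step and restart unbound as the post already does.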

This can never be accepted.
Either the shell script builds the config file with the right contents or it should not be run.
Correcting errors by a second script isn’t really safe.
Just my 2c

I don’t get what you mean. Instead of changing the file dns_blocklist.sh you can just select working host lists with 1,3,6,7,14 and so on, for example.
Did you even read the latest upstream change? It was 2016. So of course some lists would change since then. It is up to you if you want to use the script or not. Some people just need a Pi-hole inside IPFire.

I do know, what the script does.
It parses the block lists and generates “false” answers for unbound. But this is useless if the requestor (the app on the client) doesn’t use unbound in IPFire! Therefore you must force all clients to use the DNS server of your IPFire installation.

If you don’t want to force all clients then use a proxy. My use case is OK with the script mentioned above.

Working good for me, I just had to modify the awk so it would accept the phishing.army list but got it going gangbusters.

Nice to hear.
And how do you manage the passing by applications in your net?
Every DNS request using 8.8.8.8 isn’t blocked by your solution.


I don’t need to manage it because people aren’t getting phished streaming to their chromecast and I’ve never seen a Fire tablet in my life.

Usually smartphones do the same things. :wink:

If you only have clients connected to GREEN ( ethernet ) and fully administered by you, that solution can work.
I didn’t dig too deep in the sources yet, therefore I cannot say anything about effectiveness nor about efficiency.

Could you please show where you did the awk adjustment and how? I am not familiar with awk.
I guess you could do "sed -i 's/^/127.0.0.1 /' host.txt" but then some lists would get a double 127.0.0.1, which we don’t want.

Sure, I’m also not familiar I just took out the bit I figured was looking for IP.

Turns out I removed the awk and just let it parse each line. This is the code I have:

  # The awk that used to sit after curl is gone: the raw list is appended as-is and the
  # script's later clean/sort step has to cope with every line. Note that -v together with
  # --stderr - sends curl's verbose trace to stdout as well, so those lines land in the temp file too.
  curl -v --max-time 30 --connect-timeout 5 --silent "$1" --stderr - >> "$TMP_HOSTS_FILE"
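Since the question above is how to accept both a list prefixed with IPs and one that is not, here is an added example (my own, not the upstream dns_blocklist.sh code) of a normaliser that turns either format into one bare domain per line. It assumes the two formats seen in this thread (hosts-style "0.0.0.0 host" / "127.0.0.1 host" and bare domains as in the phishing.army list), strips comments, CRLF line ends and the loopback names every hosts file carries, and also drops the curl verbose trace lines (starting with *, <, > or {) that end up in the temp file when -v is combined with --stderr - as in the snippet above. The function names and the sample lines in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from dns_blocklist.sh or its upstream.
# Turn a block list in either of the formats seen in this thread into a sorted,
# de-duplicated list of bare domains, one per line:
#   - hosts format:   "0.0.0.0 host" or "127.0.0.1 host" (several hosts per line allowed)
#   - bare domains:   "host" (phishing.army style)
# Comments, blank lines, CRLF line ends, the loopback names every hosts file carries,
# and the curl -v trace lines that land in the file when --stderr - is used are dropped.
normalize_hostlist() {
    # $1: input file; output goes to stdout
    LC_ALL=C tr -d '\r' < "$1" | LC_ALL=C awk '
        /^[*<>{}]/ { next }                  # curl verbose trace: "* Trying", "> GET", "< HTTP", "{ [data"
        {
            sub(/#.*/, "")                   # strip full-line and inline comments (re-splits fields)
            if (NF == 0) next
            # an IPv4 or IPv6 address in the first field means hosts format: domains start at $2
            if ($1 ~ /^[0-9.]+$/ || $1 ~ /:/) { first = 2 } else { first = 1 }
            for (i = first; i <= NF; i++) {
                d = tolower($i)
                sub(/\.$/, "", d)            # drop trailing dot
                if (d ~ /^(localhost|localhost\.localdomain|local|broadcasthost|ip6-[a-z]+)$/) continue
                # valid label structure and at least one dot, otherwise it is not a hostname
                if (d !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) continue
                print d
            }
        }' | LC_ALL=C sort -u
}

# Constructed sample mixing both formats plus the noise described above.
demo_normalize() {
    tmp=$(mktemp)
    printf '%s\n' \
        '# phishing.army style list: bare domains, comments allowed' \
        'Evil.Example.com' \
        'evil.example.com.' \
        '0.0.0.0 ads.example.net # inline comment' \
        '127.0.0.1 localhost' \
        '127.0.0.1 tracker.example.org second.example.org' \
        '::1 localhost ip6-localhost' \
        '* Trying 192.0.2.1...' \
        '> GET /hosts.txt HTTP/1.1' \
        '< HTTP/1.1 200 OK' \
        '{ [data not shown]' \
        'not a domain!!' > "$tmp"
    normalize_hostlist "$tmp"
    rm -f "$tmp"
}

# Stand-alone use: ./normalize_hostlist.sh downloaded_list.txt
if [ "$#" -gt 0 ]; then normalize_hostlist "$1"; fi
```

demo_normalize yields exactly ads.example.net, evil.example.com, second.example.org and tracker.example.org: the two spellings of evil.example.com collapse into one entry, the loopback names and the curl trace are gone, and "not a domain!!" is rejected by the label check. Piping the downloaded file through normalize_hostlist before the script's own clean/sort step makes the IP-prefixed and bare-domain lists look the same to the rest of dns_blocklist.sh.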