Congratulations on the DBL feature and upcoming DNS Firewall! Great stuff!
I’ve been using DNS filtering for blocking tracking, advertising and porn for many years. I really like the idea of using Suricata to catch traffic which might otherwise evade DNS blocking.
Unfortunately trying Suricata for blocking Ads/Tracking has revealed a major issue for me.
Occasionally I must manually allow a tracking domain for an app or IoT device to function (try using a Square payment terminal with DNS ad filtering!).
DNS based solutions usually make it easy for the administrator to identify which URL is blocked on which device/IP. From this information the admin can then add custom domains to an allow-list. (Ideally such an allow list also allows the admin to toggle individual domains from that list of exceptions on and off)
Unfortunately Suricata isn’t set up for this. When it blocks domains they’re simply reported as an IP, so an admin can’t:
trace them back to a DNS domain
find which DNS list included the domain; and
allow the specific domain if necessary
Have you thought about how this might be handled in Suricata in IPfire please?
Thank you!
PS: For now I can at least use Suricata with the Ipfire DBL porn list without issue. No exceptions needed there!
In my personal experience, it is impossible to come up with a ‘perfect’ list. Even if Tracking companies and Advertisers didn’t constantly change things, you must allow some domains you’d like to block for commonly used services to work. Even targeting your list at the majority of users (that is, ensuring “common” internet services work) will still result in the need for exceptions.
For example, a less common Sports streaming service in one country might require adobe tracking domains. You don’t want those domains enabled on most of your devices if possible (Adobe is a major internet tracking company). However, you might be willing to allow them on your smart devices so the streaming service will work. Excluding the smart devices from all Ad blocking by “whitelisting” them in the IDS is not an adequate compromise (in that situation you’d have no Ad blocking at all). You need to be able to specifically target and allow only the domains required (and ideally per-device).
I use two different DNS services today. An external (cloud hosted) DNS service which is configured on my “mobile” devices, those which leave my network. I also use an internal DNS filtering service. Both services offer the ability to allow or block specific URLs as exceptions. One of the two even allows me to build up per-host allow and block lists, which over time has resulted in a setup like another firewall with finely tuned rules.
You asked me to identify what domain was blocked in my example. This highlights the other problem - I cannot. Suricata reports an IP was blocked, but it’s not always possible to resolve an IP back to a DNS domain and even then, you don’t know that the DNS name returned is the one which was blocked in the block list (content delivery networks or IPs from major Cloud providers are a particular problem here).
In my situation a robot vacuum app suddenly stopped being able to connect to the internet. I knew that the only thing I’d changed was enabling the IPFire DBL Ad list. So I disabled that list and then was able to use the app.
Unfortunately it seems that Suricata just isn’t the right tool for this.
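The gap described above (an alert names only a destination IP, and one IP can stand for several domains behind a CDN) can be narrowed by correlating Suricata's alert events with the DNS answers the same client received shortly before. The following is an added example, not IPFire's code and not part of the thread: it reads constructed eve.json-style lines (the field layout of `event_type: dns`/`answers[].rdata` and `event_type: alert` is modelled on Suricata's EVE output, but the log lines, IPs, domain names and list contents are all made up), builds an index of (client, resolved IP) to the query names that produced that IP, and then reports for every alert which candidate domains explain it and which of those appear in a (hypothetical) blocklist. It assumes the sensor sees the client's DNS traffic; where it does not, the candidate list comes back empty, which is the "cannot trace it back" case in the post.

```python
import json
from collections import defaultdict

# Constructed sample lines in the style of Suricata's eve.json (not real logs).
# Two different query names resolved to 203.0.113.10 for the same client, which is
# the shared-CDN ambiguity described in the thread.
SAMPLE_EVE = r'''
{"timestamp":"2024-01-01T10:00:01","event_type":"dns","src_ip":"10.0.0.23","dest_ip":"10.0.0.1","dns":{"type":"answer","rrname":"telemetry.example-tracker.test","rcode":"NOERROR","answers":[{"rrname":"telemetry.example-tracker.test","rrtype":"CNAME","rdata":"cdn.example-cloud.test"},{"rrname":"cdn.example-cloud.test","rrtype":"A","rdata":"203.0.113.10"}]}}
{"timestamp":"2024-01-01T10:00:02","event_type":"dns","src_ip":"10.0.0.23","dest_ip":"10.0.0.1","dns":{"type":"answer","rrname":"www.example-shop.test","rcode":"NOERROR","answers":[{"rrname":"www.example-shop.test","rrtype":"A","rdata":"203.0.113.10"}]}}
{"timestamp":"2024-01-01T10:00:03","event_type":"alert","src_ip":"10.0.0.23","dest_ip":"203.0.113.10","alert":{"signature":"HYPOTHETICAL ads list hit","category":"Misc"}}
{"timestamp":"2024-01-01T10:00:04","event_type":"alert","src_ip":"10.0.0.42","dest_ip":"198.51.100.7","alert":{"signature":"HYPOTHETICAL ads list hit","category":"Misc"}}
'''

# Hypothetical blocklists keyed by list name; entries are domains (parents match subdomains).
LISTS = {
    "ads": {"example-tracker.test", "telemetry.example-tracker.test"},
    "porn": {"adult.example.test"},
}


def parse_events(lines):
    """Yield parsed JSON events, skipping blank lines."""
    for line in lines:
        line = line.strip()
        if line:
            yield json.loads(line)


def build_dns_index(events):
    """Map (client_ip, resolved_ip) -> set of query names that produced that address.

    The query name (dns.rrname) is what the client asked for, so it is the name a
    DNS-based filter would have matched; the A/AAAA rdata is what later shows up
    as dest_ip in an alert.
    """
    index = defaultdict(set)
    for ev in events:
        if ev.get("event_type") != "dns":
            continue
        dns = ev.get("dns", {})
        if dns.get("type") != "answer":
            continue
        query_name = dns.get("rrname")
        for ans in dns.get("answers", []):
            if ans.get("rrtype") in ("A", "AAAA") and query_name:
                index[(ev["src_ip"], ans["rdata"])].add(query_name)
    return index


def list_hits(name, lists):
    """Return the names of the lists that contain `name` or one of its parent domains."""
    labels = name.split(".")
    suffixes = {".".join(labels[i:]) for i in range(len(labels))}
    return [list_name for list_name, entries in sorted(lists.items()) if suffixes & entries]


def explain_alerts(lines, lists):
    """For each alert, list candidate domains for dest_ip and which lists they are on."""
    events = list(parse_events(lines))
    index = build_dns_index(events)
    results = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        candidates = sorted(index.get((ev["src_ip"], ev["dest_ip"]), set()))
        listed = {c: hits for c in candidates if (hits := list_hits(c, lists))}
        results.append({
            "client": ev["src_ip"],
            "dest_ip": ev["dest_ip"],
            "signature": ev["alert"]["signature"],
            "candidates": candidates,   # empty -> no DNS evidence seen for this client/IP
            "listed": listed,           # candidate -> lists that would have blocked it
        })
    return results


if __name__ == "__main__":
    for r in explain_alerts(SAMPLE_EVE.splitlines(), LISTS):
        print(r)
```

For the first alert the output names both `telemetry.example-tracker.test` and `www.example-shop.test` as candidates and flags only the first as listed, which is the information an admin needs to add a targeted allow entry for that client rather than disabling the whole list; the second alert has no candidates because the sample contains no DNS answer for that client, so the IP alone cannot be traced back.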
I understand but this thread is specifically about using Suricata. I thought it was a novel idea to use an IPS for Ad blocking, but as we have discussed it’s unfortunately not suitable in most situations.
With the upcoming Core Update 201 we will introduce the DNS firewall component. It will have the missing ability of custom allow/blocklisting and will provide better logging of which domain has been requested/blocked by a client.
The update should show up very early in pakfire (testing). The testing announcement should also appear in the next days.