network/vlan wide domain blocking

Red Squirrel, [H]F Junkie, joined Nov 29, 2009, 9,211 messages
Been toying with the idea of setting up something where I can block hostnames such as ad servers and privacy infringement related hosts, basically like a hosts file, but something I can set up on a per VLAN basis. (It can be the same list, I just want to be able to turn it on/off per VLAN.) I run pfSense and I also run my own local DNS. There are various sites where these lists are made public, so I'd probably write a parser that goes through once in a while and generates my own local list for whatever system I'd be using. I'd also want to be able to add my own custom entries.

Is there something on my DNS server I can do for that to work, or something in pfsense? I could make zones for each domain I want to block, but that seems kinda dirty, if I want to block ads.google.com I don't really want to have to make a zone for google.com and then have to put in all the proper A records. I just want to be able to block ads.google.com and then the rest still resolves normally. I'm thinking it would actually be fairly easy to code a program that speaks the DNS protocol but works off a host file style format, but figured there's probably something out there already made so open to suggestions.

This is one of those security/privacy things I should have done a long time ago and never bothered, so looking into it now. I know there are browser add-ons and such but I want to do it more globally while having some level of access to the list too.
 
I would say use a web filter of some kind, but FWIW you don't need to create a new DNS zone for the root domain. You can create a new zone for a specific hostname, just create an A record with a blank hostname so it's "same as parent" and have it resolve to whatever.

I dunno, I think this is more effort that it's worth and a web filter would be much easier, ha.

You could also try to set up your own transparent Squid proxy.
 
A web filter is basically what I'm asking for. Hence why I'm asking, I'm looking for a solution (free/open source). Proxy seems too intrusive though, rather do it at DNS level, that will also handle all protocols including weird/proprietary ones, not just HTTP. Ideally I want it to be done at my DNS server, as my DNS server can basically check this list first, before it then goes ahead and resolves it. Is there an extension of sorts for named that would do this? A simple solution would be to have it perhaps read the local hosts file or another similar file. Then I can grab all the data from various sources and generate this file. Though something that acts as a DNS server could perhaps work too, like something that checks a list, and if it's not in the list, it relays to another DNS. I can then have it relay to my DNS server. So if a domain is in the list it returns some kind of error to the client, if it's not in the list, it then forwards to the main DNS.
 
Got me there. Good luck... sounds like you are making this incredibly complicated, lol.
 
I actually want it to be simple lol. I can't find the URL anymore, I'd have to check my Reddit history, but someone had linked to a couple sites that have lists of bad host names, like ad servers, spyware sites etc... I just want to take these sources, generate a master list, and then have my DNS server or other system that can intercept name resolution queries and return a different IP, or an error when they are attempted to be resolved. Basically a "host file" that the DNS server queries before it queries the root servers. I'm thinking this could probably work for network wide ad blocking too.

Was more of a fun idea I had anyway, if it turns out it's not possible then oh well. Just figured there would be a simple solution like some kind of plugin for named, or something within pfsense.
 
An alternative would be to make a script that takes the blacklist from the net, converts all the hostnames to IP addresses (simple DNS lookup) and makes an iptables input file that will reset all connections to those IPs.

It's important that you reset the connections, do not just blackhole them. You will have to wait for timeouts a lot otherwise.

In essence, you do not allow outgoing connections to IPs from the blacklist. This can be done on a per VLAN basis.

You can set up a cron job to download and update the list every x hours/days.

It is also a good idea to scan your IP lists for duplicates because multiple ad servers from the blacklist may resolve to the same IP.
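As an added example of the approach in the post above (this is not code posted in the thread): resolve the blacklisted hostnames, de-duplicate the addresses, merge neighbouring ones into CIDRs, and emit iptables rules that actively reject, with a TCP reset for TCP, for each VLAN interface. The resolver is injectable so the script runs offline here against a constructed answer table; pass `resolve_dns` for real lookups. The hostnames, addresses and interface names are made up.

```python
"""Pre-resolve a hostname blacklist and emit iptables rules that reset connections.

Added example for this thread, not code from any poster. The idea from the
post above: resolve the blacklisted hostnames, de-duplicate the addresses
(several ad hosts usually share one IP), and reject outgoing connections to
them per VLAN with a TCP reset instead of silently dropping. The resolver is
injectable so the script runs offline against a constructed answer table;
pass resolve_dns for real lookups. Hostnames, addresses and interface names
are made up.
"""
import ipaddress
import socket
from typing import Callable, Iterable

# Constructed stand-in for DNS answers. Two hosts share 203.0.113.10, one host
# has two addresses, and one name does not resolve at all.
FAKE_DNS = {
    "ads.example.com": ["203.0.113.10"],
    "tracker.example.net": ["203.0.113.10", "203.0.113.11"],
    "metrics.example.org": ["198.51.100.7"],
    "gone.example.invalid": [],
}


def resolve_fake(name: str) -> list[str]:
    """Offline resolver used by the demo and tests."""
    return FAKE_DNS.get(name, [])


def resolve_dns(name: str) -> list[str]:
    """System-resolver lookup, IPv4 only to match the iptables rules below."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def resolve_all(names: Iterable[str],
                resolver: Callable[[str], list[str]]) -> list[ipaddress.IPv4Network]:
    """Resolve every name, drop duplicate addresses, merge neighbours into CIDRs."""
    addrs = {ipaddress.ip_address(a) for n in names for a in resolver(n)}
    nets = (ipaddress.ip_network(str(a)) for a in addrs if a.version == 4)
    return sorted(ipaddress.collapse_addresses(nets))


def iptables_rules(nets: Iterable[ipaddress.IPv4Network],
                   vlan_ifaces: Iterable[str], chain: str = "ADBLOCK") -> str:
    """Render iptables-restore text: a shared reject chain, jumped to per VLAN.

    TCP gets an explicit RST so the browser fails the request immediately;
    other protocols get REJECT's default ICMP port-unreachable, which is
    likewise immediate. A plain DROP would make clients wait for timeouts.
    """
    lines = ["*filter", f":{chain} - [0:0]"]
    for iface in vlan_ifaces:
        lines.append(f"-A FORWARD -i {iface} -j {chain}")
    for net in nets:
        lines.append(f"-A {chain} -d {net} -p tcp -j REJECT --reject-with tcp-reset")
        lines.append(f"-A {chain} -d {net} -j REJECT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    blocked = resolve_all(FAKE_DNS, resolve_fake)
    print(iptables_rules(blocked, ["vlan20", "vlan30"]))
```

Load the output with `iptables-restore --noflush` so your existing rules survive, and run it from the cron job the post mentions: ad networks sit behind CDNs whose addresses rotate, so a resolved list goes stale within days. Turning a VLAN on or off is just adding or removing its `-A FORWARD -i vlanNN -j ADBLOCK` jump. pfSense users can publish the same address list over HTTP and point a URL Table alias at it instead of hand-editing an alias.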
 
Forgot to mention, you may be able to find and block whole subnets. Usually ad-slinging companies buy a block of IP addresses (subnet).

I block:
31.13.24.0/21
31.13.64.0/18
66.220.144.0/20
69.63.176.0/20
69.171.224.0/19
74.119.76.0/22
103.4.96.0/22
173.252.64.0/18
204.15.20.0/22

This is the IP space used by facebook. The Zuck can fuck right off, none of my PC's will talk to his loser emporium :)
 
Hmm, never thought of "pre-resolving" them, I suppose that could work. Is there a way to script adding an IP/range to a pfSense alias? I already have an alias for blocking outgoing connections to certain IPs/subnets, so if I can programmatically update it that would be awesome. I have a rule with that alias set as destination and set to block, so I just add IPs to it. I'll have to experiment with this further.
 
Create a blackhole zone without any hostnames, run your list of hosts through a oneliner to create a named.conf snippet and off you go.

You need to work on those problem-solving skills. This is trivial.
 
Yeah, making zones is the first thing that came to mind, no idea what "blackhole zone without any host names" is supposed to mean, but I was going to just redirect it to 127.0.0.1 or something. But I don't want to block full domains. For example I may want to block ads.google.com but not google.com.

I might forget this if it's going to end up being complicated and just do it client side with a hosts file, I just figured maybe there was a pfsense addon, or a named addon or something that could make it happen network side.

Though this does have me thinking, could make an interesting programming project to make such a program/addon.
 
It means what it says. You create a zone file that only contains a SOA and nothing else. Then you create an entry in your named.conf for "ads.google.com" that uses that zone file.

Why would you redirect to 127.0.0.1? It makes no sense.
 
I think it is better to actively reset the connections than to blackhole them. It speeds up page loads if the request to the ad server fails immediately rather than waiting for a timeout.
 
No, it's even better to not resolve the host name in the first place. Then you don't need to reset any connection because no connection is even attempted.

Edit: "Blackhole" means something very different when you're operating at DNS level. It's not comparable to the long timeout of IP connections.
 
Wait, so it's possible to make a zone for just a sub domain? I did not know that. That changes everything. So I literally just put SOA in the record instead of doing anything else, and it will be valid and just return an error that it can't resolve when it is attempted? Was not sure if it was possible to make it do anything else but actually resolve to an IP, so that's why I was going to just make it resolve to localhost. But if I can make it not resolve at all then even better. I will have to experiment with that. Should not be hard to write a script that goes through various sources and generates all these records.
 
Think of it this way, every "hostname" is just a "subdomain" for more nested hostnames, so of course you can create zones that are x levels deep. If the zone has an A record, then that zone is also a hostname itself.

If your named is authoritative for "ads.google.com", then it will look in there for "foo.ads.google.com", "foo.bar.ads.google.com" and even just "ads.google.com". If there are no A records, then you have blackholed everything at and under ads.google.com.

That's how this whole delegation thing works in the first place. Do you think Google has a team that manages everything below google.com in a central place? They likely delegate subdomains to other teams who can all run their own nameservers and then of course they have authority only for that subdomain.

It seems you haven't grasped DNS fully, yet.
 
You're right TCM2, I misunderstood you when you said blackholed.

If the DNS fails to resolve the hostname, it will fail immediately.

So to sum up:
Web filter will work.
Adding blackhole DNS will work.
IPtables rules to block connections will work.

Basically it's up to the OP to choose. I do worry that you end up with a lot of DNS zones or rules. The web filter may be the best option.

Something else to consider:
Companies are starting to catch on to these ways of blocking. Microsoft makes sure that the "telemetry" (read: spying) is sent to the same load balancer IP that also runs Windows Update and a lot of the Office 365 and OneDrive things. If you block the IP/DNS to kill the telemetry, you also lose a lot of functions you might want. They are also backporting their spyware to Win 8(.1) and 7.
 
Yeah I thought blackhole was a special type of zone or something, not just the idea of making a zone not have an entry. But I see how this would work, it's kinda like if I try to do an nslookup for sub.localdomain.loc. The zone localdomain.loc does not have a record for sub, so it just fails immediately. This is faster than redirecting to an IP and then letting it try to connect to a web server.

Is there any technical issue if I do end up creating 1000's of records? I can't imagine so though. As far as having to manage that many records, I will automate that anyway. Basically I'll write an app that goes through a list and generates the zone files. This will be a separate include from my regular local zone files, so I will manage those as normal.

> Something else to consider:
> Companies are starting to catch on to these ways of blocking. Microsoft makes sure that the "telemetry" (read: spying) is sent to the same load balancer IP that also runs Windows Update and a lot of the Office 365 and OneDrive things. If you block the IP/DNS to kill the telemetry, you also lose a lot of functions you might want. They are also backporting their spyware to Win 8(.1) and 7.

Yeah, I could see this potentially being an issue, especially if, say, I want to use Google, and they start to use the same servers for spying stuff and do away with subdomains. Like they could do google.com/spyserver/script etc. AND use the same IP range as google.com. But for now it seems they typically use separate subdomains and/or IP ranges, so I can do a mixture of blocking domains and, where I need to, blocking IPs.

This is more just a fun idea at this point anyway, not sure when I'll actually implement it, but I have some ideas to go by at least.
 
You are mixing up "zones" and "records". Every hostname/domain you want to block is a zone that needs to be defined in your named.conf, e.g.

Code:
zone "google-analytics.com"     { type master; file "views/internal/blackhole"; };
zone "googleadservices.com"     { type master; file "views/internal/blackhole"; };
zone "googlesyndication.com"    { type master; file "views/internal/blackhole"; };
 
If your vlans have separate subnets, you can use views in bind.

EDIT: to specify which blackhole file to serve them. In case it wasn't obvious.
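Putting the last few posts together as an added example (not code posted by anyone in the thread): a generator that takes hosts-file style blocklists, turns each hostname into a `zone` stanza pointing at one shared SOA-only "blackhole" file, drops names already covered by a parent zone (as TCM2 explains, a zone for ads.example.com already answers for everything under it), and wraps the stanzas in BIND views so one VLAN's subnet gets the blocking and another does not. The sample hostnames, subnets, view names and file paths are made up, and the include path for the regular local zones is an assumption about how such a setup would be laid out.

```python
"""Generate BIND blackhole zones and per-VLAN views from hosts-file blocklists.

Added example for this thread, not code posted by any participant. It reads
hosts-file style lines (the format most public ad/tracker lists use), keeps
only hostnames, drops names already covered by a parent zone, and renders:
  * a zone file containing only SOA and NS records (the "blackhole" file), and
  * named.conf zone stanzas, optionally inside per-VLAN views.
Hostnames, subnets, view names and paths below are made-up sample input.
"""
import ipaddress
from typing import Iterable

# Constructed sample blocklist: two common sink addresses, comments, a localhost
# entry that must not be blocked, mixed case, a trailing dot, a duplicate, and
# a child of an already-blocked name.
SAMPLE_HOSTS = """\
# sample blocklist (constructed)
127.0.0.1   localhost
0.0.0.0     ads.example.com
0.0.0.0     tracker.example.net   # inline comment
127.0.0.1   ADS.EXAMPLE.COM
0.0.0.0     foo.ads.example.com
0.0.0.0     metrics.example.org.
"""

# Names hosts files carry for the machine itself; never turn these into zones.
SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost",
        "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


def parse_hosts(text: str) -> set[str]:
    """Return every hostname named in hosts-file formatted text."""
    names: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # field 0 is the sink address; every following field is a hostname
        for name in line.split()[1:]:
            name = name.lower().rstrip(".")
            if name and name not in SKIP:
                names.add(name)
    return names


def collapse_zones(names: Iterable[str]) -> list[str]:
    """Drop names that a shorter zone already covers.

    A zone for ads.example.com is authoritative for everything under it,
    so a second zone for foo.ads.example.com would be redundant.
    """
    keep: list[str] = []
    for name in sorted(set(names), key=lambda n: (n.count("."), n)):
        if not any(name == z or name.endswith("." + z) for z in keep):
            keep.append(name)
    return sorted(keep)


def blackhole_zonefile(ns: str = "localhost.",
                       contact: str = "hostmaster.localhost.") -> str:
    """Zone file with a SOA and the NS record BIND requires at the apex, nothing else.

    No A/AAAA records exist, so the apex answers NODATA and every child
    answers NXDOMAIN. The SOA MINIMUM (last number) is kept short so that
    removing a name from the list takes effect quickly in client caches.
    """
    return ("$TTL 3600\n"
            f"@ IN SOA {ns} {contact} ( 1 3600 900 604800 60 )\n"
            f"@ IN NS {ns}\n")


def zone_stanzas(zones: Iterable[str], zonefile: str) -> str:
    """One named.conf zone statement per blocked name, all sharing the blackhole file."""
    return "".join(f'zone "{z}" {{ type master; file "{zonefile}"; }};\n' for z in zones)


def named_views(zones: Iterable[str], zonefile: str,
                vlans: dict[str, tuple[str, bool]], local_zones_conf: str) -> str:
    """Render one view per VLAN; only views flagged True get the blackhole zones.

    vlans maps view name -> (client subnet, filtered?). Once views are used
    BIND requires every zone to live inside a view, so the regular local zones
    (assumed to sit in local_zones_conf) are included in each view.
    """
    zones = list(zones)
    out = []
    for view, (subnet, filtered) in vlans.items():
        ipaddress.ip_network(subnet)  # fail early on a typo in the subnet
        out.append(f'view "{view}" {{\n    match-clients {{ {subnet}; }};\n'
                   f'    recursion yes;\n    include "{local_zones_conf}";\n')
        if filtered:
            out.append("".join("    " + s + "\n"
                               for s in zone_stanzas(zones, zonefile).splitlines()))
        out.append("};\n")
    return "".join(out)


if __name__ == "__main__":
    zones = collapse_zones(parse_hosts(SAMPLE_HOSTS))
    print(blackhole_zonefile())
    print(named_views(zones, "/etc/bind/blackhole", {
        "vlan10-filtered": ("10.0.10.0/24", True),
        "vlan20-open": ("10.0.20.0/24", False),
    }, "/etc/bind/zones.local"))
```

Write the two outputs to files, `include` the generated views from named.conf, and run `named-checkconf` plus `named-checkzone ads.example.com /etc/bind/blackhole` before `rndc reload`; a few thousand zone stanzas is not a problem for BIND, but a single syntax error takes the whole server down with it. Views are matched in the order written, first match wins, so keep the filtered views ahead of any catch-all, and remember that a client that falls into no view gets no answer at all.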
 