OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: chemlud on March 28, 2019, 03:08:12 pm

Title: DNS over HTTPS - any way to block?
Post by: chemlud on March 28, 2019, 03:08:12 pm
Hi!

Is there an option in suricata to block access to DNS servers via https (e.g. via a list of DNS servers)?

Any other options for blocking DNS over HTTPS below the level of deep packet inspection of HTTPS with all its implications?

Title: Re: DNS over HTTPS - any way to block?
Post by: mimugmail on March 28, 2019, 04:45:07 pm
Blocking these hosts would be a good start:

https://dnscrypt.info/public-servers
Title: Re: DNS over HTTPS - any way to block?
Post by: chemlud on March 28, 2019, 04:51:19 pm
OK, let's do a thought experiment, if we want to go down this road. If I were Google or Samsung, I would hardcode the DNS server in the browser, smart TV etc. for ads, "telemetry" and worse. And update the software from time to time, if necessary. Or?

Then blocking some DNS servers via a list of domain names is a first step, but (besides never being close to complete) how long will this list be up to date?

Sounds to me like a perfect target for suricata...
Title: Re: DNS over HTTPS - any way to block?
Post by: mimugmail on March 28, 2019, 05:02:53 pm
This would be something for the suricata mailing list.
Title: Re: DNS over HTTPS - any way to block?
Post by: chemlud on March 28, 2019, 05:09:46 pm
...way above my pay grade in interwebs stuff and didn't find it on their homepage. Would you post a link to this thread on this list? :-)
Title: Re: DNS over HTTPS - any way to block?
Post by: fabian on March 28, 2019, 05:44:44 pm
An IPS cannot block DoH as it should look like normal web traffic. Two things would work:

* Intercept with the proxy and block it when the format is detected via ICAP service (will have a 100% rate, but not work in many cases like 3rd party devices)
* Block the DoH resolver IPs via PF (blacklists tend to be incomplete)

Title: Re: DNS over HTTPS - any way to block?
Post by: chemlud on March 28, 2019, 06:28:40 pm
Many thanks for reply!

Could you enlighten me on

"Block the DoH resolver IPs via PF"? How would that work? :) An alias with host names and IPs to be blocked, as they provide DNS over HTTPS (let's start with 8.8.8.8, 9.9.9.9, 1.1.1.1 and the other usual suspects) and a floating block rule with this alias?

Black lists will always tend to be incomplete, but that's the same with malware C&C sites etc. But somebody would have to have "honeypots" (running IoT, Chrome browser, Firefox, Samsung TVs and alike) to collect the DNS requests for HTTPS DNS servers. That could be the suricata network, or? ;-)
Title: Re: DNS over HTTPS - any way to block?
Post by: mimugmail on March 28, 2019, 10:53:48 pm
You need a list, perhaps there is a managed one
Title: Re: DNS over HTTPS - any way to block?
Post by: chemlud on March 29, 2019, 08:42:56 am
Is it only me who is interested in this topic? Large companies do their HTTPS proxy stuff and can filter on this, OK, but what about smaller companies interested in a decent control of network flows?

Are they completely lost or should they do HTTPS proxy as well?
Title: Re: DNS over HTTPS - any way to block?
Post by: mimugmail on March 29, 2019, 09:41:48 am
Large companies pay thousands of $ for such products. If Open Source can achieve everything there would be no need for these :)

Have you tried Sensei plugin?
Title: Re: DNS over HTTPS - any way to block?
Post by: chemlud on March 29, 2019, 09:53:56 am
...read about sensei the last days, but not there yet ;-)

Don't want to further increase complexity, if possible, so suricata was my first hope.
Title: Re: DNS over HTTPS - any way to block?
Post by: 3kj2w on March 29, 2019, 01:01:24 pm
Super interesting topic, at this moment I am using:
- IP and DNS blocking from public lists for malware and ads.
- my DNS server, blocking request to other DNS servers from LAN.
- Suricata.

Unfortunately all this will not block DNS over HTTPS...
Title: Re: DNS over HTTPS - any way to block?
Post by: chemlud on March 29, 2019, 02:01:15 pm
Yeah, that's why my evil friends at Google and their friends like it that much. I have started some time ago to take away HTTP and HTTPS completely from some nets and have classical "browsing" only in dedicated subnets with machines reached via tunnels/VNC.

But if you want to control what your browser does, DNS over HTTPS is a real pain with no solution in sight, except playing little NSA and starting to open the whole HTTPS. With TLS 3.0 this will only be possible with this European "light" TLS 3.0 "standard". Doesn't look good at the moment...
Title: Re: DNS over HTTPS - any way to block?
Post by: 3kj2w on April 10, 2019, 02:07:49 pm
I had to take some countermeasures after Mozilla added DoH by default on browsers, so I used that public resolvers list to block any traffic from LANs to IPs... and one of the offenders caught is an LG smart TV with the latest firmware that already had blocked one of the LG DNS names used for adverts: lgsmartad.com
this time tv is using: dns.google.com  port: 443

Code:
https://download.dnscrypt.info/resolvers-list/json/public-resolvers.json
@chemlud
do you have any other resolver list or ideas ?
Title: Re: DNS over HTTPS - any way to block?
Post by: chemlud on April 10, 2019, 02:50:13 pm
hi 3k,

no, no specific list here yet. I disable DoH in Firefox manually in about:config, setting network.trr.mode to "0"

https://wiki.mozilla.org/Trusted_Recursive_Resolver

How did you translate the linked .json file to an Alias for opnsense? :-)
Title: Re: DNS over HTTPS - any way to block?
Post by: 3kj2w on April 10, 2019, 02:56:00 pm
I think you have to change the value to 5 to completely disable DoH on the Mozilla browser
Code:
https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/
I saved the list and used the good old slow method with gedit to search and replace strings; the end result with IPv4 addresses and DNS names I imported into an alias.

Title: Re: DNS over HTTPS - any way to block?
Post by: chemlud on April 10, 2019, 03:00:21 pm
yepp, you're right, "5" is the better option. And I removed the trr.uri as well...

Sure IPv4 is enough? Although I disabled IPv6 completely, I see IPv6 addresses, routes etc. all over the place in my senses...

PS: in 60.6.1 ESR the option "5" kills off DNS completely for FF, no pages can be loaded at all. Strange...
Title: Re: DNS over HTTPS - any way to block?
Post by: 3kj2w on April 10, 2019, 05:27:56 pm
No problems with option 5 on my Linux with Firefox Quantum 66.0.2.

I also disabled IPv6 on my firewalls and, more than this, I also tampered with the source and deleted any IPv6 port opening, listening, reference ...

here are some other sources for DoH:
Code:
https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers
https://en.wikipedia.org/wiki/Public_recursive_name_server

here is the first list I use, feel free to change, correct, add:
Title: Re: DNS over HTTPS - any way to block?
Post by: chemlud on April 10, 2019, 07:06:52 pm
Wow, an IPv6-free opnsense! Nice project, others would be interested, too, I guess ;-)

Is there an easy way to close ports on opnsense for IPv6 DHCP and other stuff apparently running?

I added some more (some are DNS over TLS, too)


Source:

https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

https://www.privacy-handbuch.de/handbuch_93.htm

PS: do you simply copy/paste the list to an Alias? I never tried IIRC...
Title: Re: DNS over HTTPS - any way to block?
Post by: Taomyn on July 10, 2019, 09:08:20 am
I was looking into this issue this morning and came across this: https://github.com/bambenek/block-doh

Do you think this approach could help control DoH?
Title: Re: DNS over HTTPS - any way to block?
Post by: chemlud on August 25, 2019, 10:06:05 pm
I think in this way the race can hardly be won. Blocking lists are a nice start, but who will keep them up-to-date. No idea how to filter DoH traffic efficiently... :-(
Title: Re: DNS over HTTPS - any way to block?
Post by: devilkin on October 30, 2020, 01:55:08 pm
I realise this is an older topic, but starting from the public resolver list https://download.dnscrypt.info/resolvers-list/json/public-resolvers.json, you could run these commands as a cron job:

Code:
# Fetch the resolver list with certificate verification on (the original -k
# skipped it, which is unwise for data that ends up in a firewall table),
# keep only the IPv4 addresses and write them deduplicated to a temp file.
curl -s https://download.dnscrypt.info/dnscrypt-resolvers/json/public-resolvers.json \
  | jq '.[].addrs' \
  | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" \
  | sort -u > /tmp/public_resolvers
# Replace the contents of the pf table; the table must already be referenced
# by a block rule in the ruleset.
pfctl -t public_resolvers -T replace -f /tmp/public_resolvers
(untested)

(jq syntax stolen from https://community.checkpoint.com/t5/Next-Generation-Firewall/How-to-deal-with-DNS-over-HTTPS-DNS-over-TLS-QUIC-and-PSOM/td-p/11528)
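The same extraction done in Python rather than jq/grep, as an added example that is not from any poster in this thread: it filters on the resolver protocol and keeps IPv6 addresses as well (the question raised earlier whether IPv4 alone is enough). The JSON layout (an array of objects with "name", "proto" and "addrs") and the sample records are assumptions constructed for the example, not a copy of the real file.

```python
import ipaddress
import json

# Constructed sample in the assumed layout of public-resolvers.json; the real
# file carries more fields, which this code ignores.
SAMPLE_JSON = """[
  {"name": "cloudflare", "proto": "DoH",
   "addrs": ["1.1.1.1", "1.0.0.1", "2606:4700::6810:f8f9"]},
  {"name": "quad9-doh", "proto": "DoH",
   "addrs": ["9.9.9.9:443", "[2620:fe::fe]:443"]},
  {"name": "example-dnscrypt", "proto": "DNSCrypt",
   "addrs": ["203.0.113.10:5443"]}
]"""

def strip_port(addr):
    """Return the bare address from 'host', 'host:port' or '[v6]:port'."""
    if addr.startswith("["):               # bracketed IPv6 with a port
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:               # IPv4 with a port
        return addr.split(":")[0]
    return addr                            # plain IPv4 or plain IPv6

def resolver_addresses(json_text, protos=("DoH",)):
    """Unique, valid IPv4 and IPv6 addresses of resolvers speaking protos."""
    v4, v6 = set(), set()
    for entry in json.loads(json_text):
        if entry.get("proto") not in protos:
            continue
        for raw in entry.get("addrs", []):
            try:
                ip = ipaddress.ip_address(strip_port(raw))
            except ValueError:             # hostnames or junk: skip, don't abort
                continue
            (v6 if ip.version == 6 else v4).add(str(ip))
    return (sorted(v4, key=ipaddress.ip_address),
            sorted(v6, key=ipaddress.ip_address))

def alias_file(json_text, protos=("DoH",)):
    """One address per line, the form an OPNsense alias or pf table accepts."""
    v4, v6 = resolver_addresses(json_text, protos)
    return "\n".join(v4 + v6) + "\n"

if __name__ == "__main__":
    print(alias_file(SAMPLE_JSON), end="")
```

Feeding the output file to `pfctl -t <table> -T replace -f` gives the same result as the jq pipeline, with the IPv6 entries included; pass `protos=("DoH", "DNSCrypt")` to cover both protocols in one table.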
Title: Re: DNS over HTTPS - any way to block?
Post by: Taomyn on October 30, 2020, 02:07:22 pm
I'd forgotten about this thread, I've been using a firewall alias:
Title: Re: DNS over HTTPS - any way to block?
Post by: devilkin on October 30, 2020, 04:42:45 pm
Could you share the URL you're using as a source?
Title: Re: DNS over HTTPS - any way to block?
Post by: Taomyn on October 30, 2020, 05:00:43 pm
Quote from: devilkin on October 30, 2020, 04:42:45 pm
Could you share the URL you're using as a source?

Sorry, sure it's https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOHipv4.txt from https://discourse.pi-hole.net/t/doh-dns-over-https-ip-block-list-s/30393