[Solved] Add domain name lists as aliases for use in firewall rules

Started by binaryanomaly, June 27, 2022, 08:59:03 PM

Hi,

Wouldn't it be nice if one could provide a list of domains to be blocked, such as DoH or adserver domains, as an alias?

It seems to me that, functionally speaking, almost everything is there:
1. loading remote lists like "URL Tables (IPs)"
2. FQDNs can be added as "hosts" for blocking

But just not the combination of the above two, and maintaining FQDNs manually as aliases is cumbersome.
Wouldn't it be possible to combine both capabilities and allow fetching remote FQDN lists for blocking, or am I missing something?

I am aware that something similar could be achieved with Suricata, a proxy or DNS blocking, but none of them would be as practical and effective as being able to use FQDN lists in firewall rules.

Thoughts?


Interestingly, this works from the CLI:

sudo pfctl -t H_DoG -T add one.one.one.one doh.dns.sb dnsforge.de dns.google dns.google.com doh.dns.apple.com doh.seby.io dns-nyc.aaflalo.me ibksturm.synology.me fi.doh.dns.snopyta.org doh.cleanbrowsing.org doh.tiarap.org jp.tiarap.org doh.powerdns.org dns.switch.ch digitale-gesellschaft.ch resolver-eu.lelux.fi doh.li dns.aa.net.uk dns.adguard.com dns-family.adguard.com cloudflare-dns.com mozilla.cloudflare-dns.com family.cloudflare-dns.com security.cloudflare-dns.com doh-de.blahdns.com doh-fi.blahdns.com doh-jp.blahdns.com doh.eastus.pi-dns.com doh.westus.pi-dns.com doh.northeu.pi-dns.com doh.centraleu.pi-dns.com doh.familyshield.opendns.com doh.opendns.com doh.dnslify.com doh.xfinity.com dns.rubyfish.cn captnemo.in doh.captnemo.in dns.nextdns.io doh-2.seby.io doh.tiar.app jp.tiar.app doh.42l.fr doh.libredns.gr dns.flatuslifir.is dns10.quad9.net dns11.quad9.net dns9.quad9.net dns.quad9.net dohdot.coxlab.net doh.ffmuc.net ordns.he.net dns.dnsoverhttps.net ibuki.cgnat.net rdns.faelix.net dns.hostux.net applied-privacy.net doh.applied-privacy.net commons.host dns.twnic.tw doh.crypto.sx odvr.nic.cz

Unfortunately I can't use this externally created alias in a firewall rule in the OPNsense UI, but technically this should work.
Edit: If I create an alias from within the UI and then populate it from the CLI, this does work! 🙌🏻

Which seems to confirm my assumption that only existing capabilities would have to be combined?

You technically can do that already via SSH and the API; you just have to either create a script which adds and removes FQDNs to a specific alias, or manually edit the alias file itself.

But yes, I agree it would be much more convenient to be able to just create an alias via the WebGUI which does that.

You can also use BIND instead of Unbound on OPNsense; it does have support for fetching blocklists published in BIND format. Technically the same thing: you just set the blocklist source website in the BIND server settings.

Thanks for your feedback.

I just found out that in fact "URL Tables (IPs)" works with lists of FQDNs as well, such as https://gist.githubusercontent.com/ckuethe/f71185f604be9cde370e702aa179fc2e/raw/53fe52046836ac3009e9505b7b8b8b5de42d84e3/doh-blocklist.txt

Nice - It's a feature not a bug 😉

Maybe someone should update the docs 😎


PS: Using pfctl or editing /usr/local/etc/filter_tables.conf does not seem to persist.
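For anyone who still wants the script approach mentioned above (populate a WebGUI-created alias from the CLI, as the second post suggests) rather than the "URL Tables (IPs)" alias that turned out to accept FQDN lists, here is an added example of such a script. It is not code from the thread or from OPNsense. It assumes the alias table (here the hypothetical name H_DoH) already exists because it was created in the WebGUI, and that the remote list has one hostname per line with optional # comments, like the linked doh-blocklist.txt. Because pfctl resolves each name to its current A/AAAA records at load time and, as the PS notes, a pfctl-only change is lost on the next filter reload, the script uses `-T replace` so it can be re-run from cron to refresh both the list and the resolved addresses.

```shell
#!/bin/sh
# Added example (not from the thread or OPNsense): refresh an existing pf
# alias table from a remote FQDN blocklist. Assumptions: table H_DoH was
# created in the WebGUI beforehand; list format is one hostname per line
# with optional '#' comments; pfctl is the pf(4) control tool on FreeBSD.

# Keep only lines that look like hostnames: strip comments, trim
# whitespace, lowercase, validate label syntax, deduplicate. Untrusted
# remote input is filtered here so nothing but hostnames reaches pfctl.
filter_hosts() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$@" \
    | tr 'A-Z' 'a-z' \
    | grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$' \
    | sort -u
}

# Replace the table contents in one operation so the alias never sits
# half-empty. pfctl resolves each name when it loads the table, so this
# must be re-run (cron) to follow DNS changes. With PFCTL_DRYRUN set the
# command is printed instead of executed (also used for offline testing).
load_table() {
    table="$1"; listfile="$2"
    hosts=$(filter_hosts "$listfile")
    if [ -z "$hosts" ]; then
        echo "no hosts parsed from $listfile" >&2
        return 1
    fi
    if [ -n "${PFCTL_DRYRUN:-}" ]; then
        printf 'pfctl -t %s -T replace %s\n' "$table" \
            "$(printf '%s' "$hosts" | tr '\n' ' ')"
    else
        # shellcheck disable=SC2086  # word splitting on $hosts is intended
        pfctl -t "$table" -T replace $hosts
    fi
}

# Usage: sh refresh_alias.sh <list-url> <table-name>
# e.g.   sh refresh_alias.sh https://example.invalid/doh-blocklist.txt H_DoH
if [ $# -ge 2 ]; then
    url="$1"; table="$2"
    tmp=$(mktemp) && trap 'rm -f "$tmp"' EXIT
    # -f: fail on HTTP errors so an error page is never loaded as a list
    curl -fsSL "$url" -o "$tmp" && load_table "$table" "$tmp"
fi
```

Run it from cron with the same alias name used in the WebGUI; if the alias is later edited in the UI, OPNsense will regenerate the table from its own configuration and the next cron run simply re-applies the list.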