Author Topic: DNS related task  (Read 6040 times)

elektroinside (Hero Member, 574 posts, karma 51)
DNS related task
« on: January 25, 2018, 07:23:54 pm »
So, I was thinking...
I never heard of something similar, just came up with this idea, but maybe there's a way to do it.

The environment simplified:
So you got two (or more) DNS servers, each with its own records. Both (or all) might resolve the same hostname or only one of them can resolve the hostname, or none of them can resolve the hostname.

The task:
So you need to query a hostname. I would need a solution to get the resolved hostname ONLY if both (or all configured) servers are able to resolve it. If even one fails, do not resolve the hostname, stop querying the rest of the remaining servers and return the specific error "could not find host..."

Imagine the possibility to combine the power of OpenDNS with Adguard. Or other similar services.

Is it possible with OPNsense?


« Last Edit: January 25, 2018, 07:33:46 pm by elektroinside »
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member

bartjsmit (Hero Member, 2023 posts, karma 194)
Re: DNS related task
« Reply #1 on: January 25, 2018, 07:32:12 pm »
That's not how DNS is defined - you may of course be able to define a protocol that follows those rules, but it won't be DNS.

Out of interest; what is your use case?

Bart...

elektroinside (Hero Member, 574 posts, karma 51)
Re: DNS related task
« Reply #2 on: January 25, 2018, 07:35:16 pm »
I know, the goal of a DNS server (or service) is to resolve, not to do the opposite.
Just updated my first post with details :)

fabian (Hero Member, OPNsense Contributor (Language, VPN, Proxy, etc.), 2769 posts, karma 200)
Re: DNS related task
« Reply #3 on: January 25, 2018, 07:45:46 pm »
You can use my filter if you like:
https://github.com/fabianfrz/dns

You can load a blacklist into it. Please note that it could be hard to get it running on OPNsense.
It should not be hard to provide a special module doing that (just try to resolve it and if it fails, you can make the request fail too).

elektroinside (Hero Member, 574 posts, karma 51)
Re: DNS related task
« Reply #4 on: January 25, 2018, 08:05:21 pm »
Thank you!

But if I got it right, from the code, this implies I do have a blacklist defined... which I don't. The services I mentioned (I think) simply don't have a record of the hostnames they try to protect you from. How they maintain this "resolving", I have no idea.

Basically, I don't have a blacklist. In this case, a DNS proxy would not work... I'm not a dev, so I could be wrong (a strong possibility) about the code.

fabian (Hero Member, OPNsense Contributor (Language, VPN, Proxy, etc.), 2769 posts, karma 200)
Re: DNS related task
« Reply #5 on: January 25, 2018, 09:11:09 pm »
You are right, the blacklist module is using a list of domains. However if you add a file into the modules directory, it will be included automatically and if your class is in the special module, it will be used as a filter. You just have to add some code in the method to check the request. For example, you can query the DNS Server via "Resolv" and then check if it returns an IP.

for example:
https://ruby-doc.org/stdlib-2.5.0/libdoc/resolv/rdoc/Resolv/DNS.html#method-i-getaddress

for example (note: I have not even run it):

```ruby
require 'resolv'

module DNSFilterModule
  # Filter module: let an A query through only if the upstream resolver
  # named in config['ResolvableBy'] can resolve the name; otherwise block it.
  class ResolvableCheck
    def initialize(config, logger)
      @config = config
      @logger = logger
      @resolver_cfg = config['ResolvableBy']
      @dns = Resolv::DNS.new(nameserver: @resolver_cfg['nameserver'],
                             search: @resolver_cfg['search'],
                             ndots: 1)
    end

    def process(name, res_class, transaction)
      # Only address lookups are checked; other record types pass through.
      return unless res_class.to_s.include? '::A'
      begin
        @dns.getaddress(name.to_s)
      rescue Resolv::ResolvError
        # The upstream could not resolve it: make this request fail as well.
        raise DNSBlockException.new
      end
    end
  end
end
```
« Last Edit: January 25, 2018, 09:16:54 pm by fabian »
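An added example, not fabian's filter and not part of the original thread, implementing the rule from the first post as a stand-alone Ruby function: query each upstream in turn and return an address only when every one of them resolves the name, stopping at the first failure and reporting "could not find host". The FakeResolver class and its addresses are constructed so the example runs offline; real upstreams would be Resolv::DNS instances as sketched in the comment, and the nameserver addresses there are placeholders.

```ruby
require 'resolv'

# Raised when at least one upstream could not resolve the name.
class NotResolvableByAll < StandardError; end

# Query every upstream in order and return an address only when all of them
# return one. Stops at the first failure, as the first post asks for.
# Each resolver must respond to #getaddress(name) and raise
# Resolv::ResolvError when it cannot resolve, exactly like Resolv::DNS.
def resolve_if_all(name, resolvers)
  raise ArgumentError, 'no upstream resolvers configured' if resolvers.empty?
  answers = resolvers.map do |r|
    begin
      r.getaddress(name).to_s
    rescue Resolv::ResolvError
      # Do not query the remaining servers; report the failure instead.
      raise NotResolvableByAll, "could not find host #{name}"
    end
  end
  # Answers may legitimately differ between providers (CDNs, per-resolver
  # policy); once all agree the name exists, hand back the first answer.
  answers.first
end

# Real upstreams would be built like this (placeholder addresses, assumed):
#   resolvers = ['192.0.2.1', '192.0.2.2'].map do |ns|
#     Resolv::DNS.new(nameserver: [ns], ndots: 1)
#   end

# Constructed stand-in for an upstream so the example runs offline.
# It counts calls so the "stop at first failure" behaviour can be observed.
class FakeResolver
  attr_reader :calls

  def initialize(table)
    @table = table
    @calls = 0
  end

  def getaddress(name)
    @calls += 1
    @table.fetch(name) { raise Resolv::ResolvError, "no address for #{name}" }
  end
end
```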

elektroinside (Hero Member, 574 posts, karma 51)
Re: DNS related task
« Reply #6 on: January 25, 2018, 09:37:18 pm »
I'll try this approach, many thanks!

I was further thinking, wouldn't this be a reasonable marketing point if, say, would be somehow integrated into OPNsense?

It's another thing to maintain, but who knows.

I'm imagining this like a checkbox under Unbound (or Dnsmasq, or System: Settings: General), called, I don't know, "Protection mode" with the description "Combine different DNS services and only return an IP if all of them can resolve the queries".
If checked, it will load the DNS proxy and do just that. Of course, this will naturally mean longer time to get an IP (slower DNS performance overall). But might be worth it.

For example, you can have the customizable power of OpenDNS to block malware and the non-customizable AdGuard servers to block ads under one hood.

fabian (Hero Member, OPNsense Contributor (Language, VPN, Proxy, etc.), 2769 posts, karma 200)
Re: DNS related task
« Reply #7 on: January 25, 2018, 10:10:37 pm »
Quote from: elektroinside on January 25, 2018, 09:37:18 pm
I was further thinking, wouldn't this be a reasonable marketing point if, say, would be somehow integrated into OPNsense?
No this is really an edge case...


Quote from: elektroinside on January 25, 2018, 09:37:18 pm
For example, you can have the customizable power of OpenDNS to block malware and the non-customizable AdGuard servers to block ads under one hood.
You may also be interested in quad 9 if you want a DNS provider filtering malware etc.:
https://www.quad9.net/#/faq

elektroinside (Hero Member, 574 posts, karma 51)
Re: DNS related task
« Reply #8 on: January 25, 2018, 11:19:45 pm »
Yes, I know about Quad9, quite powerful. There are also others. But there is not one to offer both (malware + ads + why not, other stuff). Each is best doing one specific thing. This is why I still think it's a good idea to combine them somehow. DNS is fast and why block the malware or ad if you can block the source directly. Why maintain lists and import stuff when there are publicly available free & powerful tools to do just that with the right infrastructure to handle the load.

This may be part of "security through obscurity" mentality, which is better than "trust but verify".

So I think I will try your initial approach, maybe I'll have some amount of success.

Thank you.
« Last Edit: January 25, 2018, 11:28:23 pm by elektroinside »

elektroinside (Hero Member, 574 posts, karma 51)
Re: DNS related task
« Reply #9 on: January 26, 2018, 12:08:04 am »
Another idea would be to get a Raspberry Pi (or use a VM), install pi-hole and use one of the malware blocking DNS servers as the upstream servers.

Hmm..
« Last Edit: January 26, 2018, 01:12:01 am by elektroinside »

elektroinside (Hero Member, 574 posts, karma 51)
Re: DNS related task
« Reply #10 on: January 26, 2018, 04:52:57 pm »
Well, an autostarting VM with pi-hole did the trick :)

elektroinside (Hero Member, 574 posts, karma 51)
Re: DNS related task
« Reply #11 on: January 26, 2018, 09:28:09 pm »
Curious geek statistics:

My TV queried the (new, hence the statistics) pi-hole DNS server 11.000 (!!) times in the last ~3-4hrs, out of which more than 2.000 were for *.adcolony.com and other ad providers. This is just my TV.
35% of my queries overall in my LAN were blocked (ad & malware as categories, but only ads were blocked), and I only browsed 3-4 websites. Not a single malware anywhere (scanned the files & traffic).
« Last Edit: January 26, 2018, 09:31:11 pm by elektroinside »

franco (Administrator, Hero Member, 17706 posts, karma 1618)
Re: DNS related task
« Reply #12 on: January 27, 2018, 01:43:04 pm »
Smart TVs don't get smart by doing nothing, eh.... weird.