Blocking specific TLD

Started by Vilhonator, May 19, 2023, 05:54:06 PM

Don't know how many are aware, but Google just released a bunch of new TLDs (or at least started advertising them) a couple of days ago.

Among those TLDs were .zip (yes, DOT ZIP) and .mov TLDs. So my question is, is there a way to set up an alias to collect all .zip domains or set up Unbound to block them?

From what little I've seen, the only way to do so involves either messing with the Unbound config files or running a different/additional DNS server.

Your best bet is to put in a feature request for it.

May 19, 2023, 07:43:47 PM #2 Last Edit: May 19, 2023, 07:45:24 PM by lilsense
I use pihole to do this with regex. :)

something like this:
\.(zip|mov)$

Quote from: lilsense on May 19, 2023, 07:43:47 PM
I use pihole to do this with regex. :)

something like this:
\.(zip|mov)$

Yeah, that was the first thing I looked into, but I'm looking for an option to block this that runs on my OPNsense, since I would have to uninstall OPNsense and replace it with something that supports Pi-hole, and that's not going to happen.

Might have to check if Snort or Suricata has that option.

No need to uninstall OPNsense. You can install bhyve and run a Pi-hole VM on the OPNsense, similar to the OpenWRT discussion on this forum.

ref:
Bhyve on OPNsense for virtualization in 2023
HOWTO: Setup OpenWRT Virtual Machine on OPNsense and use it to manage a WiFi AP

How can this be done without installing Pi-hole?

The easiest way in Unbound is to create a domain override for 'zip' and point it to a blackhole.

In AdGuard Home you can put this in Filters > Custom filtering rules:
||*.zip^

I had the same question, and I found a solution (more a workaround) by adding a domain override into Unbound.

1. Go to Services: Unbound DNS: Overrides -> Domain Overrides
2. Add a new entry with the following values
    Domain: zip
    IP: 0.0.0.0

This will forward all domain queries for the TLD zip to the nameserver IP 0.0.0.0, and the queries will run into a timeout.
If you experience performance issues due to waiting for the timeout, you can change the IP to an existing internal IP which refuses (not blocks!) DNS queries on port 53.

A query forwarding will also work (Services: Unbound DNS: Query Forwarding).
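The two approaches in this thread (lilsense's Pi-hole regex and JasMan's Unbound domain override) share one question: which query names actually end in a blocked TLD, and who is asking for them? The following is an added example, not code from the thread or from OPNsense/Unbound. It generalizes the `\.(zip|mov)$` regex to a set of TLDs, handles the trailing dot and mixed case that appear in resolver logs, and runs the check over a few constructed Unbound query-log lines so you can see which clients are hitting the override. The log line layout (`info: <client> <qname> <qtype> <qclass>`) follows what Unbound emits with `log-queries: yes`, but the lines here are made up, and the `BLOCKED_TLDS`, `Hit` and `find_blocked_queries` names are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# TLDs the thread wants blocked; add more as needed (assumed set, not from OPNsense).
BLOCKED_TLDS = {"zip", "mov"}

# The Pi-hole regex from the thread, generalized to a set of TLDs.
# Resolver logs write names with a trailing dot ("example.zip."), so allow one.
_TLD_RE = re.compile(
    r"\.(" + "|".join(sorted(BLOCKED_TLDS)) + r")\.?$", re.IGNORECASE
)


def is_blocked_tld(qname: str) -> bool:
    """True if the query name's LAST label is a blocked TLD.

    'zip' as an inner label (zip.example.com) is deliberately not matched,
    mirroring the $-anchored regex in the thread, so legitimate hosts that
    merely contain the word are left alone.
    """
    return _TLD_RE.search(qname.strip()) is not None


# Constructed sample lines in the shape Unbound logs queries
# ("[ts] unbound[pid:tid] info: <client> <qname> <qtype> <qclass>").
SAMPLE_LOG = """\
[1684500001] unbound[1234:0] info: 192.168.1.10 update.example.com. A IN
[1684500002] unbound[1234:0] info: 192.168.1.10 attachment.zip. A IN
[1684500003] unbound[1234:0] info: 192.168.1.22 zip.example.com. A IN
[1684500004] unbound[1234:0] info: 192.168.1.22 Promo-Video.MOV. AAAA IN
[1684500005] unbound[1234:0] info: 192.168.1.10 files.example.zip. HTTPS IN
"""

_LOG_RE = re.compile(
    r"^\[(?P<ts>\d+)\]\s+unbound\[[\d:]+\]\s+info:\s+"
    r"(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<qclass>\S+)\s*$"
)


@dataclass(frozen=True)
class Hit:
    ts: int
    client: str
    qname: str
    qtype: str


def find_blocked_queries(log_text: str) -> list[Hit]:
    """Return every query line whose name ends in a blocked TLD."""
    hits: list[Hit] = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # Unbound logs other "info:" messages too; skip non-query lines
        if is_blocked_tld(m["qname"]):
            hits.append(Hit(int(m["ts"]), m["client"], m["qname"], m["qtype"]))
    return hits


def summarize_by_client(hits: list[Hit]) -> dict[str, int]:
    """Count blocked-TLD lookups per client IP, useful for spotting a noisy host."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.client] = counts.get(h.client, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_blocked_queries(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.client} asked for {h.qname} ({h.qtype})")
    print(summarize_by_client(found))
```

Two notes on how this relates to the thread's configuration. Because the domain override forwards `zip` to 0.0.0.0, clients see a timeout or SERVFAIL rather than a clean NXDOMAIN; Unbound's native way to get the latter from a config file is a `local-zone: "zip." always_nxdomain` line, which is the "messing with the unbound config files" route mentioned earlier in the thread. And the override alone gives you no visibility; pairing it with `log-queries: yes` and a check like the one above tells you which internal hosts are still trying to reach those TLDs.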

Quote from: JasMan on May 28, 2023, 04:12:48 PM
I had the same question, and I found a solution (more a workaround) by adding a domain override into Unbound.

1. Go to Services: Unbound DNS: Overrides -> Domain Overrides
2. Add a new entry with the following values
    Domain: zip
    IP: 0.0.0.0

This will forward all domain queries for the TLD zip to the nameserver IP 0.0.0.0, and the queries will run into a timeout.
If you experience performance issues due to waiting for the timeout, you can change the IP to an existing internal IP which refuses (not blocks!) DNS queries on port 53.

A query forwarding will also work (Services: Unbound DNS: Query Forwarding).

Nice. I like it.

Thx for the solution!

Quote from: JasMan on May 28, 2023, 04:12:48 PM
I had the same question, and I found a solution (more a workaround) by adding a domain override into Unbound.

1. Go to Services: Unbound DNS: Overrides -> Domain Overrides
2. Add a new entry with the following values
    Domain: zip
    IP: 0.0.0.0

This will forward all domain queries for the TLD zip to the nameserver IP 0.0.0.0, and the queries will run into a timeout.
If you experience performance issues due to waiting for the timeout, you can change the IP to an existing internal IP which refuses (not blocks!) DNS queries on port 53.

A query forwarding will also work (Services: Unbound DNS: Query Forwarding).