Advice about DNS


Advice about DNS

Postby Romina80 » 2019-10-13 20:13

Hello, guys. I need advice about a DNS solution. First of all, let me explain what I'm planning to do.
I have a Debian 10 router with 192.168.1.0/24. On this network, I've got different devices like Android, Linux, Windows with permanent IPs. So, I'm looking for a solution to block *facebook.com for all devices except those on Linux. Also, how to block twitter.com from all devices including the router. I don't really need a fast response time, so any solutions are welcome. Is this possible via BIND9, unbound, something else, and how? tcp/udp 53 are blocked (incoming/outgoing with drop) from outside, because the router is getting DNS over TLS via Stubby. I mean, /etc/resolv.conf contains "nameserver 127.0.0.1" and is write protected. Is this a problem for a future BIND9 or any DNS server on the same machine? So, as a result I would like to be able to block any domain for one or more IPs in my local network 192.168.1.0/24. Of course, outside (on WAN) there should be encrypted DNS traffic only.
Regards
Romina80
 
Posts: 5
Joined: 2019-10-08 18:31

Re: Advice about DNS

Postby reinob » 2019-10-14 10:01

Romina80 wrote:Hello, guys. I need advice about a DNS solution. First of all, let me explain what I'm planning to do.
I have a Debian 10 router with 192.168.1.0/24. On this network, I've got different devices like Android, Linux, Windows with permanent IPs. So, I'm looking for a solution to block *facebook.com for all devices except those on Linux. Also, how to block twitter.com from all devices including the router. I don't really need a fast response time, so any solutions are welcome. Is this possible via BIND9, unbound, something else, and how? tcp/udp 53 are blocked (incoming/outgoing with drop) from outside, because the router is getting DNS over TLS via Stubby. I mean, /etc/resolv.conf contains "nameserver 127.0.0.1" and is write protected. Is this a problem for a future BIND9 or any DNS server on the same machine? So, as a result I would like to be able to block any domain for one or more IPs in my local network 192.168.1.0/24. Of course, outside (on WAN) there should be encrypted DNS traffic only.
Regards


I have something similar on my server (for VPN clients), using unbound views.
You can define a view linked to a subnet, and then for that view/subnet include the filters you want.

If you can control your DHCP then you can assign addresses in different subnets to different (types of) devices.
reinob
 
Posts: 736
Joined: 2014-06-30 11:42

Re: Advice about DNS

Postby reinob » 2019-10-14 11:48

.. in case you need an example:

with this in one of the config files:
server:
 access-control-view: 10.7.0.0/24   "vpn_view"
 access-control-view: 10.200.0.0/24 "vpn_view"

view:
 name: "vpn_view"
 include: "/etc/unbound/adblock.txt"


whenever queries come from clients having an address in 10.7.0.0/24 (my openvpn) or 10.200.0.0/24 (my wireguard), the contents of /etc/unbound/adblock.txt will apply. In my case, that file looks like this:

local-zone: "101com.com." always_nxdomain
local-zone: "101order.com." always_nxdomain
local-zone: "123found.com." always_nxdomain
...


(the list is taken from pgl.yoyo.org/adservers and is automatically updated every day).

I hope that helps. What's missing is of course the splitting of subnets for different clients, but that's up to you.
reinob
 
Posts: 736
Joined: 2014-06-30 11:42

Re: Advice about DNS

Postby Romina80 » 2019-10-14 13:15

It's a kind of solution, thanks. I have to figure out how to do it via unbound and BIND9. In BIND9, I found a similar solution. By the way, how are you getting DNS outside? Plain text via tcp/udp at port 55 or encrypted?

P.S. It looks nice and easy. I guess just for one IP I can use mask 32 - like 192.168.5.6/32
Romina80
 
Posts: 5
Joined: 2019-10-08 18:31

Re: Advice about DNS

Postby reinob » 2019-10-15 10:26

Romina80 wrote:It's a kind of solution, thanks. I have to figure out how to do it via unbound and BIND9. In BIND9, I found a similar solution. By the way, how are you getting DNS outside? Plain text via tcp/udp at port 55 or encrypted?


For outbound in unbound :) I don't use any forwarder (it does the recursive resolving itself), so it does normal udp/tcp at port 53. If I wanted encrypted DNS or DNS over TLS/HTTPS I would have to set up an upstream server (Cloudflare or such), but I prefer it this way..

P.S. It looks nice and easy. I guess just for one IP I can use mask 32 - like 192.168.5.6/32


Hopefully it should work. I don't know what happens if you have a mask for one host, like 192.168.5.6/32, but then another (broader) mask for the rest (like 192.168.5.6/24). It may give an error, do the right thing (first /32 then /24) or do the wrong/random thing. You'll need to test it :)
reinob
 
Posts: 736
Joined: 2014-06-30 11:42

Re: Advice about DNS

Postby reinob » 2019-10-17 17:37

reinob wrote:Hopefully it should work. I don't know what happens if you have a mask for one host, like 192.168.5.6/32, but then another (broader) mask for the rest (like 192.168.5.6/24). It may give an error, do the right thing (first /32 then /24) or do the wrong/random thing. You'll need to test it :)


Well I tested it, and checked it in the documentation, which in the section "access-control" states that "The most specific netblock match is used", and this is indeed true.

So you can have things like:
server:
 access-control-view: 192.168.178.0/24   "view_general"
 access-control-view: 192.168.178.39/32 "view_this_host_only"

view:
 name: "view_general"
 include: "/etc/unbound/adblock_general.txt"

view:
 name: "view_this_host_only"
 include: "/etc/unbound/filter_this_host_only.txt"


and it works beautifully.

I'm actually now-ish setting this up for my global adblock filter, including an additional filter for devices used by my children as well as other devices which should be somehow restricted (home office, IoT, etc.), using unbound as the outbound resolver at my ISP router, so that every client which doesn't have a specific DNS setting (i.e. uses whatever DHCP provides) automatically benefits from the ad-blocking.

Of course if a client avoids or overrides DNS then it's not effective, but it does the job well enough :)
reinob
 
Posts: 736
Joined: 2014-06-30 11:42

Re: Advice about DNS

Postby Romina80 » 2019-10-19 11:29

Yes, I found it. I just made a mistake. Unbound can't work with Stubby, dnsmasq, etc. I mean, Stubby listens on port 53. Anyway, unbound supports DNS over TLS like that:
forward-zone:
        name: "."
        forward-tls-upstream: yes
        ## Cloudflare DNS
        forward-addr: 1.1.1.1@853
        forward-addr: 1.0.0.1@853


So, I don't need Stubby any more.
tcp/udp 53 are blocked outside, 853 inside of my network. It's not easy to bypass my restrictions. I keep an eye on it via tcpdump.
Thank you for your help, appreciate it ;)
Romina80
 
Posts: 5
Joined: 2019-10-08 18:31
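Putting the pieces of this thread together (views selected by most-specific netblock, always_nxdomain local-zones, and the DNS-over-TLS forward-zone), here is an added example unbound.conf for the original question: facebook.com blocked for every LAN host except the Linux ones, twitter.com blocked for everyone including the router itself. It is not from any post above; the router address 192.168.1.1 and the Linux hosts 192.168.1.20 and 192.168.1.21 are assumed placeholders.

```conf
server:
  interface: 127.0.0.1               # router's own resolv.conf points here
  interface: 192.168.1.1             # assumed LAN address of the Debian router
  access-control: 127.0.0.0/8 allow
  access-control: 192.168.1.0/24 allow

  # "The most specific netblock match is used": the /32 entries below win
  # over the /24, so the assumed Linux hosts land in linux_hosts.
  access-control-view: 192.168.1.0/24   "lan_default"
  access-control-view: 192.168.1.20/32  "linux_hosts"   # assumed Linux box
  access-control-view: 192.168.1.21/32  "linux_hosts"   # assumed Linux box

  # Server-level block applies to twitter.com and all its subdomains.
  # Queries from 127.0.0.1 match no view, so the router is blocked too.
  local-zone: "twitter.com." always_nxdomain

  # CA bundle used to verify the TLS upstream (Debian path).
  tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

view:
  name: "lan_default"
  view-first: yes                    # fall back to the server-level local-zones
  local-zone: "facebook.com." always_nxdomain

view:
  name: "linux_hosts"
  view-first: yes                    # still inherits the twitter.com block
  # no facebook.com entry here, so Linux hosts resolve it normally

forward-zone:
  name: "."
  forward-tls-upstream: yes
  # '#hostname' pins the certificate name, so a spoofed 853 upstream fails.
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Check the result with `unbound-checkconf` and then `dig @192.168.1.1 www.facebook.com` from a blocked and from a Linux host: the first should return NXDOMAIN, the second a normal answer. Without `view-first: yes` a view replaces the server-level local-zones entirely, which would silently un-block twitter.com for every host that matched a view.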
