Advice about DNS

Linux Kernel, Network, and Services configuration.
Romina80
Posts: 5
Joined: 2019-10-08 18:31

Advice about DNS

#1 Post by Romina80 »

Hello, guys. I need advice about a DNS solution. First of all, let me explain what I'm planning to do.
I have a Debian 10 router with 192.168.1.0/24. On this network, I've got different devices like Android, Linux and Windows with permanent IPs. So, I'm looking for a solution for how to block *facebook.com for all devices except those on Linux. Also, how to block twitter.com for all devices, including the router. I don't really need a fast response time, so any solutions are welcome. Is this possible via BIND9, unbound, something else, and how? tcp/udp 53 are blocked (incoming/outgoing with drop) from outside, because the router is getting DNS over TLS via Stubby. I mean, /etc/resolv.conf contains "nameserver 127.0.0.1" and is write protected. Is this a problem for a future BIND9 or any DNS server on the same machine? So, as a result I would like to be able to block any domain for one or more IPs in my local network 192.168.1.0/24. Of course, outside (on WAN) there should be encrypted DNS traffic only.
Regards

reinob
Posts: 1198
Joined: 2014-06-30 11:42

Re: Advice about DNS

#2 Post by reinob »

I have something similar on my server (for VPN clients), using unbound views.
You can define a view linked to a subnet, and then for that view/subnet include the filters you want.

If you can control your DHCP then you can assign addresses in different subnets to different (types of) devices.

reinob
Posts: 1198
Joined: 2014-06-30 11:42

Re: Advice about DNS

#3 Post by reinob »

... in case you need an example:

with this in one of the config files:

server:
 access-control-view: 10.7.0.0/24   "vpn_view"
 access-control-view: 10.200.0.0/24 "vpn_view"

view:
 name: "vpn_view"
 include: "/etc/unbound/adblock.txt"
whenever queries come from clients having an address in 10.7.0.0/24 (my openvpn) or 10.200.0.0/24 (my wireguard), the contents of /etc/unbound/adblock.txt will apply. In my case, that file looks like this:

local-zone: "101com.com." always_nxdomain
local-zone: "101order.com." always_nxdomain
local-zone: "123found.com." always_nxdomain
...
(the list is taken from pgl.yoyo.org/adservers and is automatically updated every day).

I hope that helps. What's missing is of course the splitting of subnets for different clients, but that's up to you.

Romina80
Posts: 5
Joined: 2019-10-08 18:31

Re: Advice about DNS

#4 Post by Romina80 »

It's a kind of solution, thanks. I have to figure out how to do it via unbound and BIND9. In BIND9, I found a similar solution. By the way, how are you getting DNS outside? Plain text via tcp/udp at port 55 or encrypted?

P.S. It looks nice and easy. I guess just for one IP I can use mask 32, like 192.168.5.6/32

reinob
Posts: 1198
Joined: 2014-06-30 11:42

Re: Advice about DNS

#5 Post by reinob »

Romina80 wrote:It's a kind of solution, thanks. I have to figure out how to do it via unbound and BIND9. In BIND9, I found a similar solution. By the way, how are you getting DNS outside? Plain text via tcp/udp at port 55 or encrypted?
For outbound in unbound :) I don't use any forwarder (it does the recursive resolving itself), so it does normal udp/tcp at port 53. If I wanted encrypted DNS or DNS over TLS/HTTPS I would have to set up an upstream server (Cloudflare or such), but I prefer it this way.
P.S. It looks nice and easy. I guess just for one IP I can use mask 32, like 192.168.5.6/32
Hopefully it should work. Don't know what happens if you have a mask for one host, like 192.168.5.6/32, but then another (broader) mask for the rest (like 192.168.5.6/24). It may give an error, do the right thing (first /32 then /24) or do the wrong/random thing. You'll need to test it :)

reinob
Posts: 1198
Joined: 2014-06-30 11:42

Re: Advice about DNS

#6 Post by reinob »

reinob wrote: Hopefully it should work. Don't know what happens if you have a mask for one host, like 192.168.5.6/32, but then another (broader) mask for the rest (like 192.168.5.6/24). It may give an error, do the right thing (first /32 then /24) or do the wrong/random thing. You'll need to test it :)
Well, I tested it, and checked it in the documentation, which in the section "access-control" states that "The most specific netblock match is used", and this is indeed true.

So you can have things like:

server:
 access-control-view: 192.168.178.0/24   "view_general"
 access-control-view: 192.168.178.39/32 "view_this_host_only"

view:
 name: "view_general"
 include: "/etc/unbound/adblock_general.txt"

view:
 name: "view_this_host_only"
 include: "/etc/unbound/filter_this_host_only.txt"
and it works beautifully.

I'm actually now-ish setting this up for my global adblock filter including an additional filter for devices used by my children as well as other devices which should be somehow restricted (home office, IoT, etc.) using unbound as the outbound resolver at my ISP router, so that every client which doesn't have a specific DNS setting (i.e. uses whatever DHCP provides), automatically benefits from the ad-blocking.

Of course if a client avoids or overrides DNS then it's not effective, but it does the job well enough :)
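To check how the two pieces above combine for the setup asked about in this thread (block facebook.com for everyone except one Linux host, block twitter.com for everyone including the router's own queries via 127.0.0.1), here is an added Python model of unbound's view selection and local-zone lookup. It is not code from the thread or from unbound itself; the addresses and view names are hypothetical, and it models only access-control-view plus always_nxdomain zones.

```python
import ipaddress

# Constructed config mirroring the thread: a /24 view for the whole LAN, a /32 view
# for the one Linux host that may reach facebook.com, and a view for the router's own
# queries via 127.0.0.1. All addresses and view names are hypothetical.
ACCESS_CONTROL_VIEW = {
    "192.168.1.0/24": "lan_view",
    "192.168.1.50/32": "linux_view",
    "127.0.0.0/8": "router_view",
}
# Per-view local-zone entries (zone -> type). always_nxdomain covers the zone
# and every name below it, which is what "*facebook.com" needs.
VIEWS = {
    "lan_view": {"facebook.com.": "always_nxdomain", "twitter.com.": "always_nxdomain"},
    "linux_view": {"twitter.com.": "always_nxdomain"},
    "router_view": {"twitter.com.": "always_nxdomain"},
}


def select_view(client_ip):
    """access-control-view semantics: the most specific matching netblock wins."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for cidr, view in ACCESS_CONTROL_VIEW.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, view)
    return best[1] if best else None


def matching_zone(qname, zones):
    """Return the closest enclosing local-zone of qname, or None."""
    labels = (qname.lower().rstrip(".") + ".").split(".")
    for i in range(len(labels) - 1):  # walk up: www.facebook.com. -> facebook.com. -> com.
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve_policy(client_ip, qname):
    """Predict the outcome for (client, name): NXDOMAIN, forward upstream, or no view."""
    view = select_view(client_ip)
    if view is None:
        return ("no_view", None)
    zone = matching_zone(qname, VIEWS[view])
    if zone and VIEWS[view][zone] == "always_nxdomain":
        return ("NXDOMAIN", view)
    return ("forward", view)  # unfiltered: sent to the upstream resolver
```

twitter.com is listed in every view on purpose: a matched view only falls back to the server-wide local-zone entries when view-first: yes is set, so a block meant for everyone has to be present in each view (or view-first enabled).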

Romina80
Posts: 5
Joined: 2019-10-08 18:31

Re: Advice about DNS

#7 Post by Romina80 »

Yes, I found it. Just I've made a mistake. Unbound can't work with Stubby, dnsmasq, etc. I mean, Stubby listens on port 53. Anyway, unbound supports DNS over TLS like that:

forward-zone:
        name: "."
        forward-tls-upstream: yes
        ## Cloudflare DNS
        ## Note: the upstream certificate is only verified when tls-cert-bundle is set in
        ## the server: section and an authentication name is appended to the address,
        ## e.g. 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 1.1.1.1@853
        forward-addr: 1.0.0.1@853
So, I don't need Stubby any more.
tcp/udp 53 are blocked outside, 853 inside my network. It's not easy to bypass my restrictions. I keep an eye on it via tcpdump.
Thank you for your help, appreciate it ;)