Hello, guys. I need advice about a DNS solution. First of all, let me explain what I'm planning to do.
I have a Debian 10 router with 192.168.1.0/24. On this network I've got different devices like Android, Linux, Windows with permanent IPs. So, I'm looking for a solution for how to block *facebook.com for all devices except the Linux ones. Also, how to block twitter.com from all devices including the router. I don't really need a fast response time, so any solutions are welcome. Is this possible via BIND9, unbound, something else, and how? tcp/udp 53 are blocked (incoming/outgoing with drop) from outside, because the router is getting DNS over TLS via Stubby. I mean, /etc/resolv.conf contains "nameserver 127.0.0.1" and is write-protected. Is this a problem for the future BIND9 or any DNS server on the same machine? So, as a result, I would like to be able to block any domain for one or more IPs in my local network 192.168.1.0/24. Of course, outside (on WAN) there should be encrypted DNS traffic only.
Regards
Advice about DNS
Re: Advice about DNS
Romina80 wrote: [full post quoted above]
I have something similar on my server (for VPN clients), using unbound views.
You can define a view linked to a subnet, and then for that view/subnet include the filters you want.
If you can control your DHCP then you can assign addresses in different subnets to different (types of) devices.
Re: Advice about DNS
.. in case you need an example:
with this in one of the config files:

    server:
        access-control-view: 10.7.0.0/24 "vpn_view"
        access-control-view: 10.200.0.0/24 "vpn_view"
    view:
        name: "vpn_view"
        include: "/etc/unbound/adblock.txt"

whenever queries come from clients having an address in 10.7.0.0/24 (my openvpn) or 10.200.0.0/24 (my wireguard), the contents of /etc/unbound/adblock.txt will apply. In my case, that file looks like this:

    local-zone: "101com.com." always_nxdomain
    local-zone: "101order.com." always_nxdomain
    local-zone: "123found.com." always_nxdomain
    ...

(the list is taken from pgl.yoyo.org/adservers and is automatically updated every day).
I hope that helps. What's missing is of course the splitting of subnets for different clients, but that's up to you.
Re: Advice about DNS
It's kind of a solution, thanks. I have to figure out how to do it via unbound and BIND9. In BIND9 I found a similar solution. By the way, how are you getting DNS outside? Plain text via tcp/udp at port 53, or encrypted?
P.S. It looks nice and easy. I guess just for one IP I can use mask 32, like 192.168.5.6/32
Re: Advice about DNS
Romina80 wrote: It's kind of a solution, thanks. I have to figure out how to do it via unbound and BIND9. In BIND9 I found a similar solution. By the way, how are you getting DNS outside? Plain text via tcp/udp at port 53, or encrypted?
For outbound in unbound :) I don't use any forwarder (it does the recursive resolving itself), so it does normal udp/tcp at port 53. If I wanted encrypted DNS or DNS over TLS/HTTPS I would have to set up an upstream server (Cloudflare or such), but I prefer it this way..
Romina80 wrote: P.S. It looks nice and easy. I guess just for one IP I can use mask 32, like 192.168.5.6/32
Hopefully it should work. Don't know what happens if you have a mask for 1, like 192.168.5.6/32, but then another (broader) mask for the rest (like 192.168.5.6/24). It may give an error, do the right thing (first /32 then /24) or do the wrong/random thing. You'll need to test it :)
Re: Advice about DNS
reinob wrote: Hopefully it should work. Don't know what happens if you have a mask for 1, like 192.168.5.6/32, but then another (broader) mask for the rest (like 192.168.5.6/24). It may give an error, do the right thing (first /32 then /24) or do the wrong/random thing. You'll need to test it :)
Well I tested it, and checked it in the documentation, which in the section "access-control" states that "The most specific netblock match is used", and this is indeed true.
So you can have things like:

    server:
        access-control-view: 192.168.178.0/24 "view_general"
        access-control-view: 192.168.178.39/32 "view_this_host_only"
    view:
        name: "view_general"
        include: "/etc/unbound/adblock_general.txt"
    view:
        name: "view_this_host_only"
        include: "/etc/unbound/filter_this_host_only.txt"

I'm actually now-ish setting this up for my global adblock filter including an additional filter for devices used by my children as well as other devices which should be somehow restricted (home office, IoT, etc.) using unbound as the outbound resolver at my ISP router, so that every client which doesn't have a specific DNS setting (i.e. uses whatever DHCP provides), automatically benefits from the ad-blocking.
Of course if a client avoids or overrides DNS then it's not effective, but it does the job well enough :)
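A complete unbound.conf for the setup asked about in the first post, put together from reinob's view example earlier in the thread and the "most specific netblock match is used" behaviour confirmed in this post. This is an added example, not configuration posted by anyone in the thread. Assumptions: the router's LAN address is 192.168.1.1, the Linux hosts that are allowed to reach Facebook are 192.168.1.20 and 192.168.1.21, Stubby has been removed so unbound owns port 53 on the router, and the Debian CA bundle is at /etc/ssl/certs/ca-certificates.crt.

```conf
# /etc/unbound/unbound.conf  (added example, not from the thread)
server:
    interface: 127.0.0.1          # the router itself (resolv.conf -> 127.0.0.1)
    interface: 192.168.1.1        # assumed LAN address of the router
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow

    # Views are chosen by the most specific matching netblock, so the /32
    # entries win over the /24 for those two hosts.
    access-control-view: 192.168.1.0/24 "lan_default"
    access-control-view: 127.0.0.0/8    "lan_default"   # router's own lookups
    access-control-view: 192.168.1.20/32 "linux_hosts"  # assumed Linux box
    access-control-view: 192.168.1.21/32 "linux_hosts"  # assumed Linux box

    # Needed so the DoT upstream certificates are actually verified; without
    # it unbound encrypts but does not authenticate the forwarder.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Everyone on the LAN, plus the router itself: no Facebook, no Twitter.
# A local-zone covers the name and everything below it (www.facebook.com ...).
view:
    name: "lan_default"
    local-zone: "facebook.com." always_nxdomain
    local-zone: "twitter.com."  always_nxdomain

# Linux hosts only: Twitter still blocked, Facebook allowed.
view:
    name: "linux_hosts"
    local-zone: "twitter.com." always_nxdomain

# Only encrypted DNS leaves the router. The "#hostname" suffix is the name
# the upstream certificate is checked against.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Check the file with unbound-checkconf before restarting unbound, then test from a non-Linux client with dig @192.168.1.1 www.facebook.com (expect NXDOMAIN) and from one of the /32 hosts (expect a normal answer). Two caveats: the block only works for clients that actually use the router's resolver, as the post above notes, and NXDOMAIN for facebook.com does not cover Facebook content served from other domains.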
Re: Advice about DNS
Yes, I found it. Just I've made a mistake. Unbound can't work with Stubby, dnsmasq, etc. I mean, Stubby listens on port 53. Anyway, unbound supports DNS over TLS like that:

    forward-zone:
        name: "."
        forward-tls-upstream: yes
        ## Cloudflare DNS
        forward-addr: 1.1.1.1@853
        forward-addr: 1.0.0.1@853

So, I don't need Stubby any more.
tcp/udp 53 are blocked outside, 853 inside of my network. It's not easy to bypass my restrictions. I keep an eye on it via tcpdump.
Thank you for your help, appreciate it
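The firewall side of the same setup, as an added nftables ruleset that is not from the thread. It implements what the last post describes, port 53 dropped in both directions on the WAN and 853 blocked from the LAN, and additionally redirects any LAN client that hard-codes its own plain-DNS server back to the router's unbound, which closes the "client overrides DNS" gap mentioned earlier for plain DNS. The interface names lan0 and wan0, the Cloudflare addresses from the previous post, and the absence of an IPv6 upstream are assumptions.

```conf
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumed interfaces: lan0 = LAN, wan0 = Internet.
add table inet dns_policy
flush table inet dns_policy

table inet dns_policy {
    # LAN clients that hard-code 8.8.8.8 or similar still land on the router's
    # unbound: any plain DNS from the LAN is redirected to the local port 53.
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname "lan0" meta l4proto { tcp, udp } th dport 53 redirect to :53
    }

    # Nobody on the LAN may speak DNS or DoT to the Internet directly.
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "lan0" oifname "wan0" meta l4proto { tcp, udp } th dport { 53, 853 } counter drop
    }

    # Nothing from the Internet reaches the resolver.
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "wan0" meta l4proto { tcp, udp } th dport 53 counter drop
    }

    # The router itself only speaks DoT, and only to the configured upstreams.
    chain output {
        type filter hook output priority 0; policy accept;
        oifname "wan0" meta l4proto { tcp, udp } th dport 53 counter drop
        oifname "wan0" tcp dport 853 ip daddr != { 1.1.1.1, 1.0.0.1 } counter drop
        # no IPv6 upstream is configured in the unbound example, so drop IPv6 DoT too
        oifname "wan0" meta nfproto ipv6 tcp dport 853 counter drop
    }
}
```

Load it with nft -f and watch the counters with nft list table inet dns_policy; tcpdump -ni wan0 port 53 or port 853 should then show only TLS sessions to 1.1.1.1 and 1.0.0.1. Note that DNS over HTTPS on port 443 is indistinguishable from ordinary web traffic at this level, so a client using DoH still bypasses the filter.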