While quick, this sure ain't dirty... Unlike many vendors' 'URL Filtering' solutions, this affects not just basic web browsing, but ANY protocol that needs to resolve any kind of domain name to an IP. Now THAT'S Fancy!

Let's take a look at a Sophos UTM 9 Gateway, for example (we could likely do the same for Checkpoint or Juniper or Cisco or...). With these 'typical' URL Filtering solutions, the user tries to browse to a website, the gateway intercepts that TCP Port 80 HTTP request, takes a look at the URL in that packet, and blocks/allows accordingly. While a very good solution for TCP Port 80 HTTP traffic (and TCP Port 443 HTTPS), it is limited to that traffic, and nothing more. While this can help curb the quantity of Ads seen in Web Browsers, it has its potential limitation with Malware.

For example, let's take an imaginary piece of malware that I will make up as we go for the sake of this discussion. Now let's say that one of its tasks is to call home and create a tunnel of sorts (SSH, HTTP/S, VPN, DNS, etc...). If the creator of said malware was REALLY stupid, they would simply hard-code home's IP Address, but that would be really stupid, and that's not the way these things work. In all likelihood, they'll hard-code some kind of DNS-resolvable name, and use that to create said tunnel to the proper IP Address. A typical URL Filtering solution might catch the HTTP/S traffic, but can do nothing about the rest. Sure, a properly crafted firewall rulebase might help, but what if the infected device actually needs SSH (or VPN, etc...) access to the outside world? Then what? How could you block that? From a firewall rulebase and URL Filtering perspective, there is nothing that can be done; that SSH (or VPN, etc...) traffic will establish, and the malware will call home and work its evil magic...

Enter: this DNS Server.

Based on Pi-Hole

Sure, the Pi-Hole project is primarily targeted for use on a Raspberry Pi, but mine are all already in use, and their existing WebUIs conflict with this one, so I can't use them. Fortunately, it is entirely compatible with any olde Debian install; it even checks and installs all necessary dependencies. A few additional features/reasons:

  • a nice WebUI
  • custom Black/White List
  • It gets the "bad" Domain names from multiple sources, including my favored one at https://github.com/StevenBlack/hosts
  • there's a "search" in the WebUI that will allow me to check if a Domain name is on any of the lists
  • easily updated and upgraded

So off to build we go!

  1. Start with a simple debian net-install
  2. Create a VM with a mere 3.5-4GB HDD, 512MB RAM, 1 CPU, nothing more needed; this would allow for an effective but lightweight 'server', and an easily backed-up VM that fits on a single DVD
  3. When prompted, select just SSH Server and Standard System Utilities, none of the others are needed
  4. Pick a working mirror, let it install and update
    https://www.debian.org/mirror/list
    http://mirror.debian.org/status.html
    • This might take some time, it is pulling all packages from the internet, rather than installing from the CD/DVD/ISO as we are typically used to
  5. Log in as root
  6. Install additional utilities
    # apt-get install dnsutils tcpdump sudo curl
  7. install Pi-Hole
    # curl -sSL https://install.pi-hole.net | bash
  8. Set a cronjob to update the domain lists every day at 3am
    # crontab -e
    • add line:
      0 3 * * * pihole -g
  9. Update the list right now to ensure it will work
    # pihole -g
  10. Add your user to the sudoers file
    # nano /etc/sudoers
    • add line:
      <user> ALL=(ALL) NOPASSWD: ALL
  11. Set a new password for the WebUI
    # pihole -a -p <password>
    • Note: Be careful with the special characters, they don't all work as expected
  12. Log in to the WebUI:
    http://<ip address>/admin
  13. Make sure you configure what you want your DNS Server to have as ITS DNS Servers in the 'Settings'.
  14. Once you have it all installed and set up, there are a few ways you can make use of it:
    1. If you have access to your DHCP Server (your home router if that's what you are using), you can change the DHCP settings to provide your new DNS Server's IP Address as the DNS Server, instead of the home router. This will allow you to see which of your devices are performing which DNS lookups, and gain that kind of deeper insight into your traffic.
    2. Alternatively, you can simply set your home router's DNS server to your new DNS Server's IP. While this may be a bit quicker and easier, all the DNS Requests will source from that router, so while the DNS resolution would be just as effective, you would be not able to "track" the original source of the DNS requests.
    3. If you are using static IPs and static configurations, just point those DNS requests to your new DNS Server.
    4. If you're doing something wild and WAY out-of-the-box, just make sure your DNS requests get sent to your new DNS Server
  15. And there you have it, a Quick n' Fancy DNS Ad- and Malware Blocker
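To show the "deeper insight" from step 14.1 in practice, here is an added example (not part of the original post or of the Pi-hole project) that loads a hosts-format blocklist like the StevenBlack one, scans dnsmasq-style "query[TYPE] name from client" lines such as those Pi-hole writes to /var/log/pihole.log (format assumed), and reports which client asked for a blocked name. The blocklist and log lines are constructed samples, and matching parent domains is this example's own choice, not a Pi-hole guarantee.

```python
import re
from collections import defaultdict

# Constructed blocklist in the hosts-file format Pi-hole ingests
# (one "0.0.0.0 domain" entry per line, '#' comments allowed).
BLOCKLIST_TEXT = """\
# constructed sample, not a real list
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org
0.0.0.0 c2.example.com
"""

# Constructed sample lines in the dnsmasq "query[TYPE] name from client"
# format (assumed to match Pi-hole's query log).
QUERY_LOG = """\
Sep 10 03:01:02 dnsmasq[812]: query[A] www.debian.org from 192.168.1.20
Sep 10 03:01:05 dnsmasq[812]: query[A] ads.example.net from 192.168.1.20
Sep 10 03:01:09 dnsmasq[812]: query[AAAA] api.c2.example.com from 192.168.1.31
Sep 10 03:01:11 dnsmasq[812]: query[A] tracker.example.org from 192.168.1.31
Sep 10 03:01:15 dnsmasq[812]: query[A] c2.example.com from 192.168.1.31
"""

QUERY_RE = re.compile(r"query\[(\w+)\]\s+(\S+)\s+from\s+(\S+)")


def load_blocklist(text):
    """Return the set of blocked domains from hosts-format text."""
    blocked = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            blocked.update(p.lower() for p in parts[1:])
    return blocked


def is_blocked(name, blocked):
    """Exact match, then each parent domain (api.c2.example.com matches
    c2.example.com); the bare TLD is never checked."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels) - 1))


def blocked_lookups_by_client(log_text, blocked):
    """Map client IP -> sorted list of blocked names it looked up."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_blocked(m.group(2), blocked):
            hits[m.group(3)].add(m.group(2).lower())
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for ip, names in blocked_lookups_by_client(QUERY_LOG, load_blocklist(BLOCKLIST_TEXT)).items():
        print(ip, names)
```

Pointing QUERY_LOG at the real log file turns this into a quick per-device check of who is resolving blocked names, which is exactly the visibility you lose with option 14.2 where every query appears to come from the router.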

Granted, you can probably get some fancier, enterprise-grade DNS products for a pretty penny, and sure they might have fancier features and arguably tighter/better security... But for home use, or even a Guest WiFi network or small business, and for free, you can't ask for a much better solution than this!
