Filter DNS queries with Blocky
Blocks
The Domain Name System (DNS) puts you in a position to contain the spread of malware and prevent suspicious activities within your corporate network and, with appropriate filters on your DNS server, prevent user tracking and advertising on websites. Moreover, researchers at the University of Bonn have shown that almost 20 percent of HTTP requests load advertising content and that blocking these ads reduces the power consumption of terminal devices [1].
Blocky, a DNS proxy and ad blocker for local networks, has been under active development by German developer Dimitri Herzog since January 2020 and is available on GitHub. The tool lets you effectively filter domains on the basis of blacklists and whitelists or regular expressions. The filters can differ to match the groups on your local network (e.g., different filter rules can be implemented in different departments).
Blocky supports the DNS over HTTPS (DoH) protocol described by RFC 8484 [2], which was published three years ago. The idea behind DoH is to boost the privacy of the querying users. After encrypting the HTTP query by the Transport Layer Security (TLS) protocol, requested domains are no longer revealed by sniffing unencrypted DNS packets. With DoH – in contrast to DNS over TLS (DoT; specified in RFC 7858) [3], with DNS packets themselves encrypted by TLS – even the DNS query as such can no longer be immediately identified if the DNS service provider also delivers classic web pages over the same port.
If you go to the Blocky website [4], you can download the sources, written in the Go programming language, and compile the project yourself. However, the binary for the tool is a useful alternative if you want to take a look at Blocky first without installing an extensive Go development environment. Even easier, you can choose the Docker image that is also provided and simply launch Blocky in a container.
If you want to use your own domain names on your local network, Blocky lets you resolve internal names yourself or forward corresponding requests to other DNS servers. Here, too, you can configure different upstream resolvers, depending on the requesting client, or forward requests to different resolvers each time. By default, Blocky does not collect any information about requesting clients or domain names.
Blocking Queries
To test Blocky, start the Docker container on an available Linux server and configure it as the DNS server for your computer. Before launching, you need to prepare a simple configuration file named config.yml
. For example, you could set up common DNS servers as the upstream and the domain blacklist from abuse.ch
[5] (Listing 1) and then launch Blocky with the command:
docker run --name blocky-v ./config.yml:/app/config.yml-p 4000:4000-p 53:53/udp spx01/blocky
Listing 1
config.yml
upstream: default: - 8.8.4.4 - 8.8.8.8 - 9.9.9.9 blocking: blackLists: ads: - https://urlhaus.abuse.ch/downloads/hostfile/ clientGroupsBlock: default: - ads port: 53 httpPort: 4000
Remember that privileged ports usually can only be used by the root user.
After starting the container, call http://localhost:4000 in your browser for a link to the API documentation and the Go profiler. To query Blocky's current status in the API, use http://localhost:4000/api/blocking/status . The output will be a JSON string with the requested information. To test Blocky's functionality, simply call a URL from the blacklist. You can enter the address in the browser, but then you have to change the DNS resolver for your browser or system. For example, if the 6fz.one domain is on your blacklist, you could simply enter:
dig 6fz.one @localhost
You would expect 0.0.0.0 to be returned as Blocky's IP address, as shown in Listing 2.
Listing 2
dig Results
; <> DiG 9.16.15 <> 6gz.one @localhost ;; global options: +cmd ;; got answer: ;; ->HEADER<- opcode: QUERY, status: NOERROR, id: 61020 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;6fz.one. IN A ;; ANSWER SECTION: ;;6fz.one 21600 IN A 0.0.0.0 ;; Query time: 0msec ;; SERVER: ::1#53(::1) ;; WHEN: Do Sep 23 17:16:53 CEST 2021 ;; MSG SIZE rcvd: 41
Versatile Configuration
The Blocky configuration file lets you to do far more than I have shown so far. For example, you can specify TLS certificates to allow Blocky to serve queries by DoH without error. The URL for DoH queries with the TLS certificate for your domain is then https://<domain>:4000/dns-query . By specifying other groups (default is the group for clients not included in any other group), you can also use other upstream DNS resolvers for specific clients or on the basis of the queried domain. If need be, you can change the default response from 0.0.0.0 to NXDOMAIN , which signals to the requestor that the domain is not accessible by DNS at all.
Conclusions
Blocky offers many ways to secure your network with a DNS resolver. In this article, I showed you how to install Blocky and work with some of the wide variety of configuration options, which are explained further in Blocky's clear-cut documentation.
Infos
- Energy consumption through displays: https://www.researchgate.net/publication/336086817_The_environmental_impact_of_online_advertisement
- RFC 8484: https://datatracker.ietf.org/doc/html/rfc8484
- RFC 7858: https://datatracker.ietf.org/doc/html/rfc7858
- Blocky: https://github.com/0xERR0R/blocky
- abuse.ch: https://abuse.ch
Buy this article as PDF
(incl. VAT)