Photo by Bryan Garces on Unsplash

Photo by Bryan Garces on Unsplash

Filter DNS queries with Blocky

Blocks

Article from ADMIN 68/2022
By
The Domain Name System is repeatedly the target of or is leveraged for attacks on corporate infrastructures; however, it also lets you protect corporate networks against attacks and malware. The Blocky DNS server sets up quickly to secure DNS queries and DNS filtering for corporate networks.

The Domain Name System (DNS) puts you in a position to contain the spread of malware and prevent suspicious activities within your corporate network and, with appropriate filters on your DNS server, prevent user tracking and advertising on websites. Moreover, researchers at the University of Bonn have shown that almost 20 percent of HTTP requests load advertising content and that blocking these ads reduces the power consumption of terminal devices [1].

Blocky, a DNS proxy and ad blocker for local networks, has been under active development by German developer Dimitri Herzog since January 2020 and is available on GitHub. The tool lets you effectively filter domains on the basis of blacklists and whitelists or regular expressions. The filters can differ to match the groups on your local network (e.g., different filter rules can be implemented in different departments).

Blocky supports the DNS over HTTPS (DoH) protocol described by RFC 8484 [2], which was published three years ago. The idea behind DoH is to boost the privacy of the querying users. After encrypting the HTTP query by the Transport Layer Security (TLS) protocol, requested domains are no longer revealed by sniffing unencrypted DNS packets. With DoH – in contrast to DNS over TLS (DoT; specified in RFC 7858) [3], with DNS packets themselves encrypted by TLS – even the DNS query as such can no longer be immediately identified if the DNS service provider also delivers classic web pages over the same port.

If you go to the Blocky website [4], you can download the sources, written in the Go programming language, and compile the project yourself. However, the binary for the tool is a useful alternative if you want to take a look at Blocky first without installing an extensive Go development environment. Even easier, you can choose the Docker image that is also provided and simply launch Blocky in a container.

If you want to use your own domain names on your local network, Blocky lets you resolve internal names yourself or forward corresponding requests to other DNS servers. Here, too, you can configure different upstream resolvers, depending on the requesting client, or forward requests to different resolvers each time. By default, Blocky does not collect any information about requesting clients or domain names.

Blocking Queries

To test Blocky, start the Docker container on an available Linux server and configure it as the DNS server for your computer. Before launching, you need to prepare a simple configuration file named config.yml. For example, you could set up common DNS servers as the upstream and the domain blacklist from abuse.ch [5] (Listing 1) and then launch Blocky with the command:

docker run --name blocky-v ./config.yml:/app/config.yml-p 4000:4000-p 53:53/udp spx01/blocky

Listing 1

config.yml

upstream:
default:
  - 8.8.4.4
  - 8.8.8.8
  - 9.9.9.9
blocking:
  blackLists:
    ads:
     - https://urlhaus.abuse.ch/downloads/hostfile/
  clientGroupsBlock:
    default:
     - ads
port: 53
httpPort: 4000

Remember that privileged ports usually can only be used by the root user.

After starting the container, call http://localhost:4000 in your browser for a link to the API documentation and the Go profiler. To query Blocky's current status in the API, use http://localhost:4000/api/blocking/status . The output will be a JSON string with the requested information. To test Blocky's functionality, simply call a URL from the blacklist. You can enter the address in the browser, but then you have to change the DNS resolver for your browser or system. For example, if the 6fz.one domain is on your blacklist, you could simply enter:

dig 6fz.one @localhost

You would expect 0.0.0.0 to be returned as Blocky's IP address, as shown in Listing 2.

Listing 2

dig Results

; <> DiG 9.16.15 <> 6gz.one @localhost
;; global options: +cmd
;; got answer:
;; ->HEADER<- opcode: QUERY, status: NOERROR, id: 61020
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;6fz.one.                       IN         A
;; ANSWER SECTION:
;;6fz.one            21600      IN         A          0.0.0.0
;; Query time: 0msec
;; SERVER: ::1#53(::1)
;; WHEN: Do Sep 23 17:16:53 CEST 2021
;; MSG SIZE rcvd: 41

Versatile Configuration

The Blocky configuration file lets you to do far more than I have shown so far. For example, you can specify TLS certificates to allow Blocky to serve queries by DoH without error. The URL for DoH queries with the TLS certificate for your domain is then https://<domain>:4000/dns-query . By specifying other groups (default is the group for clients not included in any other group), you can also use other upstream DNS resolvers for specific clients or on the basis of the queried domain. If need be, you can change the default response from 0.0.0.0 to NXDOMAIN , which signals to the requestor that the domain is not accessible by DNS at all.

Conclusions

Blocky offers many ways to secure your network with a DNS resolver. In this article, I showed you how to install Blocky and work with some of the wide variety of configuration options, which are explained further in Blocky's clear-cut documentation.

The Author

Dr. Matthias Wübbeling is an IT security enthusiast, scientist, author, consultant, and speaker. As a Lecturer at the University of Bonn in Germany and Researcher at Fraunhofer FKIE, he works on projects in network security, IT security awareness, and protection against account takeover and identity theft. He is the CEO of the university spin-off Identeco, which keeps a leaked identity database to protect employee and customer accounts against identity fraud. As a practitioner, he supports the German Informatics Society (GI), administrating computer systems and service back ends. He has published more than 100 articles on IT security and administration.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus