Fincer
/
dns-sinkhole
mirror of https://github.com/Fincer/dns-sinkhole
1
0
Fork 0
Code Issues 0 Projects 0 Releases 0 Wiki Activity
Generate domain sinkhole (blacklist) files for DNSCrypt & pdnsd DNS servers
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
17 Commits
1 Branch
7.0 MiB
Tree: 25c8e56519
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '25c8e56519'
${ noResults }
dns-sinkhole/README.md

100 lines
4.9 KiB
Raw Normal View History

Update README.md
5 years ago
Initial commit
5 years ago
Update README.md
5 years ago
Initial commit
5 years ago
README: add note about hosts file
5 years ago
Initial commit
5 years ago
README: Formatting
5 years ago
Initial commit
5 years ago
Add material about the basic idea of this setup
5 years ago
README: fix link typo
5 years ago
Add material about the basic idea of this setup
5 years ago
README: add network analysis section
5 years ago
README: add info about hosts file usage
5 years ago
README: more text
5 years ago
README: add info about hosts file usage
5 years ago
README: more text
5 years ago
README: add info about hosts file usage
5 years ago
README: fix typo
5 years ago
README: add info about hosts file usage
5 years ago
README: more text
5 years ago
README: add info about hosts file usage
5 years ago
Initial commit
5 years ago
 
  1. # [DNS sinkhole](https://en.wikipedia.org/wiki/DNS_sinkhole)

  2. 

  3. Generate domain sinkhole (blacklist) files for [DNSCrypt](https://github.com/jedisct1/dnscrypt-proxy) and [pdnsd](http://members.home.nl/p.a.rombouts/pdnsd/) DNS servers. Comparable to Pi-Hole, but uses more simple structure without too much overhead. Generated blacklist files can be added to existing DNS server installations.
  4. 

  5. ![](images/sample.png)
  6. 

  7. ----------
  8. 

  9. # Usage

  10. 

  11. Add blacklists and whitelists as you wish into [the python script](data/dns-sinkhole_gen.py). Once done, run the script with Python 3. The script generates necessary files for you to adapt to your DNS servers.
  12. 

  13. ----------
  14. 

  15. # Developer's notice

  16. 

  17. ## Benefits:

  18. 

  19. Useful for blocking ads, tracking & telemetry on:
  20. 

  21. - single device with a DNS server
  22. 

  23. - on a full network segment if a centralized DNS server is used (multiple devices)
  24. 

  25. - applies to IoT devices (+ SmartTVs etc.) if traffic is routed via a centralized DNS server applying this sinkhole/blacklist policy
  26. 

  27. **NOTE (Tor users):** These lists do not work with SOCKS5/HTTP Tor connections, as DNS resolution is done on the Tor exit nodes, not by your DNS server(s).
  28. 

  29. **NOTE:** This method may not work if device's `hosts` file is modified so that it overrides accepted DNS policy.
  30. 

  31. ### Tested on

  32. 

  33. ```
  34. Arch Linux (x86_64):           DNSCrypt server, pdnsd server
  35. Android (mobile phone, ARMv7): DNSCrypt server
  36. ```
  37. 

  38. ## About used list formats

  39. 

  40. ### pdnsd

  41. 

  42. Although pdnsd offers `neg` feature, it is not very reliable with large DNS blocklists. However, custom `rr` (Resource Record) entries have been tested with a list of over 240 000 blacklisted domains, and it works as expected.
  43. 

  44. ### DNSCrypt

  45. 

  46. Although DNSCrypt offers blacklist feature, it is not very reliable with large DNS blocklists. However, cloaking list has been tested with a list of over 240 000 blacklisted domains, and it works as expected.
  47. 

  48. ----------
  49. 

  50. ## Basic principle/idea

  51. 

  52. ### Single device

  53. 

  54. ![](images/dns-sinkhole_phone.png)
  55. 

  56. ### Multiple devices

  57. 

  58. ![](images/dns-sinkhole_network.png)
  59. 

  60. ----------
  61. 

  62. ### Detecting malicious network traffic on Android & (embedded) IoT devices

  63. 

  64. Network analysis is strongly encouraged for mobile phones and (embedded) IoT devices to detect malicious or unwanted connections which are usually taking place without user's knowledge. You can use results of the analysis to build your own DNS sinkhole blacklist for devices or network segments.
  65. 

  66. You can use `tcpdump` or `wireshark` for network analysis purposes.
  67. 

  68. Mobile phones: you may consider limiting count of installed applications. More applications you have, more unwanted network traffic may occur.
  69. 

  70. Be aware that some applications or websites may break if too greedy policy is taken in place. DNS sinkhole works at best with combination of other network filtering/firewall policy applied, as well (application & network/data link layers). Understanding [OSI model](https://en.wikipedia.org/wiki/OSI_model) and/or [TCP/IP protocol stack](https://en.wikipedia.org/wiki/Internet_protocol_suite) helps you to build a proper policy for your network devices.
  71. 

  72. ----------
  73. 

  74. ## Why not just a simple hosts file??

  75. 

  76. Of course, you can apply DNS sinkhole list to your device's `hosts` file (Linux: `/etc/hosts`, Android: `/system/etc/hosts`, Windows: `C:\Windows\System32\Drivers\etc\hosts`). However, there are some benefits and some drawbacks:
  77. 

  78. **Benefits of `hosts`**:
  79. 

  80. - _Simple setup_: no software installation or compilation
  81. 

  82. - _No DNS server required_: thus no extra configuration/software overhead or server-specific security risks
  83. 

  84. **Drawbacks of `hosts`**:
  85. 

  86. - _Does not scale_: does not apply to a network segment or segments for which you want to block specific domain names. Applies only to single devices.
  87. 

  88. - _No extra security_, such as enforced DNS-over-HTTPS*, proxy configurations**, DNSSEC*** verification or any other useful detailed configuration, provided by a properly configured DNS server
  89. 

  90. `*` By default, domain name lookups are done via privileged UDP port 53, and DNS queries are unencrypted. Thus, anyone between you and remote DNS server can read the domain name lookups your applications request. With [DNS-over-HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS), all DNS queries are wrapped in encrypted packets, sent through (HTTPS) TCP port 443 and thus making your DNS queries unknown by others excluding you and the remote DNS server.
  91. 

  92. `**` You can enforce DNS queries through a proxy, such as via a server of your choice or via [Tor network](https://en.wikipedia.org/wiki/Tor_(anonymity_network))
  93. 

  94. `***` You can set-up DNS server of your choice to use enforced [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) policy. In other words, if a rogue, remote DNS server to which your DNS query (domain name lookup) is pointed to, breaks DNSSEC chain, the query is being left unanswered.
  95. 

  96. ----------
  97. 

  98. # License

  99. 

  100. This repository uses MIT license. See [LICENSE](LICENSE) file for details.