Generate domain sinkhole (blacklist) files for DNSCrypt & pdnsd DNS servers
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

74 lines
3.0 KiB

5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
  1. # [DNS sinkhole](https://en.wikipedia.org/wiki/DNS_sinkhole)
  2. Generate domain sinkhole (blacklist) files for [DNSCrypt](https://github.com/jedisct1/dnscrypt-proxy) and [pdnsd](http://members.home.nl/p.a.rombouts/pdnsd/) DNS servers. Comparable to Pi-Hole, but uses more simple structure without too much overhead. Generated blacklist files can be added to existing DNS server installations.
  3. ![](images/sample.png)
  4. ----------
  5. # Usage
  6. Add blacklists and whitelists as you wish into [the python script](data/dns-sinkhole_gen.py). Once done, run the script with Python 3. The script generates necessary files for you to adapt to your DNS servers.
  7. ----------
  8. # Developer's notice
  9. ## Benefits:
  10. Useful for blocking ads, tracking & telemetry on:
  11. - single device with a DNS server
  12. - on a full network segment if a centralized DNS server is used (multiple devices)
  13. - applies to IoT devices (+ SmartTVs etc.) if traffic is routed via a centralized DNS server applying this sinkhole/blacklist policy
  14. **NOTE (Tor users):** These lists do not work with SOCKS5/HTTP Tor connections, as DNS resolution is done on the Tor exit nodes, not by your DNS server(s).
  15. ### Tested on
  16. ```
  17. Arch Linux (x86_64): DNSCrypt server, pdnsd server
  18. Android (mobile phone, ARMv7): DNSCrypt server
  19. ```
  20. ## About used list formats
  21. ### pdnsd
  22. Although pdnsd offers `neg` feature, it is not very reliable with large DNS blocklists. However, custom `rr` (Resource Record) entries have been tested with a list of over 240 000 blacklisted domains, and it works as expected.
  23. ### DNSCrypt
  24. Although DNSCrypt offers blacklist feature, it is not very reliable with large DNS blocklists. However, cloaking list has been tested with a list of over 240 000 blacklisted domains, and it works as expected.
  25. ----------
  26. ## Basic principle/idea
  27. ### Single device
  28. ![](images/dns-sinkhole_phone.png)
  29. ### Multiple devices
  30. ![](images/dns-sinkhole_network.png)
  31. ----------
  32. ### Detecting malicious network traffic on Android & (embedded) IoT devices
  33. Network analysis is strongly encouraged for mobile phones and (embedded) IoT devices to detect malicious or unwanted connections which are usually taking place without user's knowledge. You can use results of the analysis to build your own DNS sinkhole blacklist for devices or network segments.
  34. You can use `tcpdump` or `wireshark` for network analysis purposes.
  35. Mobile phones: you may consider limiting count of installed applications. More applications you have, more unwanted network traffic may occur.
  36. Be aware that some applications or websites may break if too greedy policy is taken in place. DNS sinkhole works at best with combination of other network filtering/firewall policy applied, as well (application & network/data link layers). Understanding [OSI model](https://en.wikipedia.org/wiki/OSI_model) and/or [TCP/IP protocol stack](https://en.wikipedia.org/wiki/Internet_protocol_suite) helps you to build a proper policy for your network devices.
  37. ----------
  38. # License
  39. This repository uses MIT license. See [LICENSE](LICENSE) file for details.