using DNS to block entire domains for entire LAN

wardr
Posts: 3
Joined: Wed Mar 27, 2013 11:24 am

using DNS to block entire domains for entire LAN

Postby wardr » Wed Mar 27, 2013 2:00 pm

When I discovered Amahi and its DNS network solution, I was ecstatic. I have been wanting to streamline my DNS into one interface to use for my entire network for ages. Along the way I've tried some limited stopgap approaches like:

1. hosts file on each device: VERY ineffective. Not only are you limited to one device and then have to set up some kind of rigged-up script file to propagate that file to your other devices (some, like iDevices, don't even use a hosts file), but worse than that, this file has no ability to truly block subdomains. So if I block http://www.doubleclick.net and doubleclick.net on computerA, and I receive an ad that comes in as ad1.doubleclick.net, the hosts file passes this through because I didn't include ad1 in my file. This method completely sucks and is no good.

2. changed my DNS name servers to opendns.org: mostly ineffective. The only difference this made for me was that I can get some nice DNS reports at their website, and the phishing scam blockage is nice too, I guess. But as far as truly blocking entire domains from my LAN, it's limited. You are offered a limited number of domains you can block. But some domains (such as yahoo.com or yahoodns.com) don't work because they have a contract with OpenDNS, apparently.

3. Browser approaches like the AdBlock plug-in and others: mostly ineffective. Again, we are only working with one browser within one device... hardly the streamlined approach I am shooting for. This isn't even worth discussing because one browser on one device isn't going to cut it. I want to block any domain I want and have that work across my entire LAN. Next.

4. using my router: okay results. This is clunky and doesn't really seem as robust as I would like. I don't have a top-line router; it's okay but mostly average (TL Link 1043nd). Plus this method doesn't have anything to do with the DNS server; I think it just supposedly "blocks" the domain. I haven't had too much luck figuring this out.

Bottom line: I just want to be able to tell the DNS server a domain (such as yahoo.com or amazon.com, if I wanted to; it's up to me) and have it block the domain and all its nasty children from ever appearing on my internal network ever again. This doesn't seem like a very complicated thing, yet I see no solution for it anywhere, in any capacity, on the internet.

Can we accomplish this with Amahi DNS or what?

bigfoot65
Project Manager
Posts: 11924
Joined: Mon May 25, 2009 4:31 pm

Re: using DNS to block entire domains for entire LAN

Postby bigfoot65 » Wed Mar 27, 2013 3:52 pm

Try customizing OpenDNS. Get an account and there are parental controls that may meet your needs. Since Amahi uses OpenDNS this should work.

A third party app on the client may work as well.

ßîgƒσστ65
Applications Manager

My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 16GB RAM, 1TBx1+2TBx2+4TBx2

cpg
Administrator
Posts: 2618
Joined: Wed Dec 03, 2008 7:40 am

Re: using DNS to block entire domains for entire LAN

Postby cpg » Thu Mar 28, 2013 9:46 pm

We used to have this feature early on. It complicated things substantially, yet not that many people wanted this feature.

I'm with you that I would like that feature!
My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 8GB RAM, 1TBx2+3TBx1

wardr
Posts: 3
Joined: Wed Mar 27, 2013 11:24 am

Re: using DNS to block entire domains for entire LAN

Postby wardr » Sat Mar 30, 2013 3:39 pm

bigfoot: see my #2 above. I'm already using OpenDNS, but they limit you on what you can block and the number of blocks you can set up. I'd rather keep it in-house.

cpg: surprising! To me this kind of feature is huge. Yet you're right, I don't really see a big push for it in any forum anywhere on the internet for any kind of service, whether it be public DNS name servers like OpenDNS or setting up your own server like Amahi; nothing. Are most people clueless about the traffic they generate with even just surfing to one webpage? Simply opening your browser and typing in "www.bestbuy.com" or whatever, that alone generates a huge amount of traffic, a bunch of crap much of which you don't want or need to be a part of.

I actually just recently figured out my computer has a trojan/backdoor rootkit installed on it on my Windows 8 set-up. I've tried everything to get rid of this thing, and any and all attempts I make to stop it just make it get worse. In my losing effort I've kept Wireshark open and did a bunch of tcpdumps just seeing what kind of traffic is generated and what's going on. If I had the ability to stop this thing on the backend by simply blocking all the IPs that it tries to connect to, I would be able to keep my data safe. But there isn't really any true quick and solid way to do that.

Luckily I have a 50 gigabyte partition on my computer formatted to ext4 with Linux Mint installed on it that I really wasn't using that often and kind of forgot about. It's a dual boot, so I'm able to use my computer, but I'm still clueless on how to get that thing out of my Windows machine. It might even have infected some of the devices on my network; I'm not sure at this point.

bigfoot65
Project Manager
Posts: 11924
Joined: Mon May 25, 2009 4:31 pm

Re: using DNS to block entire domains for entire LAN

Postby bigfoot65 » Sun Mar 31, 2013 5:09 pm

Did not realize there were limits with OpenDNS. Might require a pay subscription to get more, not sure.

Anyway, as far as the virus, try Malwarebytes Anti-Malware. It's free and does a good job. I have used it often in the past with success. If you pay for a subscription to it, you get real-time blocking. I have seen it in action. Went to a website and it immediately caught the nasty virus/script and blocked it :)

jaybea
Posts: 56
Joined: Tue Dec 15, 2009 1:24 am

Re: using DNS to block entire domains for entire LAN

Postby jaybea » Tue Apr 02, 2013 7:55 am

I have been looking into this as well. I use a blocklist in Outpost Firewall on my Windows PCs, and generate the blocklist from Bluetack data. This is quite a labour-intensive option, as I have to update each machine individually, and it does not work with my Linux machines or for other devices (phones and tablets) accessing my network. Centralising all of this on the HDA would make things much easier and more secure.

There are ways of achieving the same using BIND to direct requests for sites on a blacklist to either localhost or to a local web page; this could be a page on the HDA web server. For example, have a look at the post here, which describes using BIND with a blacklist. Here is another example, using a different blocklist and a slightly different approach.

One problem on the HDA is that named.conf is generated by the HDA, and any user modifications would be overwritten. I have also seen a few comments that BIND is excessively complicated for most uses and that DJBDNS is much easier to understand and use. I wonder how easy it would be to move to DJBDNS on the HDA, either for individual HDAs or generally? It looks like recent versions of DJBDNS have built-in blocklist support with a flexible format for the file containing the IP addresses to be blocked.

jaybea
Posts: 56
Joined: Tue Dec 15, 2009 1:24 am

Re: using DNS to block entire domains for entire LAN

Postby jaybea » Tue Apr 02, 2013 1:46 pm

From reading the Wiki posting and from studying hdactl, it looks like an option could be added to load a blocklist by adding an additional if statement to hdactl to load a specific blocklist file, which users could provide. The code to add the include for named.conf.local is below; a similar line could add "/etc/blocked-malware.conf" if it exists:

Code:

    # hdactl (Perl): emit the include line only when the user-supplied file exists
    if (-e '/etc/blocked-malware.conf') {
        printf $hda "include \"/etc/blocked-malware.conf\";\n";
    }

A simple script, run daily, could download a new version of the blocklist (making changes to the format as required) and restart BIND. In addition to the changes to hdactl, you would need to add the zone file for the blocked zone, directing users to a blocked-message page created as a web app on the HDA.

I will see if I can get this up and running later in the week, and post the results if successful.

jaybea
Posts: 56
Joined: Tue Dec 15, 2009 1:24 am

Re: using DNS to block entire domains for entire LAN

Postby jaybea » Wed Apr 03, 2013 1:47 pm

I have mostly got a solution working that achieves the OP's desire to be able to block an individual domain; you can block as many sites as you want by adding additional lines to named.conf.local as detailed below. The only element that is not working fully is directing requests to a web app on my HDA which displays a message saying the site is not accessible.

Firstly, I created the file named.conf.local. This contains the details of the websites that I want to block access to and directs requests for them to the zone file which handles the redirection (testsite*.com could be facebook.com or badsite.net):

Code:

    // /etc/named.conf.local: one zone statement per blocked domain, all sharing one zone file.
    // Being authoritative for "testsite1.com" also answers for every name beneath it.
    zone "testsite1.com" { type master; file "/var/named/blockeddomain.hosts"; };
    zone "testsite2.com" { type master; file "/var/named/blockeddomain.hosts"; };

I then created the actual zone file (/var/named/blockeddomain.hosts) which redirects the requests to the page I set up on my HDA (replace "yourhda.com" with your HDA's name):

Code:

    ; /var/named/blockeddomain.hosts: shared by every blocked zone
    $TTL 604800
    @   IN SOA blocked.yourhda.com. blocked.yourhda.com. (
            1        ; Serial
            604800   ; Refresh
            86400    ; Retry
            2419200  ; Expire
            604800 ) ; Negative Cache TTL
    @   IN NS blocked.yourhda.com.
    @   IN A  192.xxx.xxx.50   ; the blocked domain itself (the wildcard below does not cover the apex)
    *   IN A  192.xxx.xxx.50   ; every name beneath it, e.g. ad1.testsite1.com

Finally, I created a new web app (blocked.yourhda.com) and created a simple index.html page with a message saying that access to the site is blocked.

Code:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
      <title>Untitled Document</title>
    </head>
    <body>
      Access to this website has been blocked by the Administrator because it is known to host harmful or dangerous software.
    </body>
    </html>



I had to manually edit my named.conf file to include named.conf.local. Although this line will be added by hdactl, I was not sure how to get it to run, and restarting named on its own was not sufficient to add it. Next time hdactl runs, this include line will be replaced by the automatically generated one.

Code:

    zone "xxx.xxx.192.in-addr.arpa" IN {
        type master;
        notify no;
        file "dynamic/hda-a2n.conf";
        allow-update { key ddnskey; };
        check-names ignore;
    };
    include "/etc/named.conf.local";   # << THIS IS THE INCLUDE LINE INSERTED
    # NOTE, you can create a file /etc/named.conf.local and it will be automatically included here!
    # WARNING - you better not break the format though!
    };

Finally, I restarted named (sudo service named restart). When I then tried to reach the addresses of the sites I had added, I was directed back to the login page of my HDA, rather than the error page I set up, which is a partial success.

Does anyone have any suggestions on how to solve the problem of directing requests to the blocked/ page I created on my HDA? Once I have that done, I can write up these instructions for the Wiki.
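The daily-update script sketched two posts up, and the named.conf.local plus shared zone file laid out in the post above, as one added example. This is not code from the thread or from the Amahi project. It assumes a hosts-style blocklist (the "0.0.0.0 hostname" format most published lists use; the sample here is constructed), jaybea's file path /var/named/blockeddomain.hosts, and the documentation address 192.0.2.50 as a stand-in for the HDA's LAN address. Beyond what the posts show, it adds the checks a cron job feeding named.conf needs: every name is validated before it is interpolated between double quotes (a stray quote or semicolon in a downloaded list must not become a named.conf syntax error or a second statement), names are de-duplicated, and children of a domain that is already blocked as a whole are dropped, since the parent zone already answers for them.

```python
#!/usr/bin/env python3
"""Generate BIND blackhole zones from a hosts-style blocklist (added example, not Amahi code)."""
import ipaddress
import re

# Constructed sample input in the common hosts-file blocklist format.
SAMPLE_BLOCKLIST = """\
# Sample list, constructed for this example
127.0.0.1 localhost
0.0.0.0 ad1.doubleclick.net
0.0.0.0 doubleclick.net www.doubleclick.net
0.0.0.0 Tracker.EXAMPLE.org.
0.0.0.0 sub.tracker.example.org
0.0.0.0 bad;domain.example   # must never be copied into named.conf
0.0.0.0 "quoted.example"
0.0.0.0 com                  # a bare TLD would blackhole the whole internet
"""

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "local"}


def valid_zone_name(name: str) -> bool:
    """Accept only letters, digits, '-' and '.', and at least two labels.

    The name is interpolated inside double quotes in named.conf, so this is
    the whole defence against a hostile or corrupt blocklist line; the
    two-label minimum also refuses bare TLDs and single names like localhost.
    """
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_blocklist(text: str) -> set:
    """Collect host names from hosts-style ("0.0.0.0 name ...") or bare-name lines."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        tokens = line.split()
        if _is_ip(tokens[0]):                         # hosts-file line: skip the address
            tokens = tokens[1:]
        for token in tokens:
            name = token.lower().rstrip(".")
            if name in LOCAL_NAMES or not valid_zone_name(name):
                continue                              # junk and local names are dropped
            names.add(name)
    return names


def collapse(names) -> list:
    """Drop names whose parent is already listed.

    A zone for doubleclick.net is authoritative for everything beneath it, so
    ad1.doubleclick.net needs no zone of its own.
    """
    kept = []
    for name in sorted(names, key=lambda n: (n.count("."), n)):  # parents first
        if not any(name.endswith("." + parent) for parent in kept):
            kept.append(name)
    return sorted(kept)


def named_conf_local(zones, zonefile="/var/named/blockeddomain.hosts") -> str:
    """One zone statement per blocked domain, all pointing at the shared zone file."""
    return "".join('zone "%s" { type master; file "%s"; };\n' % (z, zonefile) for z in zones)


def zone_file(block_ip: str, ns_name: str = "blocked.yourhda.com.", serial: int = 1) -> str:
    """The shared zone: both the apex and the wildcard resolve to the block page."""
    ipaddress.ip_address(block_ip)                    # fail loudly on a typo
    lines = [
        "$TTL 604800",
        f"@   IN SOA {ns_name} hostmaster.{ns_name} (",
        f"        {serial:<8} ; Serial",
        "        604800   ; Refresh",
        "        86400    ; Retry",
        "        2419200  ; Expire",
        "        604800 ) ; Negative cache TTL",
        f"@   IN NS {ns_name}",
        f"@   IN A  {block_ip}   ; the blocked domain itself",
        f"*   IN A  {block_ip}   ; and every name beneath it",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    zones = collapse(parse_blocklist(SAMPLE_BLOCKLIST))
    print(named_conf_local(zones))
    print(zone_file("192.0.2.50"))   # 192.0.2.50 stands in for the HDA's LAN address
```

In the daily job, write the two strings to /etc/named.conf.local and the zone file, then run `named-checkconf /etc/named.conf` and `named-checkzone <domain> /var/named/blockeddomain.hosts` before `service named restart`, so a bad download never takes the resolver down. On the login-page problem in the post above: the browser sends the blocked domain, not blocked.yourhda.com, in the HTTP Host header, so Apache's name-based virtual host for the block page never matches and the server's default virtual host (the HDA login) answers instead. The block page has to be the virtual host Apache falls back to, either by making it the first one defined or by giving it a `ServerAlias *`.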
