Threat shield: DNS blacklist

We are happy to announce that Threat shield :shield: has been empowered with DNS blacklist :no_entry: .

Thanks to @giacomo and @edoardo_spadoni for the great work :+1:

DNS blacklist

Threat shield already protects your NethServer by blocking all connections from/towards malicious IP addresses… From now on you can add an extra layer of protection by blocking DNS requests to malicious domains.

DNS blacklist is implemented as a DNS sinkhole and uses Pi-Hole FTLDNS under the hood. All DNS requests are redirected to the DNS sinkhole which, for a malicious domain, returns 0.0.0.0 instead of the real IP address associated with the domain.

The Threat shield Cockpit application has been refactored to include the new feature. The old Settings page is now called IP blacklist, and a new DNS blacklist page has been added to the menu:

For the sake of simplicity, the new DNS blacklist page looks a lot like the IP blacklist page:

You have UI controls to:

  • Enable the blacklist
  • Set the GIT URL where blacklisted domains and blacklist categories will be downloaded from (more info below)
  • Set the network zones where DNS blacklist is enabled
  • Allow certain hosts or CIDR subnets to bypass the DNS proxy

At the bottom of the page you can choose which categories of domains should be blocked. The list of categories is retrieved from the GIT repository set in Download URL.

Dashboard

The Dashboard page now provides an overview of the current status of the IP and DNS blacklists and displays graphical information about blocked attacks. DNS blacklist statistics provide:

  • Today’s total number of threats blocked
  • Today’s total number of DNS requests
  • Today’s threats percentage
  • Top 10 clients performing most DNS requests
  • Top 10 blocked domains
  • Top 10 requested domains

Analysis

The Analysis page has been redesigned to let you analyze both IP and DNS blacklist activity, providing:

  • prettified logs about blocked IP connections or DNS requests
  • a tool to check if a domain or an IP address is currently blocked by IP or DNS blacklist

Logs

You can access the DNS blacklist raw logs by opening the Logs page and selecting /var/log/pihole-FTL.log

DNS blacklist repository

The set of malicious domains is retrieved from a GIT repository. This repository is organized in one or more .dns files, and each of them represents a blacklist category.
A category file includes:

  • a list of malicious domains (one per line)
  • meta-data about the blacklist category, such as the name of the maintainer, the type of domains listed (e.g. ads, malware, …) and the level of confidence (an estimate of the false-positive frequency)
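To make the mechanism concrete, here is a toy version of the sinkhole decision described above (a listed domain answers 0.0.0.0, a client in the bypass list skips the proxy) working on a category file. This is added illustration code, not the Pi-Hole FTLDNS or nethserver-blacklist implementation; the header-comment layout of the sample .dns file, the upstream stub and the subdomain matching are assumptions of this example.

```python
import ipaddress

SINKHOLE_IP = "0.0.0.0"  # answer for a listed domain, as stated in the announcement

# Constructed sample category file; the header-comment layout is an assumption.
MALWARE_DNS = """\
# Maintainer: example-maintainer
# Type: malware
# Confidence: high
evil-example.test
tracker.example.invalid
"""

def parse_category(text):
    """Split a .dns category file into its meta-data and its set of domains."""
    meta, domains = {}, set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            meta[key.strip().lower()] = value.strip()
        else:
            domains.add(line.lower().rstrip("."))
    return meta, domains

def is_blocked(qname, domains):
    """True if the name or any parent domain is listed (subdomain matching is
    a choice of this toy, not a claim about how FTLDNS matches)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def bypasses(client_ip, bypass_list):
    """True if the client host or CIDR subnet is allowed to skip the DNS proxy."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in bypass_list)

def resolve(qname, client_ip, domains, bypass_list, upstream):
    """Answer as the sinkhole would: 0.0.0.0 for a listed domain unless the
    client bypasses the proxy; otherwise whatever the upstream resolver says."""
    if not bypasses(client_ip, bypass_list) and is_blocked(qname, domains):
        return SINKHOLE_IP
    return upstream(qname)

if __name__ == "__main__":
    meta, domains = parse_category(MALWARE_DNS)
    # Constructed upstream answer (documentation address), not a real lookup.
    print(meta, resolve("www.evil-example.test", "10.0.0.5", domains, [], lambda n: "203.0.113.7"))
```

The same functions double as the "is this domain currently blocked?" check that the Analysis page offers: call is_blocked with the merged domain sets of the enabled categories.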

NethServer Community users can use (and possibly maintain :heart: ) this URL: https://github.com/NethServer/dns-community-blacklist.

NethServer Enterprise users have access to highly reliable professional-grade DNS blacklists provided by Yoroi.

How to install

Threat shield with DNS blacklist feature is available in nethserver-testing repository:

yum install --enablerepo=nethserver-testing nethserver-blacklist

Try it and let us know what you think about it, any feedback is welcome!

The package has been released!

Anybody wants to give it a try @elleni @pike @pagaille @Carnyx @mrmarkuz @sharpec @capote? :slight_smile:

After a crash on production, I’ve retired the package to further inspect the problem.

The package is still available on testing and feedback is more than welcome!

I tested on my Neth home gateway, it’s running since yesterday and it’s working as expected so far.

Released with some more fixes!

hi @giacomo, is it safe to install it on a nethserver enterprise?
should it break something with YOROI Threat Shield?

I would like to test it…

Really nice work, folks. Thank you.

Yes, it’s available since today :slight_smile:

Of course not, it’s the same package! :wink: You can then select the blacklist source between YOROI (if you have the subscription for it) or the community blacklist.

I get lots of internal IP addresses in the Threat shield log. Is Threat shield really only monitoring external traffic?

What is the sequence of the several plugins like IPS, Threat shield and fail2ban? If IPS filters something, does it still get to fail2ban and Threat Shield? Which comes first?

It inspects all traffic. Search for blacklist inside iptables -nvL to see the positioning.
You see internal IPs inside the log as destination or source of the blocked packets. But the trigger for the block is the public IP inside the blacklist, not the internal one.

→ Threat shield (iptables) → IPS (suricata) → fail2ban (logs)

Thanks for the explanation.

My configuration is

Internet <-> (public ip) provider Router (NAT into the transfer net IP 192.168.xx.1) <-> (192.168.xx.2) Nethserver (192.168.yy.2) <-> internal LAN (192.168.yy.0/24)

Is there a problem that for Nethserver the “internet” begins at the internal transfer net 192.168.xx.1 and Threat shield detects “forbidden” traffic from the unroutable net 192.168.xx.0 and creates log entries for that?

I updated the list in my own repo. More info here: Modified dns-community-blacklist to add more dns blacklist of several types

How do I whitelist an address? Since my domain Registrar is blocked by this list.

There is no such function. If a domain is inside a list, you need to modify the list to remove it.

Too bad, it would have been a useful function. And without it it is impossible to use these lists

Therefore

DNS blacklist is implemented as a DNS sinkhole and uses Pi-Hole FTLDNS

…
it makes more sense for me to use the original within a dedicated PiHole-Server within my LAN