Threat shield: DNS blacklist

We are happy to announce that Threat shield :shield: has been empowered with DNS blacklist :no_entry: .

Thanks to @giacomo and @edoardo_spadoni for the great work :+1:

DNS blacklist

Threat shield already protects your NethServer by blocking all connections from/towards malicious IP addresses… From now on you can add and extra layer of protection by blocking DNS requests to malicious domains.

DNS blacklist is implemented as a DNS sinkhole and uses Pi-Hole FTLDNS under the hood. All DNS requests are redirected to the DNS sinkhole that, in case of malicious domain, returns 0.0.0.0 instead of the real IP address associated to the domain.

Threat shield Cockpit application has been refactored to include the new feature. The old Settings page is now called IP blacklist, and a new page DNS blacklist has been added to the menu:

For the sake of simplicity, the new DNS blacklist page looks a lot like IP blacklist page:

You have UI controls to:

  • Enable the blacklist
  • Set the GIT URL where blacklisted domains and blacklist categories will be downloaded from (more info below)
  • Set the network zones where DNS blacklist is enabled
  • Allow certain hosts or CIDR subnets to bypass DNS proxy

At the bottom of the page you can choose which categories of domains should be blocked. The list of categories is retrieved by the GIT repository set in Download URL.

Dashboard

Dashboard page now provides an overview on current status of IP and DNS blacklists and displays graphical information about blocked attacks. DNS blacklist statistics provides:

  • Today’s total number of threats blocked
  • Today’s total number of DNS requests
  • Today’s threats percentage
  • Top 10 clients performing most DNS requests
  • Top 10 blocked domains
  • Top 10 requested domains

Analysis

Analysis page has been redesigned to allow you to analyze both IP and DNS blacklist activity, providing:

  • prettified logs about blocked IP connections or DNS requests
  • a tool to check if a domain or an IP address is currently blocked by IP or DNS blacklist

Logs

You can access DNS blacklist raw logs accessing Logs page and selecting /var/log/pihole-FTL.log

DNS blacklist repository

The set of malicious domains is retrieved from a GIT repository. This repository is organized in one or more .dns files, and each of them represents a blacklist category.
A category file includes:

  • a list of malicious domains (one per line)
  • meta-data about the blacklist category, such as the name of the maintainer, the type of domains listed (e.g. ads, malware, …) and the level of confidence (an estimate of false-positives frequency)

NethServer Community users can use (and possibly maintain :heart: ) this URL: https://github.com/NethServer/dns-community-blacklist.

NethServer Enterprise users have access to highly reliable professional-grade DNS blacklists provided by Yoroi.

How to install

Threat shield with DNS blacklist feature is available in nethserver-testing repository:

yum install --enablerepo=nethserver-testing nethserver-blacklist

Try it and let us know what you think about it, any feedback is welcome!

10 Likes

The package has been released!

Anybody wants to give it a try @elleni @pike @pagaille @Carnyx @mrmarkuz @sharpec @capote? :slight_smile:

4 Likes

After a crash on production, I’ve retired the package to further inspect the problem.

The package is still available on testing and feedback is more than welcome!

1 Like

I tested on my Neth home gateway, it’s running since yesterday and it’s working as expected so far.

2 Likes

Released with some more fixes!

2 Likes

hi @giacomo, is it safe to install it on a nethserver enterprise?
should it break something with YOROI Threat Shield?

I woould like to test it…

1 Like

Really nice work, folks. Thank you.

1 Like

Yes, it’s available since today :slight_smile:

Of course not, it’s the same package! :wink: You can than select the blacklist source between YOROI (if you have the subscription for it) or the community blacklist.

I get lots if internal IP adresses in the threadshield log. Is Thread shield really only monitoring external traffic?

What is the sequence of the several plugins like IPS, Thread shield and fail2ban? If IPS filters something does it still get to fail2ban and Threat Shield? Which comes first?

It inspect all traffic. Search for blacklist inside iptables -nvL to see the positioning.
You see internal IPs inside the log as destination or source of the blocked packaged. But the trigger for the block is the the public IP inside the blacklist, not the internal one.

-> Threat shield (iptables) -> IPS (suricata) -> fail2ban (logs)

1 Like

Thanks for the explanation.

My configuration is

Internet <-> (public ip) provider Router (NAT into to transfer net IP 192.168.xx.1)<-> (192.168.xx.2) Nethserver (192.168.yy.2) <-> internal LAN (192.168.yy.0/24)

Is there a problem that for Nethserver the “internet” begins at the internal transfer net 192.168.xx.1 and thread shields detect “forbidden” traffic from unroutable net 192.168.xx.0 and creates log entries for that?

I updated the list in my own repo. More info here: Modified dns-community-blacklist to add more dns blacklist of several types

1 Like

How do I whitelist an address? Since my domain Registrar is blocked by this list.

There is no such function. If a domain is inside a list, you need to modify the list to remove it.

Too bad, it would have been a useful function. And without it it is impossible to use these lists

1 Like