So DNS black-holing is not new, obviously, and what stands out as the go-to solution? Pi-hole, probably… and yeah, that's what I'm using because, hey, it's a popular choice. Though I am running it in Docker. Combining that with Unbound (also in Docker), and configuring outbound DNS to use DNS over TLS, with a few additional minor tweaks, but otherwise mostly standard configuration on both.

Wondering what you guys might be using, and, if you are using Pi-hole and/or Unbound, whether you have any tips on configuration.

Happy to share my config if there is interest.

  • Album@lemmy.ca · 3 upvotes · 9 hours ago

    I have an N100 box that I put OPNsense on for routing, firewall, DHCP, DNS and IDS. It uses Unbound for DNS, so I'm leveraging the blocklist functionality in Unbound. And then I use Unbound to resolve instead of using DoT forwarding.

    DNSBL is only a small component of effective network security. Arguably the firewall is most important, and so I have a default deny-all for any device on my LAN trying to reach the Internet.

    All applications need specific allows. Thus, internally, no device can use DNS over TLS, because 853 is blocked by default. Then I use a DNSBL to catch known DoH by domain, since the cert is provided by domain name.
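Pi-hole blocklists are usually distributed in hosts-file format (`0.0.0.0 ads.example`), while plain Unbound expresses a block as a `local-zone` statement, which is what sits behind the blocklist capability mentioned above. The following is an added example, not code from either poster or from the Pi-hole or Unbound projects: it converts such a list into an Unbound include file. It assumes a stock Unbound that reads the generated file through an `include:` line in unbound.conf; the blocklist lines below are constructed for the example.

```python
"""Convert Pi-hole-style blocklists into Unbound local-zone statements.

Added example, not from the thread. Assumes plain Unbound reading the output
via `include:`; the sample blocklist below is constructed.
"""
from __future__ import annotations

import re
from ipaddress import ip_address
from typing import Iterable

# RFC 1123-style label: 1-63 chars of [a-z0-9-], no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Names that appear in hosts files but are not blocks.
_LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "local", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}

# Constructed sample: hosts format, bare domains, comments, junk, mixed case.
SAMPLE_BLOCKLIST = [
    "# constructed blocklist for the example",
    "127.0.0.1 localhost",
    "0.0.0.0 ads.example",
    "0.0.0.0 tracker.ads.example",       # covered by ads.example, will be pruned
    "0.0.0.0 metrics.example # trailing comment",
    "bad_host.example",                   # underscore: not a valid hostname label
    "Telemetry.Example.",                 # bare domain, mixed case, trailing dot
]


def is_hostname(name: str) -> bool:
    """Reject addresses, single labels (TLDs, 'localhost') and malformed labels."""
    try:
        ip_address(name)
        return False  # a bare address such as 0.0.0.0, not a name to block
    except ValueError:
        pass
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(_LABEL.match(l) for l in labels)


def parse_domains(lines: Iterable[str]) -> set[str]:
    """Extract blockable domains from hosts-format or bare-domain lines."""
    out: set[str] = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip_address(fields[0])
            names = fields[1:]          # hosts format: address first, then names
        except ValueError:
            names = fields              # bare domain list
        for name in names:
            name = name.lower().rstrip(".")
            if name in _LOCAL_NAMES or not is_hostname(name):
                continue
            out.add(name)
    return out


def prune_covered(domains: set[str]) -> list[str]:
    """Drop names whose parent is already blocked: a local-zone covers all subdomains."""
    kept = []
    for d in sorted(domains):
        labels = d.split(".")
        # every proper parent that is itself at least two labels long
        parents = {".".join(labels[i:]) for i in range(1, len(labels) - 1)}
        if not parents & domains:
            kept.append(d)
    return kept


def to_local_zones(domains: list[str], action: str = "always_nxdomain") -> list[str]:
    """Render Unbound local-zone lines. always_nxdomain answers NXDOMAIN for the
    name and everything below it; always_null answers 0.0.0.0/:: like Pi-hole."""
    return [f'local-zone: "{d}." {action}' for d in domains]


def build_blocklist(lines: Iterable[str], action: str = "always_nxdomain") -> list[str]:
    """Full pipeline: parse, prune, render."""
    return to_local_zones(prune_covered(parse_domains(lines)), action)


if __name__ == "__main__":
    print("\n".join(build_blocklist(SAMPLE_BLOCKLIST)))
```

Because a `local-zone` applies to the name and everything below it, the conversion drops entries already covered by a blocked parent, which keeps the generated file small. Run `unbound-checkconf` on the result before `unbound-control reload`; one malformed line stops Unbound from loading the whole configuration.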

    • relic4322@lemmy.ml (OP) · 1 upvote · 9 hours ago

      “DNSBL is only a small component of effective network security. Arguably the firewall is most important and so I have a default deny all for any device on my LAN trying to reach the Internet.” 100%. I decided to break up my posts into sub-components of the total stack, but to your point, currently I'm enforcing a deny-all inbound and outbound at the host level, as the network is shared with the fam and they are not ready for that level of learning (pain, lol).

      I just learned about Unbound; I didn't realize it had a blocklist capability, so that's great to know. Gotta dig into it.

      I like that last bit, blocking DoT except for the one approved path. Much like TLS 1.3, it offers insider-threat protection against inspection. So with that in mind, when you said you are using Unbound instead of using DoT forwarding, you mean instead of allowing clients to DoT forward, right? That's what I am doing now as well, though I am not actively blocking it yet. Currently I'm just enabling it and testing feasibility on a single host to see the performance and operational impacts of privacy/security implementations.

      Curious about your IDS solution. I gotta dig into OPNsense; I know about it, it's been around a long time, but I haven't touched it in so long I can't remember its capabilities.

      • Album@lemmy.ca · 1 upvote · edited · 4 minutes ago

        WRT LAN deny-all for the fam, it's mostly hard on gamers, because games tend to use wide port ranges and outbound IPs are potentially home ISP networks, not the game servers. But yeah, it takes some time and research to really lock it down.

        Most stuff is running through web protocols, though. So right off the bat you create allow rules for any LAN device to hit ports 80, 8080, 443 and 8443, which are your common HTTP and HTTPS ports. That's gonna get most people what they need.

        I do ASN-based allows for certain applications like Google, Facebook, etc.

        Consoles are pretty locked down, so just give them a full allow to the Internet. I don't do that actually, but it's probably the better way.

        IoT devices get only the ports they need to the IPs they need.

        “When you said you are using Unbound instead of using DoT forwarding, you mean instead of allowing clients to DoT forward, right?”

        No, I mean my Unbound resolves DNS for something like microsoft.com all by itself. It calls up the root name servers, finds the .com name servers, then asks the .com name servers for Microsoft. And for any subdomains it asks the MS name servers. This is instead of relying on external forwarding services like 8.8.8.8 or 1.1.1.1 or Quad9 or whatever. At least the former two are sure to be aggregating this data.

        Additionally, I do not allow devices on my network to reach out to external port 53 or 853 to circumvent lookups on my Unbound by reaching out directly, which would then bypass the DNSBL. Anything for port 53 gets NAT'd to the Unbound server. You can't redirect TLS attempts, so those get hard-blocked.

        “Curious about your IDS solution.”

        Suricata is what OPNsense uses. Pretty easy to set up.
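Before hard-blocking 853 and redirecting port 53 to the local resolver, as described in the comment above, it helps to know which LAN clients will be affected. The following is an added example, not code from either poster or from OPNsense: it reads firewall log lines in the iptables/nftables LOG-target format (space-separated KEY=value tokens) and counts, per client, attempts to reach external resolvers directly. The log lines, the resolver address 192.168.1.1, the 192.168.1.0/24 LAN and the short list of public resolver IPs are constructed or assumed for the example; OPNsense's own filter log uses a different format and would need its own parser.

```python
"""Which LAN clients try to bypass the local resolver?

Added example, not from the thread. Parses kernel log lines in the iptables /
nftables LOG-target format (space-separated KEY=value tokens). All addresses
and log lines below are constructed for the example.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")        # assumed LAN
LOCAL_RESOLVERS = {"192.168.1.1"}         # assumed Unbound / Pi-hole address
# Public resolvers that also answer DoH on tcp/443. Operator-maintained and
# incomplete by nature; domain-based blocking in the DNSBL is the real catch.
DOH_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

_KV = re.compile(r"\b([A-Z]+)=(\S+)")

# Constructed log lines in LOG-target format (203.0.113.10 is TEST-NET-3).
SAMPLE_LOG = [
    "Mar 10 12:00:01 gw kernel: LANOUT IN=br-lan OUT=wan SRC=192.168.1.23 DST=1.1.1.1 LEN=60 TTL=63 PROTO=TCP SPT=51234 DPT=853 SYN",
    "Mar 10 12:00:02 gw kernel: LANOUT IN=br-lan OUT=wan SRC=192.168.1.23 DST=8.8.8.8 LEN=73 TTL=63 PROTO=UDP SPT=40000 DPT=53 LEN=53",
    "Mar 10 12:00:03 gw kernel: LANOUT IN=br-lan OUT=wan SRC=192.168.1.50 DST=8.8.8.8 LEN=60 TTL=63 PROTO=TCP SPT=51235 DPT=443 SYN",
    "Mar 10 12:00:04 gw kernel: LANOUT IN=br-lan OUT=wan SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=51236 DPT=443 SYN",
    "Mar 10 12:00:05 gw kernel: LANOUT IN=br-lan OUT=wan SRC=192.168.1.77 DST=192.168.1.1 LEN=73 TTL=64 PROTO=UDP SPT=40001 DPT=53 LEN=53",
    "Mar 10 12:00:06 gw kernel: LANOUT IN=br-lan OUT=wan SRC=192.168.1.77 DST=8.8.8.8 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0",
]


def parse_log_line(line: str) -> dict[str, str] | None:
    """Return the KEY=value fields of a LOG-target line, or None for other lines."""
    fields = dict(_KV.findall(line))
    if not {"SRC", "DST", "PROTO"}.issubset(fields):
        return None
    return fields


def classify(fields: dict[str, str]) -> str | None:
    """Name the bypass category of one logged packet, or None if it is not one."""
    try:
        src, dst = ip_address(fields["SRC"]), ip_address(fields["DST"])
    except ValueError:
        return None
    dpt = fields.get("DPT")                # absent for ICMP
    if dpt is None or src not in LAN or dst in LAN:
        return None                        # not LAN-to-Internet, or no port
    if dpt == "853":
        return "dot_or_doq"                # DoT (TCP) / DoQ (UDP): cannot be redirected, only blocked
    if dpt == "53" and str(dst) not in LOCAL_RESOLVERS:
        return "plain_dns_bypass"          # what the port-53 NAT redirect silently catches
    if dpt == "443" and str(dst) in DOH_RESOLVER_IPS:
        return "possible_doh"              # TLS to a known public resolver; may also be its website
    return None


def bypass_report(lines) -> dict[str, dict[str, int]]:
    """Per-client counts of bypass attempts, keyed by source IP."""
    report: dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        fields = parse_log_line(line)
        if fields is None:
            continue
        category = classify(fields)
        if category:
            report[fields["SRC"]][category] += 1
    return {src: dict(counts) for src, counts in report.items()}


if __name__ == "__main__":
    for src, counts in sorted(bypass_report(SAMPLE_LOG).items()):
        print(src, counts)
```

Plain port 53 to an external address is harmless once the NAT redirect is in place, but it reveals a hardcoded resolver worth fixing on the client; 853 is DoT over TCP or DoQ over UDP and is what the hard block catches. The DoH check here matches only the IPs of a few public resolvers, which is incomplete by design: catching DoH by domain in the DNSBL, as the comment describes, is the more reliable approach, since a DoH client typically has to resolve its resolver's hostname first.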