Denis Machard

My technical gists

Infrastructure architect by profession, but he has always considered himself a developer and an open source enthusiast.

Temporarily block domains with DNS notify with DNSdist

A DNSdist configuration example to block or unblock domains temporarily and dynamically using DNS NOTIFY messages. This example is volatile: restarting dnsdist erases the blocklist. If you want the blocklist to survive a restart, refer to the post blackhole/spoofing domains with external files.

DNSdist configuration

In the following example, DNSdist forwards all incoming queries to 1.1.1.1 by default. Before that, an action is defined that checks whether the queried domain must be refused.

The full dnsdist.conf example (the latest version of the configuration can be downloaded from github):

-- basic config with one backend, for test purposes only
setLocal("0.0.0.0:53", {})
newServer({address = "1.1.1.1:53", pool="default"})

-- Creates a new SuffixMatchNode: https://dnsdist.org/reference/config.html?highlight=newsuffixmatchnode
local blackholeDomains = newSuffixMatchNode()

-- function to add or remove a domain from the suffixMatchNode,
-- called for every DNS NOTIFY received (same name twice = toggle)
local function onRegisterDomain(dq)
    if blackholeDomains:check(dq.qname) then
        infolog("removing domain: " .. dq.qname:toString() .. " from blacklist")
        blackholeDomains:remove(dq.qname)
    else
        infolog("blacklisting domain: " .. dq.qname:toString())
        blackholeDomains:add(dq.qname)
    end
    -- answer the NOTIFY with a spoofed CNAME "success." so the sender gets a visible acknowledgement
    return DNSAction.Spoof, "success"
end

-- Check if the given qname is a sub-domain of one of those in the set
local function onBlacklistDomain(dq)
    if blackholeDomains:check(dq.qname) then
        return DNSAction.Refused, ""
    else
        return DNSAction.None, ""      -- no action, continue with the next rule
    end
end

-- register the domain to block or unblock from the DNS NOTIFY
addAction(OpcodeRule(DNSOpcode.Notify), LuaAction(onRegisterDomain))

-- Refuse all blacklisted domains
addAction(AllRule(), LuaAction(onBlacklistDomain))

-- default rule
addAction(AllRule(), PoolAction("default"))
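As written, any client that can reach the listener can toggle the blocklist with a NOTIFY. The following fragment is an added example, not part of the original gist: it replaces the NOTIFY rule above so that only sources in a trusted netmask group (the subnets below are placeholders) reach onRegisterDomain, and NOTIFYs from anywhere else are answered REFUSED.

```lua
-- Added example: restrict block/unblock NOTIFYs to a management network.
-- The netmasks are assumed values; adjust them to your environment.
local notifyAllowed = newNMG()
notifyAllowed:addMask("127.0.0.1/32")    -- local administration
notifyAllowed:addMask("192.0.2.0/24")    -- assumed management subnet

-- NOTIFY from an untrusted source: refuse it before it reaches onRegisterDomain
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(NetmaskGroupRule(notifyAllowed))}),
          RCodeAction(DNSRCode.REFUSED))

-- NOTIFY from a trusted source: toggle the domain exactly as in the gist
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NetmaskGroupRule(notifyAllowed)}),
          LuaAction(onRegisterDomain))
```

Because actions are evaluated in order, these two rules must be declared before the AllRule() rules so that a rejected NOTIFY never reaches the blacklist check or the default pool.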

How to block/unblock a domain

To add a domain to the blacklist, you must send a DNS NOTIFY for the domain (or a parent domain) to block.

To block the domain fbcdn.net and all its subdomains, use the dig command to send a DNS NOTIFY. You can also display the DNSdist logs to see the log messages.

$ dig @127.0.0.1 +opcode=notify +tcp fbcdn.net +short
success.

$ sudo docker logs dnsdist
blacklisting domain: fbcdn.net.

To unblock the domain, send the same DNS NOTIFY again.

$ dig @127.0.0.1 +opcode=notify +tcp fbcdn.net +short
success.

$ sudo docker logs dnsdist
removing domain: fbcdn.net.

Testing: make some DNS resolutions

Use the dig command on the domain static.xx.fbcdn.net. The response status is REFUSED because of the blacklist.

$ dig @127.0.0.1 static.xx.fbcdn.net

; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> @127.0.0.1 static.xx.fbcdn.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 51928
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;static.xx.fbcdn.net.           IN      A

;; Query time: 4 msec
;; SERVER: 127.0.0.1#5553(127.0.0.1) (TCP)
;; WHEN: Sat Aug 12 21:43:41 CEST 2023
;; MSG SIZE  rcvd: 48

Remove the domain fbcdn.net from the blocklist:

$ dig @127.0.0.1 +opcode=notify +tcp fbcdn.net +short
success.

$ sudo docker logs dnsdist
removing domain: fbcdn.net. from blacklist

Try the DNS resolution again; this time the query is no longer refused.

$ dig @127.0.0.1 static.xx.fbcdn.net +short
scontent.xx.fbcdn.net.
163.70.128.23