Denis Machard

My technical gists

Infrastructure background, developer mindset. I build things for pleasure.
    @github @mastodon @rss

    Temporarily block domains with DNS notify with DNSdist

    A DNSdist configuration example to block or unblock domains temporarily and in a dynamic way with DNS notify. This example is volatible, a restart of the dnsdist will erase the blocklist. If you want to keep the blocklist even after restart, you can refer to the post blackhole/spoofing domains with external files

    DNSdist configuration

    In the following example, DNSdist will forward all incoming queries to 1.1.1.1 by default. Before that, an action is defined to check if the domain must be refused or not.

    The full dnsdist.conf example:

    The latest version of the configuration can be downloaded from github.

    -- basic config with one backend for test purpose only
    setLocal("0.0.0.0:53", {})
    newServer({address = "1.1.1.1:53", pool="default"})
    
    -- Creates a new SuffixMatchNode: https://dnsdist.org/reference/config.html?highlight=newsuffixmatchnode
    local blackholeDomains = newSuffixMatchNode()
    
    -- function to add or remove domain from the suffixMatchNode
    local function onRegisterDomain(dq)
        if blackholeDomains:check(dq.qname) then
            infolog("removing domain: " ..  dq.qname:toString() .. " from blacklist")
            blackholeDomains:remove(dq.qname)
        else
            infolog("blacklisting domain: " ..  dq.qname:toString())
            blackholeDomains:add(dq.qname)
        end
        return DNSAction.Spoof, "success"
    end
    
    -- Check if the given qname is a sub-domain of one of those in the set
    local function onBlacklistDomain(dq)
        if blackholeDomains:check(dq.qname) then
            return DNSAction.Refused
        else
            return DNSAction.None, ""      -- no action
        end
    end
    
    -- register domain to block or unblock from the DNS notify
    addAction(OpcodeRule(DNSOpcode.Notify), LuaAction(onRegisterDomain))
    
    -- Refused all domains blacklisted
    addAction(AllRule(), LuaAction(onBlacklistDomain))
    
    -- default rule
    addAction( AllRule(), PoolAction("default"))
    

    How to block/unblock a domain

    To add a domain in the blacklist, you must send a DNS notify to the domain (or a part of) to block.

    To block the domain fbcdn.net and all subdomains, use the dig command to send a DNS notify. You can also display the DNSdist logs to see log messages.

    $ dig @127.0.0.1 +opcode=notify +tcp fbcdn.net +short
    success.
    
    $ sudo docker logs dnsdist
    blacklisting domain: fbcdn.net.
    

    To unblock the domain, send again the same DNS notify.

    $ dig @127.0.0.1 +opcode=notify +tcp fbcdn.net +short
    success.
    
    $ sudo docker logs dnsdist
    removing domain: fbcdn.net.
    

    Testing: make some DNS resolutions

    Use the dig command on the domain static.xx.fbcdn.net The status of the response is REFUSED because of the blacklist.

    $ dig @127.0.0.1 static.xx.fbcdn.net
    
    ; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> @127.0.0.1 static.xx.fbcdn.net
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 51928
    ;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;static.xx.fbcdn.net.           IN      A
    
    ;; Query time: 4 msec
    ;; SERVER: 127.0.0.1#5553(127.0.0.1) (TCP)
    ;; WHEN: Sat Aug 12 21:43:41 CEST 2023
    ;; MSG SIZE  rcvd: 48
    

    Remove the domain fbcdn.net from the blocklist

    $ dig @127.0.0.1 +opcode=notify +tcp fbcdn.net +short
    success.
    
    $ sudo docker logs dnsdist
    removing domain: fbcdn.net. from blacklist
    

    Try again to make the DNS resolution, this time the query is no more refused.

    $ dig @127.0.0.1 static.xx.fbcdn.net +short
    scontent.xx.fbcdn.net.
    163.70.128.23
    
    propulsed by hugo and hugo-theme-gists