[kwlug-disc] DNS Black Hole server

B.S. bs27975.2 at gmail.com
Fri May 19 10:07:33 EDT 2017


On 05/19/2017 02:28 AM, Chamunks wrote:
> I mostly was just curious about the overlap, I've always wanted
> something to blackhole things from the IP blacklist
> https://www.iblocklist.com/

Peerguardian Linux has been doing this for quite some time. Works very
well, I run it on all systems.
https://sourceforge.net/projects/peerguardian/
Martians, bogons, bluetack list (equivalents), much more.

Even if a DNS query goes through, nothing will be talking to those IPs.

> I think a nice bonus round would be to potentially do something that
> uses DNS Crypt also with potentially a local server so that not only
> are your queries encrypted but are also stored locally rather than
> having to query someone else as often.  But maybe I am too tired at
> the moment and should not email about DNS blackholes while slipping
> into dreamland.

That's just having your own DNS server. Or using TOR. And presumes a
public DNS server willing to receive crypted queries.

On 05/19/2017 12:24 AM, Ronald Barnes wrote:
> Chamunks wrote on 2017-05-18 10:27 PM:
> 
>> https://pi-hole.net/
> 
> Yes, sounds very nice, but requires a Pi, and another tiny issue:
> does not reveal one's WAN-side IP.

No Pi required. Most any system.
https://discourse.pi-hole.net/t/hardware-software-requirements/273
Seems several repositories, even.

On 05/19/2017 12:23 AM, Ronald Barnes wrote:
> B.S. wrote on 2017-05-18 11:15 PM:
> 
>> Interesting.

I meant pi-hole.

> And, of course, works for all devices on the LAN if set as primary
> DNS on router; even guests with obscure devices would benefit without
> any configuration of those devices.

That's true for any iptables / dns based blacklisting.

I believe there are also multiple solutions for redirecting DNS queries to
one's preferred server. They're just port 53 destined packets, after all.

Lots of solutions out there for getting your WAN IP. Even mon will
trigger an alert at lack of connectivity or connectivity change.


On 05/19/2017 08:14 AM, Raymond Chen wrote:
> pi-hole looks awesome. I'll give it a shot on!
> 
> On Fri, May 19, 2017 at 2:28 AM, Chamunks <chamunks at gmail.com>
> wrote:
> 
>> I mostly was just curious about the overlap, I've always wanted
>> something to blackhole things from the IP blacklist
>> https://www.iblocklist.com/
>> 
>> I think a nice bonus round would be to potentially do something
>> that uses DNS Crypt also with potentially a local server so that
>> not only are your queries encrypted but are also stored locally
>> rather than having to query someone else as often.  But maybe I am
>> too tired at the moment and should not email about DNS blackholes
>> while slipping into dreamland.
>> 
>> On Fri, May 19, 2017 at 12:25 AM Ronald Barnes
>> <ron at ronaldbarnes.ca> wrote:
>> 
>>> Chamunks wrote on 2017-05-18 10:27 PM:
>>> 
>>>> https://pi-hole.net/
>>> 
>>> Yes, sounds very nice, but requires a Pi, and another tiny issue:
>>> does not reveal one's WAN-side IP.
>>> 
>>> 
>>> 
>>> Also doesn't help me learn Python nor DNS query header
>>> internals.
>>> 
>>> But if I had a Pi, I'd certainly look at pi-hole.
>>> 
>>> 
>>> Cheers,
>>> 
>>> rb
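
The thread mentions Python and DNS query header internals alongside DNS black holes. The sketch below is an added example, not code from the thread or from pi-hole: it parses the 12-byte header and question of a query and builds a sinkhole reply for blocked names. The function names and blocklist entries are hypothetical, and the class is assumed to be IN.

```python
import struct

BLOCKLIST = {"ads.example.com", "tracker.example.net"}  # constructed sample entries

def parse_query(packet):
    """Return (txid, flags, qname, qtype, question_end) for a one-question query."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    if flags & 0x8000 or qdcount != 1:  # QR bit set means it is a response
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:  # root label ends the name
            break
        if length > 63 or pos + length > len(packet):  # no compression pointers here
            raise ValueError("bad label")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("missing QTYPE/QCLASS")
    qtype, _qclass = struct.unpack("!2H", packet[pos:pos + 4])
    return txid, flags, ".".join(labels), qtype, pos + 4

def is_blocked(qname):
    """Match the name itself or any parent domain against the blocklist."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))

def blackhole_response(packet):
    """Return sinkhole reply bytes for a blocked name, or None to forward upstream."""
    txid, flags, qname, qtype, end = parse_query(packet)
    if not is_blocked(qname):
        return None
    rflags = 0x8000 | (flags & 0x0100) | 0x0080  # QR=1, echo RD, RA=1, RCODE=0
    rdata = {1: bytes(4), 28: bytes(16)}.get(qtype, b"")  # A -> 0.0.0.0, AAAA -> ::
    header = struct.pack("!6H", txid, rflags, 1, 1 if rdata else 0, 0, 0)
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = struct.pack("!HHHIH", 0xC00C, qtype, 1, 300, len(rdata)) + rdata if rdata else b""
    return header + packet[12:end] + answer

def build_query(name, qtype=1, txid=0x1234):
    """Build a query packet for the demo (constructed input, not captured traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)
```

A `None` result means the query is not on the blocklist and would be passed to the upstream resolver; types other than A and AAAA get an empty NOERROR answer.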



