
Safe DNS Project

Discussion in 'Networking & Security' started by Solaris17, May 31, 2017.

  1. Solaris17

    Hey everyone! I am running a usability experiment to see how naive it might be to provide everyday users the ability to browse the internet in a safer manner.

    To accomplish this I am running a public DNS server that is running Pi-Hole with extended definitions.

    This experiment ties in directly with the guide I'm currently writing here:

    https://www.techpowerup.com/forums/threads/guide-global-network-dns-blacklisting-pi-hole.233545/

    To do this, I am hosting a small virtual server on Digital Ocean. I am using my own funds to give it a shot.

    The Pi-Hole software is free and currently we are here with functionality.


    I run some extra definition lists on the Pi, which caches and remembers its DNS requests. Whenever the Pi doesn't know something, I take this a step further and the forward addresses point to OpenDNS family-safe servers, which, according to OpenDNS, block the following:

    The goal of this is simple.

    • Can I or another organization or entity use free products to provide a safer internet to users without charging them a ludicrous amount of money?
    • How effective is it?
    • Can it be done at a low or no cost?
    To answer these questions I would like to invite feedback on the project if you decide to join. I am looking for the following.

    • Response time ok
    • false positives
    • does this inhibit your browsing habits within reason?
    Here are some examples of what this blocks.

    • Telemetry
    • malware domains
    • ad domains
    • pornographic and other non-PG domains
    DNS in itself isn't a perfect system, but I would REALLY like to understand how feasible a project like this could be. If you would like to join, the DNS server IP in question is this.

    45.55.35.57

    (I currently only route IPv4)
    I DO NOT keep any private or identifying information.
     
    Last edited: Jun 1, 2017
  2. Kursah

    I'll have to check it out. Thanks for taking the effort to do this. DNS hosting can get complex and I'm curious to see how well your VM holds up. I think forwarding non-authoritative queries to OpenDNS is also a solid move...that's what I've been using as my home site's DNS for years now.

    Solaris DNS Security Services. Kinda has a good ring to it. :toast:
     
  3. Solaris17

    Thanks! It's definitely going to be a technical challenge for certain. I stand to learn a lot myself, I think, from this exercise.
     
  4. Kursah

    I look forward to reading up on your results as well, hopefully this'll be a good lesson in experience and practice. And who knows, you could be the next authoritative DNS filtering service out there if you really get into it. :)
     
  5. Halo3Addict

    Pi-Hole claims to block ads in phone apps as well :eek:
    Hmm.. but I do like porn
    How can anyone make these kinds of decisions with confidence?

    I took a look at your other thread, is it finished? It seems to end abruptly.
     
  6. Solaris17

    Not yet, soon! Lots of data to cover.

    How do you mean?
     
    Last edited: May 31, 2017
  7. DeathtoGnomes

    Will this be for a browser add-on or standalone?
     
  8. Solaris17

    This is just a DNS server. This is not like extensions and add-ons; I will be going more into this in the guide I'm writing. They function in the same basic way, but add-ons can sometimes modify webpages so you can't "see" where an ad would be. DNS servers cannot do this.
     
  9. DeathtoGnomes

    OK so how about using this project so we can add it here instead:

     
  10. Solaris17

    I don't know what that is but this project doesn't include Proxies.
     
  11. jboydgolfer

    So this would just be added to my DNS list in my Asus router firmware? Then I'd be using your server?
     
  12. Kursah

    You could add it to your NIC in Windows, to your Router's DNS, to your DHCP server (server or router) to hand out to devices.

    What I would recommend is using OpenDNS or GoogleDNS as a secondary DNS server just to make sure DNS is resolving should a failure or outage from adjustment occur. I imagine Sol will do his best to maintain maximum uptime though.

    For those not entirely familiar with what DNS is, check out the video below.



    Simply put, DNS is the yellow pages of the Internet: it takes an IP address, puts an A-Record on it (www.google.com), and when you type that in your browser, you see Google.com, but you're taken to the IP address that is resolved from the DNS server you got the information from. There's A LOT more depth to it, but on the face of it, it's not all that complex with the simple execution of DNS.

    So when you use a service like Solaris DNS or OpenDNS, you're getting DNS services just like your ISP provides, or Google, or even your router/server for your LAN. But the exception here is that filtered DNS services block entries and requests that are known to be bad, malicious or containing certain content that has been chosen to be filtered, instead redirecting you to a page that explains the situation of that site not being permitted to be accessed. This can be huge for home and business security and is a great mitigation to localized security deployments and web filters.

    DNS won't block everything and isn't actively modifying itself; it is very much managed in record keeping, like a rolodex or directory. Every address has a record that tells a computer where that address is supposed to point. So if someone wants to make Warez.com go to a DNS Site Blocked page instead of its actual page, they simply update the record. If you're using their DNS server, you get the blocked page. If you use ISP DNS services, you can get to that page properly and potentially infect your PC or worse.

    DNS management can be a lot of busy work depending on how it is managed, and it should be busy work if properly managed because there's too much happening and changing to have nothing to do IMHO. So Sol could be quite busy with this, I'll have to look further into his deployment methods and see how he is managing DNS records and updates. Regardless, we need more services like this out there and I appreciate a fellow TPU-er testing and offering such a service for all of us to test and use.

    I'm sure Sol can do a better job of explaining this project in a nutshell, I just felt inclined to donate my 2 cents to make sure folks have an opportunity to better understand what the point is here. :)
     
  13. jboydgolfer

    Yeah, I use that currently, but I was thinking that Solaris was looking for "testers" & I'd gladly lend a hand to that end if it is what was being asked :toast:
     
  14. Solaris17

    Yup, that's it! Or you can do so in Windows by going to your network settings. Remember this is an experiment! If you run into any odd issues let me know!

    You bet but better safe than sorry of course!
     
  15. Solaris17


    So far going well. Performance is great and the box isn't loaded at all. She does in between 50-60k DNS requests a day with the people onboard.

    Notable mentions: a few servers are running it in a business setting. It's going well.

    Other mentions: shame on MS. Some of the telemetry domains tie in with things like Windows updates. Don't want pop-up ads in apps? No problem. But you also can't have updates.
     
  16. Solaris17

    Fighting my first DDoS DNS amplification attack.

    In the wee hours of the morning last night I was logging into my sister server that I also run the same project on. This server specifically is more than just a few numbers. This one has an actual domain name attached to it.

    Upon logging in I discovered this.

    Excited it was getting some use, I glanced over at the users. Several domains and IPs were showing up. However, something caught me off guard. The queries blocked had not changed much, which is odd for DNS queries of this magnitude. The graph also took a different turn, skyrocketing in what appeared to be minutes.

    I decided to dig in to the query logs and found that these "users" were making thousands of queries a minute to a domain called leth.cc. After a quick visit it appeared to be innocent enough; however, it also didn't seem popular enough to warrant the connections.

    I decided to take a further look and ran a search on the domain. Someone else had also noted that they were getting thousands of DNS queries to the same domain. My first thought was that this might be some kind of gaming network. Possibly some kind of multiplayer card game or something. This still struck me as odd since they would certainly have their own infrastructure and would not rely on a 3rd party DNS server like my own to support them. Looking into them further revealed they were nothing of the sort.

    At this point I was looking at numbers around 1 million. Then something occurred to me. This wasn't an oddity or a lucky send-off for what could be a successful DNS service built from my desk. This was a reflection attack and I was sending thousands of unsolicited DNS queries to some random website.

    Having already been in the middle of my company's maintenance window and working on company infrastructure, on top of being exhausted, I decided to do the only thing I had the energy left to do. I blocked the URL, preventing the requests from reaching the host. While I was probably one of hundreds or thousands of open DNS servers targeting this poor company's website, I certainly wasn't going to let that statistic continue. My server wasn't breathing too heavy even with these numbers and legit queries weren't slowed; I blacklisted the site and started off to bed. My ending numbers looked like this.


    In the morning the company is open for a few hours, so I have a small window in which I don't need to worry about my infrastructure. I decided to take a look at the DNS server to see what the damage was.

    I don't have pictures, but the attack had continued overnight. From around 1:30AM EST to 8:30AM EST I had generated more than 5.3 million blocked queries, 99% of them being this one domain.

    By this time things had started to get bad. The system was still very much responsive, but disk I/O was high, causing all lookups to take an abnormally long time. Almost a full second. This meant the browsing experience was slow since the cached lookups were having a hard time responding. The amount of queries coming in per second was causing expiration times to not matter. They were being added faster than they were being purged.

    At this point in time I had a choice. My upstream provider had not caught this and as such it was not being filtered. I had blocked forwards to that specific domain, so I was no longer contributing to whatever attack they may be under. However, my own services were starting to suffer because of the attack.

    A few things sprung to mind. This isn't MY particular area of security and as such I'm pretty inexperienced in the more advanced protections for DNS. Specifically provider level. The things that came to mind were:

    • Disable IPv6 traversing on this server since thousands of requests were coming from IPv6 clients.
    • Limit my EDNS packets to 512 bytes (they normally carry LARGE data sets)
    • Limit my query times per requestor
    • Block ANY requests via DNS
    • IDS/IPS blacklist hosts
    All of this would help mitigate the issue; however, some of it was too deep for me to jump into right away given this service is currently providing for a few key test clients.

    To temporarily fix this I had to change its nature from a free/open DNS service to a private service.

    To do this I had to deny all port 53 (DNS) access on my firewall and instead get the specific IPs (thankfully static) of my clients and whitelist those as being able TO access port 53.

    This worked immediately and queries dropped. However, I now need to go into how to properly secure the server from being abused, since I already make sure the clients are safe.

    The internet is a scary place when you look at the logs. Maybe it was providing a domain name to the server itself that made it so easily found by bots?

    THIS DID NOT AFFECT THE SERVER DISPLAYED ABOVE
     
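As an added example (not code from the thread or from Pi-hole), here is a small Python checker that runs over constructed dnsmasq-style query log lines, the format Pi-hole reads, and flags the pattern described in the post above: one name hammered from many sources within a single minute, with the share of ANY queries reported as a secondary indicator. The domain, client addresses and thresholds are constructed placeholders scaled down to the embedded sample.

```python
import re
from collections import defaultdict

# Constructed dnsmasq-style query log lines (the format Pi-hole's FTL reads),
# not taken from the thread: one name is hammered by many clients within a
# single minute while ordinary lookups trickle along.
SAMPLE_LOG = """\
May 31 01:30:01 dnsmasq[812]: query[A] www.techpowerup.com from 192.0.2.10
May 31 01:30:01 dnsmasq[812]: forwarded www.techpowerup.com to 208.67.222.123
May 31 01:30:02 dnsmasq[812]: query[ANY] target.example from 2001:db8::1
May 31 01:30:02 dnsmasq[812]: query[ANY] target.example from 2001:db8::2
May 31 01:30:02 dnsmasq[812]: query[ANY] target.example from 2001:db8::3
May 31 01:30:03 dnsmasq[812]: query[ANY] target.example from 203.0.113.7
May 31 01:30:03 dnsmasq[812]: query[ANY] target.example from 2001:db8::1
May 31 01:30:04 dnsmasq[812]: query[ANY] target.example from 198.51.100.9
May 31 01:30:05 dnsmasq[812]: query[A] forums.techpowerup.com from 192.0.2.10
May 31 01:31:10 dnsmasq[812]: query[AAAA] www.techpowerup.com from 192.0.2.11
"""

# Captures: timestamp truncated to the minute, query type, name, requesting client.
QUERY_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d):\d\d \S+ query\[(\w+)\] (\S+) from (\S+)$"
)

def parse_queries(log_text):
    """Yield (minute, qtype, name, client) per query line; other lines are skipped."""
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m.groups()

def find_reflection_suspects(log_text, per_minute=5, min_clients=3):
    """Flag names asked more than per_minute times within one minute by at least
    min_clients distinct sources (thresholds scaled down for the sample)."""
    per_min = defaultdict(lambda: defaultdict(int))  # name -> minute -> count
    clients = defaultdict(set)                        # name -> requesting sources
    any_count = defaultdict(int)                      # name -> ANY queries seen
    for minute, qtype, name, client in parse_queries(log_text):
        per_min[name][minute] += 1
        clients[name].add(client)
        if qtype == "ANY":
            any_count[name] += 1
    suspects = {}
    for name, minutes in per_min.items():
        peak, total = max(minutes.values()), sum(minutes.values())
        if peak > per_minute and len(clients[name]) >= min_clients:
            suspects[name] = {"peak_per_minute": peak,
                              "clients": len(clients[name]),
                              "any_fraction": any_count[name] / total}
    return suspects
```

On the sample, only target.example is reported (6 queries in one minute from 5 sources, all ANY), which is the cue to rate-limit or restrict port 53 rather than let the server keep forwarding.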
  17. DeathtoGnomes

    AFAIK, which really ain't much here, if you can block duplicate, before the "ANY", requests per [*insert* time frame] that may help reduce a few numbers without being too limiting. If you can trace the source of requests, I don't see why you can't add specific IPs to your blacklisting, even if temporary.
     
  18. Solaris17

    It's been a few months and I got some of the data I need. For now I am going to shut this project down. Thanks to all who participated!
     