The can of worms.. DNS FILTERING

Discuss new and miscellaneous projects that don't have a home elsewhere in the forum.
p3rlphr33k
Posts: 5
Joined: Tue Jan 19, 2016 2:01 am

The can of worms.. DNS FILTERING

Postby p3rlphr33k » Tue Jan 19, 2016 2:39 am

I mentioned this in the IRC channel, but I will post here going forward.

The can of worms, as mentioned in the title, is filtering DNS. I understand that this is a community that encourages openness in the arena of DNS services. I am not advocating that we forcefully filter results using the OpenNIC servers, but we offer an option to allow users to filter, if they choose to do so.

I have already begun coding such a system and I will post updates as it becomes more functional. Eventually a demo site will follow along with a DNS server that will handle the queries and forward the requests to OpenNIC.

I am interested in all thoughts on the subject, especially the "constructive criticism" kind.

chip
T2 Operator
Posts: 41
Joined: Mon Jan 18, 2016 2:19 am
Location: Colorado, USA

Re: The can of worms.. DNS FILTERING

Postby chip » Tue Jan 19, 2016 3:01 am

I'm curious about your filter. I'm assuming it's like a DNS proxy that the client runs or someone runs on behalf of the client? Does it filter requests and forward the requests that are accepted on to the DNS server, then reply to the client? Or is it similar to a fork of a full DNS server that has the functionality built in?

Also I assume it's aimed more towards the non-technical user? I don't necessarily mean technically uneducated, rather, someone who doesn't want to learn BIND configuration and host their own T2. More of a shut-up-and-take-my-money attitude.
achip on #opennic | chip.geek

p3rlphr33k
Posts: 5
Joined: Tue Jan 19, 2016 2:01 am

Re: The can of worms.. DNS FILTERING

Postby p3rlphr33k » Tue Jan 19, 2016 5:05 pm

My current implementation is in the form of a DNS proxy. The proxy server accepts the DNS request, forks the process and makes the request to the actual DNS, while checking the database to see if it exists. If not, it is added and the request returned. If so, the request is returned anyways.. This is where I will develop the next phase once I have more to work with.

All I have been doing is browsing the web, and loading the domains into a SQL database. I will extend this to the next level once I have a few hundred domains to play with.

I don't think it would be a good idea to mix this type of system with the physical DNS server due to resource constraints. I would like to build in a pass-through in the event the wait times exceeded .. say 3 seconds for example.

Nesa
Posts: 7
Joined: Thu Dec 22, 2016 12:11 am

Re: The can of worms.. DNS FILTERING

Postby Nesa » Fri Dec 23, 2016 1:17 am

Can this be modified to help with DNS amplification attacks?

Have a table of recent ANY or TXT requests and drop the request if the hit count is high for example?

Ole Juul
Posts: 30
Joined: Mon Jan 18, 2016 2:52 am

Re: The can of worms.. DNS FILTERING

Postby Ole Juul » Sat Dec 24, 2016 3:00 am

What kinds of things would you filter?

I'm not personally into any kind of censorship except that which one does oneself. Perhaps this will be like that. In any case, I do support people's freedom to do as they wish in this regard.

verax
Site Admin
Posts: 30
Joined: Mon Jan 18, 2016 3:16 am

Re: The can of worms.. DNS FILTERING

Postby verax » Wed Dec 28, 2016 7:42 pm

Nesa wrote:Can this be modified to help with DNS amplification attacks?

Have a table of recent ANY or TXT requests and drop the request if the hit count is high for example?


I had a similar idea a while ago: feeding a query log to a program that will track repeated queries and if it finds a spambot, it will add a firewall rule to block them.

My only issue I see is that a SQL database might be a bit too slow for this sort of thing. It's probably the only option for the blocklist idea, but for spam detection it's the wrong tool.

Nesa
Posts: 7
Joined: Thu Dec 22, 2016 12:11 am

Re: The can of worms.. DNS FILTERING

Postby Nesa » Wed Dec 28, 2016 10:38 pm

Would an in memory cache be a better idea? (I think this might be ram heavy)
All it would need to hold is the IP address and hit count. I'm looking for anything that will allow me to take my server off the white list only option.

Bandwidth is very expensive in Australia; I get charged $1 per GB over my quota, and when my server is being used it can get very high quickly :)

verax
Site Admin
Posts: 30
Joined: Mon Jan 18, 2016 3:16 am

Re: The can of worms.. DNS FILTERING

Postby verax » Thu Dec 29, 2016 2:40 am

Nesa wrote:Would an in memory cache be a better idea? (I think this might be ram heavy)
All it would need to hold is the IP address and hit count. I'm looking for anything that will allow me to take my server off the white list only option.


Since it's just holding an IP address and some hit information, I doubt it would use very much memory, even on very busy servers.
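The two ideas in this thread fit together in one piece of proxy logic: p3rlphr33k's filtering proxy that records every queried domain and can refuse names on a user-chosen list, and the in-memory per-client hit counter that Nesa and verax discuss for amplification-prone query types (ANY and TXT). The following is an added example written for this thread; it is not code from p3rlphr33k's project, OpenNIC, or any poster here. It only makes the forward/refuse/drop decision on a raw query packet, so it runs offline; the socket forwarding, the 3-second pass-through, the blocklist contents, the hit threshold and the sample packets are all assumptions or constructed for the demo.

```python
"""Added example (not from the thread or OpenNIC): decision logic for a filtering
DNS proxy with an in-memory per-client rate limiter for ANY/TXT queries.
Thresholds, names and packets below are assumptions/constructed for the demo."""
import struct
import time

QTYPE_TXT = 16
QTYPE_ANY = 255
AMPLIFICATION_QTYPES = {QTYPE_TXT, QTYPE_ANY}   # large answers, abused in reflection


def parse_query(packet: bytes):
    """Return (txid, qname, qtype) from a raw DNS query; raise ValueError on junk."""
    if len(packet) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:        # QR bit set, or not exactly one question
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                      # compression pointers are not valid here
            raise ValueError("compressed name in question")
        labels.append(packet[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype


def build_query(txid: int, name: str, qtype: int) -> bytes:
    """Constructed test input: a minimal recursion-desired query (class IN)."""
    wire = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + wire + b"\x00" + struct.pack("!HH", qtype, 1)


class RateLimiter:
    """Fixed-window hit counter keyed by client IP, held entirely in RAM.
    Each client costs one (window_start, count) pair, so memory stays small
    even on a busy server; idle clients are evicted by evict_idle()."""

    def __init__(self, max_hits: int, window: float):
        self.max_hits, self.window = max_hits, window
        self.hits: dict[str, list] = {}       # ip -> [window_start, count]

    def over_limit(self, ip: str, now: float) -> bool:
        entry = self.hits.setdefault(ip, [now, 0])
        if now - entry[0] >= self.window:      # window expired: start a fresh one
            entry[0], entry[1] = now, 0
        entry[1] += 1
        return entry[1] > self.max_hits

    def evict_idle(self, now: float) -> int:
        idle = [ip for ip, (start, _) in self.hits.items() if now - start > self.window]
        for ip in idle:
            del self.hits[ip]
        return len(idle)


class FilteringProxy:
    """Decide what to do with one query from one client (assumed design)."""

    def __init__(self, blocklist=(), max_hits=20, window=10.0):
        self.blocklist = {d.lower() for d in blocklist}   # user-chosen, opt-in
        self.seen = set()                                  # every domain ever queried
        self.limiter = RateLimiter(max_hits, window)

    def decide(self, packet: bytes, client_ip: str, now=None) -> tuple:
        """Return (action, qname): action is 'forward', 'refuse' or 'drop'."""
        now = time.monotonic() if now is None else now
        try:
            _, qname, qtype = parse_query(packet)
        except ValueError:
            return "drop", ""                 # malformed: never forward upstream
        if qtype in AMPLIFICATION_QTYPES and self.limiter.over_limit(client_ip, now):
            return "drop", qname              # silent drop costs no outbound bandwidth
        self.seen.add(qname)                  # the "load the domains into a database" step
        if any(qname == d or qname.endswith("." + d) for d in self.blocklist):
            return "refuse", qname            # caller would answer REFUSED/NXDOMAIN
        return "forward", qname               # caller relays to the OpenNIC upstream
```

A silent drop (rather than a REFUSED reply) is deliberate for the rate-limited case: reflected traffic has a spoofed source, so answering at all still spends bandwidth toward the victim. A real deployment would key the counter by /24 or /64 rather than single address and would add the pass-through timer the first post mentions, but the decision table above is the whole of what the thread describes.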

