What's happening on your network (Do you know?)

  • Yes
  • No
  • Is that even possible (easily)?
  • How do I easily do that?
  • I don’t give a rat’s ass
  • Yes, with Wireshark
  • Yes, with GlassWire
  • Yes, with Windows Task Manager’s “Resource Monitor” Network Tab
  • Yes, with web browser add-ons that show websites loaded on a page
  • Yes, with some Linux tool
  • Yes, I have a custom firewall
  • Yes, I use a Pi-hole
  • I hope that’s enough options, probably missed a few

I use Pi-hole to check the DNS lookups, and sinkhole some lookups, but some apps/processes check hard-coded IP addresses and/or DNS servers.

I do check every now and then, but mostly don’t run a lot of untrusted software.

I’m a bit of a stub on networking and stuff, and most of my firewalling comes from built-in OS ones, and my VPN reverse proxy has iptables to drop packets from the link that were not responding to requests from my side.

Could you elaborate on this? I’m not looking for an instant reply; I would love a few paragraphs about what this means, so in a few hours or days an explanation of what you mean would be cool.

1 Like

I run pfSense, but in addition the dnsbl and Snort packages within it. I have the pfSense syslog going out to a Splunk container, which results in seeing firewall logs, pfSense-hosted VPN logs and Snort IDS positive results, plus other random system stuff. Unfortunately the dnsbl logs do not go out via syslog; I think I’d have to run a forwarder on pfSense and point it to the directory to get them. The web UI in pfBlockerNG has a great display for the logs, but I’d like a single pane of glass.

I segregated the network via VLANs and multiple Wi-Fi SSIDs, but Avahi wasn’t perfect with mDNS and I had to undo a lot of it. Nonetheless, work stuff is isolated from my LAN.

I need to restore DNS over TLS

All that said, I still don’t know what’s going on, lol. I need to make better Splunk panels; a friend’s UniFi GUI is super intuitive at showing the happenings of his network.

1 Like

(By the way, I also heard of Token’s suggested Snort being useful as an intrusion detection system, but never used it. It has good name recognition though; have a look at that if you want to know what’s happening.)

Edit: others have more useful suggestions.

Sorry for my post above; I apologise if I just blurted a load of meaningless jargon. I’ll try and break it down…

I use Linux at home, with a Proxmox NAS/router.
It has two Ethernet links.
I “pass through” one link to a virtual machine, and use it as a firewall/router.
The other link is for my LAN, and I have another VM running Pi-hole, for DNS.

The firewall VM is only set up with some built-in software called iptables. (iptables is old, but simple, once you get the hang of it.)

On the firewall VM, I have an app from my VPN provider, which provides a virtual internet connection (instead of eth0/1/2 it makes one called wg-mullvad).

The Ethernet plugged into the firewall means all traffic has to come through it.

With iptables rules, traffic from my local network can be NATed/forwarded out through the virtual interface.
Traffic from the virtual interface that is a response to traffic sent out is forwarded on to my local network.
All other traffic from the virtual interface is dropped; as in, unless it was requested, it gets dropped/discarded.

I did used to use a Pi as the firewall, Pi-hole, and access point, but wanted more and faster storage, and a little more oomph for more tasks.

A pretty good video I used early on was this one, from when I set the Pi up.

I used a guy’s video as a basis, but he’s taken it off YouTube. He did go to archive.org, but my VPN is blocked, so I can’t check if the archive is up:

Dr. Murphy's Lectures : Free Movies : Free Download, Borrow and Streaming : Internet Archive

There are a bunch of threads on how to set up routers on the forum, and they are good at computers. I’m just sharing the little bits I’ve seen.

These unfortunately do not help you with your monitoring… sorry.
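The rule set this post describes (LAN NATed out through the tunnel, only replies allowed back, everything else from the tunnel dropped), written out as an added example; this is not the poster's own script. The only name taken from the post is the tunnel interface wg-mullvad. The rest is assumed: eth0 as the passed-through WAN NIC, eth1 as the LAN NIC on 192.168.10.0/24, and a placeholder endpoint 203.0.113.10:51820 (TEST-NET-3) standing in for the provider's server. It also adds the rule the post's "unless it was requested, it gets dropped" logic implies for the bare WAN side: LAN traffic may never be forwarded out eth0 directly, so a tunnel outage cannot leak anything.

```shell
#!/bin/sh
# Added example, not the poster's script: iptables policy for a router VM that
# sends all LAN traffic out through a WireGuard tunnel and only lets replies back.
# Assumptions: eth0 is the passed-through WAN NIC, eth1 faces the LAN on
# 192.168.10.0/24, the tunnel interface is wg-mullvad, and the tunnel endpoint
# 203.0.113.10:51820 (TEST-NET-3) stands in for the provider's real server.
set -eu

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
VPN_IF="${VPN_IF:-wg-mullvad}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-51820}"

# Every rule goes through ipt(): with DRY_RUN=1 it prints the iptables command
# instead of running it, so the plan can be reviewed without root.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Start from deny-by-default for traffic to and through the router.
reset_tables() {
    ipt -F; ipt -X; ipt -t nat -F; ipt -t nat -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
}

# Traffic addressed to the router itself.
input_rules() {
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to the router's own connections (the WireGuard handshake included).
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 67 -j ACCEPT   # DHCP
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT   # SSH from LAN only
    # Anything unsolicited from the ISP side or the tunnel hits the DROP policy.
}

# Traffic crossing the router.
forward_rules() {
    # LAN -> tunnel is allowed and masqueraded behind the tunnel address.
    ipt -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$VPN_IF" -s "$LAN_NET" -j MASQUERADE
    # tunnel -> LAN only for replies to connections the LAN opened.
    ipt -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN -> bare WAN is never allowed, so a tunnel outage cannot leak traffic
    # out the ISP link. Everything else, unsolicited tunnel traffic included,
    # falls through to the FORWARD DROP policy.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP
}

# The router's own outbound traffic: only the tunnel handshake may use the bare
# WAN interface; everything else from the router goes via the tunnel or the LAN.
output_rules() {
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -o "$LAN_IF" -j ACCEPT
    ipt -A OUTPUT -o "$VPN_IF" -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p udp -d "$VPN_SERVER" --dport "$VPN_PORT" -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -j DROP
}

apply_all() {
    reset_tables
    input_rules
    forward_rules
    output_rules
}

# Usage:  sh fw.sh plan        print the rules (no root needed)
#         sudo sh fw.sh apply  install them; forwarding must also be enabled
#                              with: sysctl -w net.ipv4.ip_forward=1
case "${1:-}" in
    plan)  DRY_RUN=1; apply_all ;;
    apply) apply_all ;;
esac
```

Two things to check after applying this on a real VM. First, this only covers IPv4; if the ISP link has IPv6, ip6tables needs the same deny-by-default treatment or the "kill switch" has a hole. Second, the provider's client may install firewall rules of its own, so look at `iptables -S` (and `nft list ruleset`) after it starts to make sure the two rule sets are not fighting each other.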

That’s cool, I actually did the same thing. I (at one time, a week or two ago) ran TWO VMs, one for a firewall (to block Google’s DNS 8.8.8.8) and then into the next VM for Pi-hole, then that goes to my router gateway.

I just added 8.8.8.8 as a rule in UFW (finally got it to open the GUI with pkexec as full root with an su command), and so I’ve eliminated the other VM.

1 Like

I’m running OPNsense with the Zenarmor package plugin… It’s pretty informative. I used to run Suricata but never could seem to have it run as well as I had it running on pfSense, so I was happy to change over to Zenarmor when the time came; it is a bit of an all-in-one solution.
I also run duplicate Docker instances of AdGuard as my local DNS, with the upstream being my router running DNS over TLS.

I VLAN my own devices off from the rest of my family’s, with rules to deny inter-VLAN traffic.

pfBlocker is set to block ads and newly registered domains (<30d).

I only police myself, see no evil, hear no evil.

1 Like

I really want to know, but can you really know with DNS over HTTPS and Intel Management Engine and other stuff? I got the DNS filtering set up via ProtonVPN’s own NetShield. It’s probably good enough for my pedestrian use case…

1 Like

I have IPsec and, depending on the source device, some pretty locked-down (= whitelist-based) firewall rules.

I also should probably invest more time into The Dude

If you have smart TVs you’ll want to filter those.

If you have a Roku TV, Netflix and Apple TV programs auto-load at boot on some models, namely TCL. So if you don’t use those services every single day, probably block them until wanted.

Is it possible to block an HTTPS-based DNS request? I’m using it now to filter Android’s bullshit Google API crapola.

Those get pissy easily when you block certain domain names. It’s just easier to put them on the IoT VLAN and isolate them from other humans.

Speaking of which, I need to figure out how to enable port isolation on my Aruba Instant On switch for those damned smart TVs.

Is it possible to MITM DNS-over-HTTPS connections to see where they go and block accordingly?

What you want to achieve is one of the reasons why DoH exists: to defend against something like this.

You can block known domains or IP addresses that provide DoH service.
If you use Pi-hole/pfBlockerNG you can add the DoH domains to the blacklist. You can block IP addresses centrally on the firewall.

You can’t block everything, because the list is always changing and will never be 100%.
Speaking of known DoH services, you can block them quite simply, but it’s hard to block some little-known DoH service that almost no one knows about and whose existence has not been found.

2 Likes

IPS/IDS for a home user who is not providing a service to the world will be of little use, IMHO :wink:

Snort and the rest of the solutions make sense in 2022 if we open up encrypted traffic and then perform the analysis. Analyzing encrypted traffic is very limited, not to say ineffective.

However, when we do not open our network to the world, there is no need to use IPS/IDS unless the user knows what he is doing. IMHO.

I can recommend a relatively simple rule for the SOHO network segment: block all inbound, only allow specific outbound traffic.
Much also depends on the resources the user has at their disposal. VLANs and IDS/IPS are all nice toys, but not everyone in SOHO will have such resources.

I understand that we are talking about a home network and not something corporate?

On the LAN-WAN boundary, activate the firewall. Here you block all traffic coming in to the LAN. At the same time, you allow a certain type of outgoing traffic and/or allow everything (I don’t).
On this firewall you can block outgoing traffic on ports 53 and 853, if you want to restrict external DNS access for devices in the LAN.

Via DHCP you can advertise your DNS (Pi-hole/pfBlockerNG…) to devices on the LAN.

On every device on which it is technically possible, also run a local firewall and use a similar network traffic policy: block all inbound and only allow specific outbound traffic.

As for blocking DoH… at the moment there are still few devices that prefer such communication with DNS, so you probably shouldn’t have a lot of such devices on the LAN. But if it is your will to block DoH… as mentioned before, you can block the IPs/domains of DoH resources. You can do it both locally per device and centrally at the LAN-WAN boundary.

On the other hand, if some device does not need to have access to TCP 443, just block all of its traffic.

In general, blocking DoH communication is not that simple without deep packet inspection. A simple method is to filter the known public DoH providers.

2 Likes
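The DNS side of the advice in the last few replies (block outbound 53 and 853 at the LAN-WAN firewall, advertise the Pi-hole via DHCP, block the known public DoH resolvers by IP on the firewall since that is all you can do without DPI), as an added example in iptables; this is not code from any post in the thread. Assumed: eth1 is the LAN NIC, the LAN is 192.168.10.0/24 and the Pi-hole VM sits on it at 192.168.10.2. The DoH address list is a deliberately short, partial starting set of well-known public resolvers, not a complete one, which per the replies above does not exist. Rather than just dropping port 53, it rewrites it: a client that hard-codes 8.8.8.8, like the app behaviour described earlier in the thread, still ends up talking to the Pi-hole.

```shell
#!/bin/sh
# Added example, not from any post in the thread: iptables rules that force LAN
# DNS through the local Pi-hole and cut off the bypass routes discussed above
# (DNS over TLS on 853, and DoH to known public resolvers on 443).
# Assumptions: eth1 is the LAN NIC, the LAN is 192.168.10.0/24, and the Pi-hole
# VM lives on that LAN at 192.168.10.2.
set -eu

LAN_IF="${LAN_IF:-eth1}"
PIHOLE="${PIHOLE:-192.168.10.2}"

# Public resolvers that also answer DoH on TCP 443. Deliberately a short,
# partial starting list; extend it from what your own firewall logs show.
DOH_IPS="1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 9.9.9.9 149.112.112.112"

# DRY_RUN=1 prints the commands instead of executing them.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Log the attempt (rate limited so a chatty device cannot flood syslog), then
# reset it. These log lines are how you learn which device is trying to bypass.
deny_forward() {
    ipt -A FORWARD "$@" -m limit --limit 6/min -j LOG --log-prefix "DNS-BYPASS: "
    ipt -A FORWARD "$@" -j REJECT --reject-with tcp-reset
}

dns_rules() {
    # 1. Plain DNS from any LAN host except the Pi-hole itself is rewritten to
    #    go to the Pi-hole, whatever resolver the client asked for, so an app
    #    with a hard-coded 8.8.8.8 still gets the filtered answers. The Pi-hole
    #    is exempt so it can still reach its own upstream on 53.
    for proto in udp tcp; do
        ipt -t nat -A PREROUTING -i "$LAN_IF" ! -s "$PIHOLE" -p "$proto" --dport 53 \
            -j DNAT --to-destination "$PIHOLE"
    done
    # 2. The Pi-hole is on the same LAN as the clients, so its reply would go
    #    straight back with the Pi-hole's own source address and the client
    #    would discard it (it expected 8.8.8.8). Masquerading the redirected
    #    query makes the Pi-hole answer the router, which reverses both NATs
    #    and hands the client a reply from the address it asked.
    for proto in udp tcp; do
        ipt -t nat -A POSTROUTING -o "$LAN_IF" -d "$PIHOLE" -p "$proto" --dport 53 -j MASQUERADE
    done
    # 3. DNS over TLS carries nothing the router could rewrite: refuse it.
    deny_forward -i "$LAN_IF" ! -s "$PIHOLE" -p tcp --dport 853
    # 4. DoH is ordinary HTTPS, so without DPI it can only be cut off by
    #    destination address, one rule pair per known resolver.
    for ip in $DOH_IPS; do
        deny_forward -i "$LAN_IF" ! -s "$PIHOLE" -d "$ip" -p tcp --dport 443
    done
}

# Usage:  sh dns-enforce.sh plan        print the rules
#         sudo sh dns-enforce.sh apply  install them
case "${1:-}" in
    plan)  DRY_RUN=1; dns_rules ;;
    apply) dns_rules ;;
esac
```

Run `dns_rules` before whatever rule accepts general LAN-to-WAN traffic in FORWARD, since iptables stops at the first match and an earlier blanket ACCEPT would make the deny rules dead. The DHCP half of the advice is one line in dnsmasq, for example `dhcp-option=option:dns-server,192.168.10.2` (address assumed as above). One side effect of the hairpin masquerade in step 2: the Pi-hole sees every redirected query as coming from the router's LAN address, so its per-client statistics only stay accurate for clients that used the advertised resolver in the first place; the redirect is a safety net for the ones that did not.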