# Safe DNS Project



## Solaris17 (May 31, 2017)

Hey everyone! I am running a usability experiment to see how naive it might be to provide everyday users the ability to browse the internet in a safer manner.

To accomplish this I am running a public DNS server that is running Pi-Hole with extended definitions.

This experiment ties in directly with the guide I'm currently writing here:

https://www.techpowerup.com/forums/threads/guide-global-network-dns-blacklisting-pi-hole.233545/

To do this, I am hosting a small virtual server on Digital Ocean. I am using my own funds to give it a shot.

The Pi-Hole software is free and currently we are here with functionality.


I run some extra definition lists on the Pi, which caches and remembers its DNS requests. Whenever the Pi doesn't know something, I take this a step further and the forward addresses point to OpenDNS FamilyShield servers, which according to OpenDNS block the following:



> *What does FamilyShield Block?*
> 
> The service blocks pornographic content, including our “Pornography,” “Tasteless,” and “Sexuality” categories, in addition to proxies and anonymizers (which can render filtering useless). It also blocks phishing and some malware.



The goal of this is simple.

- Can I or another organization or entity use free products to provide a safer internet to users without charging them a ludicrous amount of money?
- How effective is it?
- Can it be done at a low or no cost?

To answer these questions I would like to invite feedback on the project if you decide to join. I am looking for the following.

- Response time OK
- false positives
- does this inhibit your browsing habits within reason?

Here are some examples of what this blocks.

- Telemetry
- malware domains
- ad domains
- pornographic and other non-PG domains

DNS in itself isn't a perfect system, but I would REALLY like to understand how feasible a project like this could be. If you would like to join, the DNS server IP in question is this.

*45.55.35.57*

(I currently only route IPv4.) I DO NOT keep any private or identifying information.


----------



## Kursah (May 31, 2017)

I'll have to check it out. Thanks for taking the effort to do this. DNS hosting can get complex and I'm curious to see how well your VM holds up. I think forwarding non-authoritative queries to OpenDNS is also a solid move...that's what I've been using as my home site's DNS for years now.

Solaris DNS Security Services. Kinda has a good ring to it.


----------



## Solaris17 (May 31, 2017)

Kursah said:


> I'll have to check it out. Thanks for taking the effort to do this. DNS hosting can get complex and I'm curious to see how well your VM holds up. I think forwarding non-authoritative queries to OpenDNS is also a solid move...that's what I've been using as my home site's DNS for years now.
> 
> Solaris DNS Security Services. Kinda has a good ring to it.



Thanks! It's definitely going to be a technical challenge for certain. I stand to learn a lot myself I think from this exercise.


----------



## Kursah (May 31, 2017)

I look forward to reading up on your results as well, hopefully this'll be a good lesson in experience and practice. And who knows, you could be the next authoritative DNS filtering service out there if you really get into it.


----------



## Halo3Addict (May 31, 2017)

Pi-Hole claims to block ads in phone apps as well.
Hmm.. but I do like porn.
How can anyone make these kinds of decisions with confidence?

I took a look at your other thread, is it finished? It seems to end abruptly.


----------



## Solaris17 (May 31, 2017)

Solaris17 said:


> This experiment ties in directly with the guide im currently writing here:





Halo3Addict said:


> Pi-Hole claims to block ads in phone apps as well
> Hmm.. but I do like porn
> How can anyone make these kinds of decisions with confidence.
> 
> I took a look at your other thread, is it finished? It seems to end abruptly.



Not yet, soon! Lots of data to cover.



> How can anyone make these kinds of decisions with confidence.



How do you mean?


----------



## DeathtoGnomes (May 31, 2017)

Will this be for a browser add-on or standalone?


----------



## Solaris17 (May 31, 2017)

DeathtoGnomes said:


> Will this be for a browser add-on or standalone?



This is just a DNS server. This is not like extensions and add-ons; I will be going more into this in the guide I'm writing. They function in the same basic way, but add-ons can sometimes modify webpages so you can't "see" where an ad would be. DNS servers cannot do this.


----------



## DeathtoGnomes (May 31, 2017)

Solaris17 said:


> This is just a DNS server. This is not like extensions and add-ons I will be going more into this in the guide im writing. They function in the same basic way, but add-ons can sometimes modify webpages so you cant "see" where an add would be. DNS servers cannot do this.



OK so how about using this project so we can add it here instead:


----------



## Solaris17 (May 31, 2017)

DeathtoGnomes said:


> OK so how about using this project so we can add it here instead:



I don't know what that is but this project doesn't include Proxies.


----------



## jboydgolfer (May 31, 2017)

Solaris17 said:


> 45.55.35.57



So this would just be added to my DNS list in my Asus router firmware? Then I'd be using your server?


----------



## Kursah (May 31, 2017)

You could add it to your NIC in Windows, to your Router's DNS, to your DHCP server (server or router) to hand out to devices.

What I would recommend is using OpenDNS or GoogleDNS as a secondary DNS server just to make sure DNS is resolving should a failure or outage from adjustment occur. I imagine Sol will do his best to maintain maximum uptime though.

For those not entirely familiar with what DNS is, check out the video below. 


Simply put, DNS is the yellow pages of the Internet. It takes an IP address, puts an A-record on it (www.google.com), and when you type that in your browser you see Google.com, but you're taken to the IP address that is resolved from the DNS server you got the information from. There's A LOT more depth to it, but on the face of it, it's not all that complex in the simple execution of DNS.

So when you use a service like Solaris DNS or OpenDNS, you're getting DNS services just like your ISP provides, or Google, or even your router/server for your LAN. The exception here is that filtered DNS services block entries and requests that are known to be bad, malicious, or containing certain content that has been chosen to be filtered, instead redirecting you to a page that explains that the site is not permitted to be accessed. This can be huge for home and business security and is a great mitigation alongside localized security deployments and web filters.

DNS won't block everything and isn't actively modifying itself; it is very much managed record keeping, like a Rolodex or directory. Every address has a record that tells a computer where that address is supposed to point. So if someone wants to make Warez.com go to a "DNS Site Blocked" page instead of its actual page, they simply update the record. If you're using their DNS server, you get the blocked page. If you use ISP DNS services, you can get to that page properly and potentially infect your PC or worse.

DNS management can be a lot of busy work depending on how it is managed, and it should be busy work if properly managed, because there's too much happening and changing to have nothing to do IMHO. So Sol could be quite busy with this; I'll have to look further into his deployment methods and see how he is managing DNS records and updates. Regardless, we need more services like this out there, and I appreciate a fellow TPU-er testing and offering such a service for all of us to test and use.

I'm sure Sol can do a better job of explaining this project in a nutshell; I just felt inclined to donate my 2 cents to make sure folks have an opportunity to better understand what the point is here.
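To make the mechanism described above concrete, here is an added example (not Pi-hole's code and not from this project) that models how a filtering resolver decides each query: a name on the blocklist, or any subdomain of one, gets a sinkhole answer; anything else is served from the local cache or forwarded upstream, which is the Pi-hole-plus-OpenDNS layout from the opening post. The blocklist, the upstream answers and the `0.0.0.0` sinkhole address are constructed assumptions, and the verdict names mirror the categories a Pi-hole dashboard shows.

```python
"""Model of how a filtering resolver such as Pi-hole decides a query.
Added example; not Pi-hole's or this project's code. The blocklist, the
upstream answers and the sinkhole address are constructed for the demo."""
from collections import Counter

SINKHOLE = "0.0.0.0"  # assumed: the address handed back for blocked names

# Constructed blocklist: each entry blocks the name and every subdomain of it.
BLOCKLIST = {"ads.example", "telemetry.example", "tracker.example"}

# Constructed stand-in for the upstream resolver (OpenDNS in the thread).
UPSTREAM_ANSWERS = {"example.com": "198.51.100.20", "example.net": "198.51.100.21"}


def normalize(name):
    """Lower-case and strip the trailing dot so 'Ads.Example.' matches 'ads.example'."""
    return name.strip().lower().rstrip(".")


def is_blocked(name, blocklist=BLOCKLIST):
    """True if the name or any parent domain is on the list.

    Matching is done on label boundaries, so 'notads.example' does not
    match the entry 'ads.example' the way a substring check would."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


class FilteringResolver:
    def __init__(self, blocklist=BLOCKLIST, upstream=UPSTREAM_ANSWERS, sinkhole=SINKHOLE):
        self.blocklist = blocklist
        self.upstream = upstream
        self.sinkhole = sinkhole
        self.cache = {}          # name -> answer learned from upstream
        self.stats = Counter()   # verdict counts, like the dashboard graph

    def resolve(self, name):
        """Return (address_or_None, verdict).

        Verdicts: 'blocked' (sinkholed), 'cached' (answered locally),
        'forwarded' (asked upstream) or 'nxdomain' (upstream knows nothing)."""
        name = normalize(name)
        if is_blocked(name, self.blocklist):
            self.stats["blocked"] += 1
            return self.sinkhole, "blocked"
        if name in self.cache:
            self.stats["cached"] += 1
            return self.cache[name], "cached"
        answer = self.upstream.get(name)
        if answer is None:
            self.stats["nxdomain"] += 1
            return None, "nxdomain"
        self.cache[name] = answer
        self.stats["forwarded"] += 1
        return answer, "forwarded"


if __name__ == "__main__":
    resolver = FilteringResolver()
    for query in ["example.com", "example.com", "www.ads.example", "notads.example"]:
        print(query, resolver.resolve(query))
    print(dict(resolver.stats))
```

The suffix walk in `is_blocked` is the part worth copying: a blocklist that only matched exact names would be bypassed by any subdomain, and one that matched substrings would produce the false positives the opening post asks testers to report.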


----------



## jboydgolfer (May 31, 2017)

Kursah said:


> What I would recommend is using OpenDNS or GoogleDNS as a secondary DNS



Yeah, I use that currently, but I was thinking that Solaris was looking for "testers" & I'd gladly lend a hand to that end if it is what was being asked.


----------



## Solaris17 (May 31, 2017)

jboydgolfer said:


> So this would just be added to my DNS list in my Asus router firmware? Then id be using your server?



Yup, that's it! Or you can do so in Windows by going to your *network settings*. Remember this is an experiment! If you run into any odd issues let me know!



Kursah said:


> I imagine Sol will do his best to maintain maximum uptime though.



You bet but better safe than sorry of course!


----------



## Solaris17 (Jun 17, 2017)

So far going well. Performance is great and the box isn't loaded at all. She does between 50-60k DNS requests a day with the people onboard.

Notable mentions. A few servers are running it in a business setting. It's going well.

Other mentions. Shame on MS. Some of the telemetry domains tie in with things like Windows updates. Don't want pop-up ads in apps? No problem. But you also can't have updates.


----------



## Solaris17 (Jun 24, 2017)

Fighting my first DDoS DNS amplification attack.

In the wee hours of the morning last night I was logging into my sister server that I also run the same project on. This server specifically is more than just a few numbers. This one has an actual domain name attached to it.

Upon logging in I discovered this.


Excited it was getting some use, I glanced over at the users. Several domains and IPs were showing up. However, something caught me off guard. The queries blocked had not changed much, which is odd for DNS queries of this magnitude. The graph also took a different turn, skyrocketing in what appeared to be minutes.

I decided to dig in to the query logs and found that these "users" were making thousands of queries a minute to a domain called leth.cc. After a quick visit it appeared to be innocent enough; however, it also didn't seem popular enough to warrant the connections.

I decided to take a further look and ran a search on the domain. Someone else had also noted that they were getting thousands of DNS queries to the same domain. My first thought was that this might be some kind of gaming network. Possibly some kind of multiplayer card game or something. This still struck me as odd since they would certainly have their own infrastructure and would not rely on a third-party DNS server like my own to support them. Looking into them further revealed they were nothing of the sort.

At this point I was looking at numbers around 1 million. Then something occurred to me. This wasn't an oddity or a lucky send-off for what could be a successful DNS service built from my desk. This was a reflection attack and I was sending thousands of unsolicited DNS queries to some random website.

Having already been in the middle of my company's maintenance window and working on company infrastructure, on top of being exhausted, I decided to do the only thing I had the energy left to do. I blocked the URL, preventing the requests from reaching the host. While I was probably one of hundreds or thousands of open DNS servers targeting this poor company's website, I certainly wasn't going to let that statistic continue. My server wasn't breathing too heavy even with these numbers and legit queries weren't slowed. I blacklisted the site and started off to bed. My ending numbers looked like this.


In the morning the company is open for a few hours, so I have a small window in which I don't need to worry about my infrastructure. I decided to take a look at the DNS server to see what the damage was.

I don't have pictures, but the attack had continued overnight. From around 1:30AM EST to 8:30AM EST I had generated more than 5.3 million blocked queries, 99% of them being this one domain.

By this time things had started to get bad. The system was still very much responsive, but disk I/O was high, causing all lookups to take an abnormally long time. Almost a full second. This meant the browsing experience was slow since the cached lookups were having a hard time responding. The amount of queries coming in per second was causing expiration times to not matter. They were being added faster than they were being purged.

At this point in time I had a choice. My upstream provider had not caught this and as such it was not being filtered. I had blocked forwards to that specific domain, so I was no longer contributing to whatever attack they may be under. However, my own services were starting to suffer because of the attack.

A few things sprung to mind. This isn't MY particular area of security and as such I'm pretty inexperienced in the more advanced protections for DNS, specifically at provider level. The things that came to mind were:

- Disable IPv6 traversing on this server since thousands of requests were coming from IPv6 clients.
- Limit my EDNS packets to 512 bytes (they normally carry LARGE data sets).
- Limit my query times per requestor.
- Block ANY requests via DNS.
- IDS/IPS blacklist hosts.

All of this would help mitigate the issue; however, some of it was too deep for me to jump into right away given this service is currently providing for a few key test clients.

To temporarily fix this I had to change its nature from a free/open DNS service to a private service.

To do this I had to deny all port 53 (DNS) access on my firewall and instead get the specific IPs (thankfully static) of my clients and whitelist those as being able TO access port 53.

This worked immediately and queries dropped. However, I now need to go into how to properly secure the server from being abused, since I already make sure the clients are safe.

The internet is a scary place when you look at the logs. Maybe it was providing a domain name to the server itself that made it so easily found by bots?

*THIS DID NOT AFFECT THE SERVER DISPLAYED ABOVE*


----------



## DeathtoGnomes (Jun 25, 2017)

Solaris17 said:


> A few things sprung to mind. This isn't MY particular area of security and as such I'm pretty inexperienced in the more advanced protections for DNS. Specifically provider level. The things that came to mind were:
> 
> 
> Disable IPV6 traversing on this server since thousands of requests were coming from IPV6 clients.
> ...



AFAIK, which really ain't much here, if you can block duplicate requests, before the "ANY", per [*insert* time frame] that may help reduce a few numbers without being too limiting. If you can trace the source of requests, I don't see why you can't add specific IPs to your blacklisting, even if temporary.
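The mitigation list in Solaris17's Jun 24 post (per-requestor limits, blocking ANY, allowlisting the static client IPs on port 53) and the per-time-frame limiting suggested just above can be sketched as detection and enforcement logic. The following is an added example, not the project's or Pi-hole's code: it parses constructed query-log lines in a simplified format (`<unix_ts> query[<type>] <name> from <source>`, loosely modelled on the dnsmasq log Pi-hole reads), flags requestors that exceed a per-window query count, reports when one name dominates all traffic (the signature of the reflection described in the post) together with the share of ANY queries, offers a sliding-window limiter, and models the final fix of allowing only listed client networks. The log lines, thresholds and addresses are constructed assumptions.

```python
"""Detection and enforcement helpers for an open resolver under reflection load.
Added example, not the project's or Pi-hole's code. The log format below is a
simplified constructed one; thresholds, timestamps and addresses are assumptions."""
from collections import Counter, defaultdict, deque
import ipaddress
import re

LOG_RE = re.compile(r"^(?P<ts>\d+) query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)$")


def build_sample_log(t0=1498282200):
    """Constructed sample (not real traffic): three ordinary clients plus two
    sources that hammer a single name, the pattern described in the thread."""
    lines = []
    for src, name in [("192.0.2.10", "example.com"), ("192.0.2.11", "example.net"),
                      ("198.51.100.5", "example.org")]:
        for i in range(5):
            lines.append(f"{t0 + i * 10} query[A] {name} from {src}")
    for i in range(200):  # 200 ANY queries within 50 seconds from one IPv6 source
        lines.append(f"{t0 + i // 4} query[ANY] target.example from 2001:db8::1")
    for i in range(100):  # 100 A queries within 50 seconds from one IPv4 source
        lines.append(f"{t0 + i // 2} query[A] target.example from 203.0.113.7")
    return lines


def parse_log(lines):
    """Turn log lines into records sorted by time; non-query lines are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            records.append({"ts": int(m["ts"]), "qtype": m["qtype"],
                            "name": m["name"].lower(), "src": m["src"]})
    records.sort(key=lambda r: r["ts"])
    return records


def flagged_sources(records, window=60, max_queries=50):
    """Sources that send more than max_queries within any `window`-second span."""
    recent = defaultdict(deque)
    flagged = set()
    for r in records:
        dq = recent[r["src"]]
        while dq and r["ts"] - dq[0] >= window:
            dq.popleft()
        dq.append(r["ts"])
        if len(dq) > max_queries:
            flagged.add(r["src"])
    return flagged


def dominant_name(records, share=0.9):
    """(name, fraction) if one name makes up at least `share` of all queries.
    A single name dominating an open resolver's log is the reflection signature."""
    counts = Counter(r["name"] for r in records)
    if not counts:
        return None
    name, n = counts.most_common(1)[0]
    frac = n / len(records)
    return (name, round(frac, 3)) if frac >= share else None


def any_query_fraction(records):
    """Share of ANY queries; ANY answers are the large ones an amplifier wants."""
    if not records:
        return 0.0
    return round(sum(r["qtype"] == "ANY" for r in records) / len(records), 3)


class RateLimiter:
    """Per-requestor sliding window: at most `limit` answered queries per `window` s."""
    def __init__(self, limit=20, window=10):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)

    def allow(self, src, ts):
        dq = self.seen[src]
        while dq and ts - dq[0] >= self.window:
            dq.popleft()
        if len(dq) >= self.limit:
            return False  # drop: over budget for this window
        dq.append(ts)
        return True


def is_allowlisted(src, allowlist):
    """Model of the thread's final fix: only listed client networks may reach port 53."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in allowlist)


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("total queries:", len(recs))
    print("flagged sources:", flagged_sources(recs))
    print("dominant name:", dominant_name(recs))
    print("ANY fraction:", any_query_fraction(recs))
```

On the constructed sample the two hammering sources are flagged while the three ordinary clients are not, `target.example` accounts for about 95% of all queries, and the allowlist check admits only the clients whose networks were listed, which is the same cut-off the post describes applying at the firewall.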


----------



## Solaris17 (Jul 16, 2017)

It's been a few months and I got some of the data I need. For now I am going to shut this project down. Thanks to all who participated!


----------

