unbound
Setup
Built following [Site blocking is in the news, so I tested a way to implement DNS blocking](https://kurochan-note.hatenablog.jp/entry/2018/04/23/190508).
Setup history
```sh
yum install unbound unbound-python
```
/etc/unbound/unbound.conf
```
server:
    verbosity: 1
    statistics-interval: 0
    statistics-cumulative: no
    extended-statistics: yes
    num-threads: 4
    interface-automatic: no
    so-reuseport: yes
    ip-transparent: yes
    chroot: ""
    username: "unbound"
    directory: "/etc/unbound"
    log-time-ascii: yes
    pidfile: "/var/run/unbound/unbound.pid"
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    unwanted-reply-threshold: 10000000
    prefetch: yes
    prefetch-key: yes
    rrset-roundrobin: yes
    minimal-responses: yes
    module-config: "ipsecmod validator iterator"
    trust-anchor-signaling: yes
    trusted-keys-file: /etc/unbound/keys.d/*.key
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-clean-additional: yes
    val-permissive-mode: no
    val-log-level: 1
    include: /etc/unbound/local.d/*.conf
    ipsecmod-enabled: no
    ipsecmod-hook: "/usr/libexec/ipsec/_unbound-hook"

python:
    # Script file to load
    # python-script: "/etc/unbound/ubmodule-tst.py"

remote-control:
    control-enable: yes
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"

include: /etc/unbound/conf.d/*.conf
```
/etc/unbound/conf.d/dns-cache.conf (included last, so its module-config overrides the one in unbound.conf)
```
server:
    verbosity: 1
    interface: 0.0.0.0
    access-control: 192.168.0.0/24 allow
    access-control: 127.0.0.1/32 allow
    use-syslog: yes
    log-time-ascii: yes
    log-queries: yes
    module-config: "python validator iterator"

python:
    python-script: "/etc/unbound/domain_filter.py"
```
Take the source from https://gist.github.com/kurochan/27f26f4688e20e166597bad677c0af0b#file-domain_filter-py
```sh
wget -O /etc/unbound/domain_filter.py https://gist.githubusercontent.com/kurochan/27f26f4688e20e166597bad677c0af0b/raw/5f5652453cad231f85931c09d85ac4147e9b9f67/domain_filter.py
```
Trim the log output a little so the logs are easier to read.
/etc/unbound/domain_filter.py
```python
BLOCK_DOMAINS_FILE = "/etc/unbound/block_domains.txt"

block_domains = set()


def load_file(file_name):
    # Read one domain per line into the global set; a missing file is logged, not fatal
    try:
        with open(file_name, "r") as f:
            for line in f:
                block_domains.add(line.rstrip())
    except IOError:
        log_info("pythonmod: failed to load %s" % file_name)
    log_info("pythonmod: load block_domains from: %s" % file_name)


def filter_domain(qstate, id):
    # qname_str carries the trailing dot; strip it before the exact-match lookup
    domain = qstate.qinfo.qname_str.rstrip('.')
    if domain in block_domains:
        log_info("pythonmod: block_domains from: %s" % domain)
        # Answer NXDOMAIN ourselves and stop the module chain here
        qstate.return_rcode = RCODE_NXDOMAIN
        qstate.ext_state[id] = MODULE_FINISHED
    else:
        #log_info("pythonmod: pass_domains from: %s" % domain)
        # Hand the query on to the validator and iterator
        qstate.ext_state[id] = MODULE_WAIT_MODULE


def init(id, cfg):
    log_info("pythonmod: init called, module id is %d port: %d script: %s" % (id, cfg.port, cfg.python_script))
    load_file(BLOCK_DOMAINS_FILE)
    return True


def deinit(id):
    log_info("pythonmod: deinit called, module id is %d" % id)
    return True


def inform_super(id, qstate, superqstate, qdata):
    return True


def operate(id, event, qstate, qdata):
    #log_info("pythonmod: operate called, id: %d, event:%s" % (id, strmodulevent(event)))
    if event == MODULE_EVENT_NEW:
        filter_domain(qstate, id)
        return True
    if event == MODULE_EVENT_MODDONE:
        # The next module has answered; pass its result through
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    if event == MODULE_EVENT_PASS:
        filter_domain(qstate, id)
        return True
    log_err("pythonmod: BAD event")
    qstate.ext_state[id] = MODULE_ERROR
    return True
```
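The filter above compares the query name exactly, so subdomains of a blocked name still resolve, and every line of block_domains.txt (comments and blank lines included) is added verbatim. As an added example, not code from the post or from kurochan's gist, here is a list parser and a per-label matcher that could replace the `domain in block_domains` test; the sample list is constructed, and the hosts-style and comment lines are assumed formats, not taken from the fetched file.

```python
# Added example, not part of the original post or kurochan's gist.
# Assumption: a Pi-hole style list may mix bare domains, hosts-style
# "0.0.0.0 domain" lines and '#' comments. The sample below is constructed.

SAMPLE_LIST = """\
# constructed sample in the styles a Pi-hole / hosts list may use
malware.example
0.0.0.0 Phish.Example   # trailing comment, mixed case
127.0.0.1 localhost
tracker.example.
"""


def parse_block_list(lines):
    """Normalise block-list lines into bare, lower-case domain names.

    Skips blank lines and '#' comments, takes the last field of hosts-style
    entries, drops a trailing dot, and ignores 'localhost' and pure IP
    addresses so the sink address itself never ends up in the set.
    """
    domains = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        domain = line.split()[-1].rstrip(".").lower()
        if not domain or domain == "localhost" or domain.replace(".", "").isdigit():
            continue
        domains.add(domain)
    return domains


def is_blocked(qname, blocked):
    """True if qname or any parent domain is in the block set.

    Matching is done per label, so blocking 'malware.example' also covers
    'cdn.malware.example' but not 'notmalware.example'. The query name is
    taken as unbound hands it over (trailing dot, original case).
    """
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


BLOCKED = parse_block_list(SAMPLE_LIST.splitlines())

if __name__ == "__main__":
    for q in ("cdn.malware.example.", "PHISH.example", "notmalware.example"):
        print(q, "-> NXDOMAIN" if is_blocked(q, BLOCKED) else "-> pass")
```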
Allow access from 192.168.0.0/24 so the internal network can use this DNS.
```sh
firewall-cmd --permanent --new-zone=unbound
firewall-cmd --reload
firewall-cmd --permanent --zone=unbound --add-service=dns
firewall-cmd --permanent --zone=unbound --add-source=192.168.0.0/24
firewall-cmd --reload
firewall-cmd --get-active-zones
firewall-cmd --list-all --zone=unbound
systemctl start unbound
systemctl enable unbound
```
Creating the list
Fetch a malware blacklist from https://filterlists.com/.
1. Open https://filterlists.com/
2. Filter by:
   - Software: Any
   - Languages: Japanese
   - Tags: malware
3. "Pi-hole Parser - Japan" > details > view
```sh
wget -O /etc/unbound/block_domains.txt https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/CountryCodesLists/Japan.txt
```