
[Building unbound] Solving the iPhone mobile-data shortage with CentOS7 + L2TP/IPsec + unbound + mitmproxy

Posted at 2019-02-26

<<L2TP/IPsec setup | mitmproxy setup>>

unbound

Setup

Built by following the article "Site blocking is in the news, so I tried out a way to implement DNS blocking".

Build log

yum install unbound unbound-python
/etc/unbound/unbound.conf
server:
    verbosity: 1
    statistics-interval: 0
    statistics-cumulative: no
    extended-statistics: yes
    num-threads: 4
    interface-automatic: no
    so-reuseport: yes
    ip-transparent: yes
    chroot: ""
    username: "unbound"
    directory: "/etc/unbound"
    log-time-ascii: yes
    pidfile: "/var/run/unbound/unbound.pid"
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    unwanted-reply-threshold: 10000000
    prefetch: yes
    prefetch-key: yes
    rrset-roundrobin: yes
    minimal-responses: yes
    module-config: "ipsecmod validator iterator"
    trust-anchor-signaling: yes
    trusted-keys-file: /etc/unbound/keys.d/*.key
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-clean-additional: yes
    val-permissive-mode: no
    val-log-level: 1
    include: /etc/unbound/local.d/*.conf
    ipsecmod-enabled: no
    ipsecmod-hook: "/usr/libexec/ipsec/_unbound-hook"
python:
    # Script file to load
    # python-script: "/etc/unbound/ubmodule-tst.py"
remote-control:
    control-enable: yes
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"
include: /etc/unbound/conf.d/*.conf
/etc/unbound/conf.d/dns-cache.conf
server:
    verbosity: 1
    interface: 0.0.0.0
    access-control: 192.168.0.0/24 allow
    access-control: 127.0.0.1/32 allow
    use-syslog: yes
    log-time-ascii: yes
    log-queries: yes
    module-config: "python validator iterator"
python:
    python-script: "/etc/unbound/domain_filter.py"

Take the source from https://gist.github.com/kurochan/27f26f4688e20e166597bad677c0af0b#file-domain_filter-py

wget -O /etc/unbound/domain_filter.py https://gist.githubusercontent.com/kurochan/27f26f4688e20e166597bad677c0af0b/raw/5f5652453cad231f85931c09d85ac4147e9b9f67/domain_filter.py

Trim the log output a little so the logs are easier to read

/etc/unbound/domain_filter.py
# unbound python module: the names log_info, log_err, RCODE_NXDOMAIN,
# MODULE_* and the qstate object are injected by unbound at load time,
# so nothing is imported here.
BLOCK_DOMAINS_FILE = "/etc/unbound/block_domains.txt"
block_domains = set()

def load_file(file_name):
    # one domain per line; the trailing newline is stripped
    try:
        with open(file_name, "r") as f:
            for line in f:
                block_domains.add(line.rstrip())
        log_info("pythonmod: load block_domains from: %s" % file_name)
    except IOError:
        log_info("pythonmod: failed to load %s" % file_name)

def filter_domain(qstate, id):
    # exact match against the block list (no subdomain matching)
    domain = qstate.qinfo.qname_str.rstrip('.')
    if domain in block_domains:
        log_info("pythonmod: block_domains from: %s" % domain)
        # answer NXDOMAIN ourselves and stop the module chain here
        qstate.return_rcode = RCODE_NXDOMAIN
        qstate.ext_state[id] = MODULE_FINISHED
    else:
        #log_info("pythonmod: pass_domains from: %s" % domain)
        # hand the query on to the validator/iterator modules
        qstate.ext_state[id] = MODULE_WAIT_MODULE

def init(id, cfg):
    log_info("pythonmod: init called, module id is %d port: %d script: %s" % (id, cfg.port, cfg.python_script))
    load_file(BLOCK_DOMAINS_FILE)
    return True

def deinit(id):
    log_info("pythonmod: deinit called, module id is %d" % id)
    return True

def inform_super(id, qstate, superqstate, qdata):
    return True

def operate(id, event, qstate, qdata):
    #log_info("pythonmod: operate called, id: %d, event:%s" % (id, strmodulevent(event)))

    if event == MODULE_EVENT_NEW:
        filter_domain(qstate, id)
        return True

    # the downstream modules answered; mark this module finished
    if event == MODULE_EVENT_MODDONE:
        qstate.ext_state[id] = MODULE_FINISHED
        return True

    if event == MODULE_EVENT_PASS:
        filter_domain(qstate, id)
        return True

    log_err("pythonmod: BAD event")
    qstate.ext_state[id] = MODULE_ERROR
    return True
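The script above can only be exercised inside a running unbound, so here is an added example (not from the article or the gist it borrows from) that models the same blocking logic stand-alone: a loader for the block list and a driver that walks one query through the module events the way unbound does. The constants, `log_info`, and the `FakeQstate` class are constructed stand-ins for what unbound injects, not unbound's real API. It also goes beyond the article's exact-match filter in two ways that are assumptions about what a practitioner wants: it accepts hosts-style `0.0.0.0 domain` lines and comments in the list, and it blocks subdomains of a listed domain.

```python
# Added example: stand-alone model of an unbound python domain filter.
# Stand-ins for the symbols unbound injects into a real module (values assumed).
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
MODULE_FINISHED, MODULE_WAIT_MODULE, MODULE_ERROR = "finished", "wait_module", "error"
MODULE_EVENT_NEW, MODULE_EVENT_PASS, MODULE_EVENT_MODDONE = "new", "pass", "moddone"


def log_info(msg):
    print("info:", msg)


def parse_block_list(text):
    """Parse a block list into a set of lowercase domains.

    Accepts plain 'domain' lines and hosts-style '0.0.0.0 domain' or
    '127.0.0.1 domain' lines, and skips blanks and '#' comments. Handling
    the hosts style is an assumption about the list format so a list
    copied from a Pi-hole source still loads cleanly.
    """
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) > 1 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            domain = parts[-1]
        else:
            domain = parts[0]
        domains.add(domain.lower().rstrip("."))
    return domains


def is_blocked(qname, block_domains):
    """Exact match like the article's filter, extended so that a listed
    domain also blocks its subdomains (ads.example.jp blocks www.ads.example.jp)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in block_domains for i in range(len(labels)))


class FakeQinfo:
    def __init__(self, qname_str):
        self.qname_str = qname_str


class FakeQstate:
    """Constructed test double for unbound's module_qstate."""
    def __init__(self, qname_str):
        self.qinfo = FakeQinfo(qname_str)
        self.return_rcode = RCODE_NOERROR
        self.ext_state = {}


def filter_domain(qstate, id, block_domains):
    if is_blocked(qstate.qinfo.qname_str, block_domains):
        log_info("pythonmod: blocked %s" % qstate.qinfo.qname_str)
        qstate.return_rcode = RCODE_NXDOMAIN   # answer NXDOMAIN ourselves
        qstate.ext_state[id] = MODULE_FINISHED
    else:
        qstate.ext_state[id] = MODULE_WAIT_MODULE  # let validator/iterator resolve it


def operate(id, event, qstate, block_domains):
    """Same event handling as the article's operate(), minus unbound's globals."""
    if event in (MODULE_EVENT_NEW, MODULE_EVENT_PASS):
        filter_domain(qstate, id, block_domains)
        return True
    if event == MODULE_EVENT_MODDONE:
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    qstate.ext_state[id] = MODULE_ERROR
    return True


def resolve(qname, block_domains, id=0):
    """Drive one query through the module's event sequence and return
    (rcode, final ext_state) as unbound would see them."""
    qstate = FakeQstate(qname)
    operate(id, MODULE_EVENT_NEW, qstate, block_domains)
    if qstate.ext_state[id] == MODULE_WAIT_MODULE:
        # the iterator produced an answer; unbound calls back with MODDONE
        operate(id, MODULE_EVENT_MODDONE, qstate, block_domains)
    return qstate.return_rcode, qstate.ext_state[id]


# Constructed sample list; real lists come from the wget step in the article.
SAMPLE_LIST = """# constructed sample block list
malware.example.jp
0.0.0.0 tracker.example.net   # hosts-style line
"""

if __name__ == "__main__":
    blocked = parse_block_list(SAMPLE_LIST)
    for name in ("malware.example.jp.", "www.tracker.example.net.", "example.jp."):
        print(name, resolve(name, blocked))
```

Note that the article's filter, which matches only the exact name, would let `www.tracker.example.net` through; the subdomain check here closes that gap at the cost of one extra lookup per label.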

Allow access from 192.168.0.0/24 so the server can be used as the internal DNS

firewall-cmd --permanent --new-zone=unbound
firewall-cmd --reload
firewall-cmd --permanent --zone=unbound --add-service=dns
firewall-cmd --permanent --zone=unbound --add-source=192.168.0.0/24
firewall-cmd --reload
firewall-cmd --get-active-zones
firewall-cmd --list-all --zone=unbound
systemctl start unbound
systemctl enable unbound

Creating the list

Fetch a malware blocklist from https://filterlists.com/.

1. Open https://filterlists.com/
2. Filter by
    Software: Any
    Languages: Japanese
    Tags: malware
3. "Pi-hole Parser - Japan" > details > view
wget -O /etc/unbound/block_domains.txt https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/CountryCodesLists/Japan.txt