DNS firewall
A proxy to inspect and mingle locally generated DNS queries. Optional tray icon an Gtk interface.
Rationale
Inspecting and filtering DNS traffic generated by desktop applications can be tricky. Tools like tcpdump have no way to tell which running process generated a DNS query. Also, Netfilter cannot filter traffic by domain name and many domains resolve to IP addresses that change frequently.
A typical use case is to monitor browser, browsers plugins and extensions for suspicious home-calling or malicious/tracking javascript, or other application leaking data through DNS queries.
dns-firewall acts as a forwarding DNS resolver. It listens locally on port 53 and forwards only the allowed queries to external resolvers.
It detects the name of the process trying to resolve a domain name and applies filtering rules based on that.
Features
-
Block DNS queries by application and domain, or return configurable IP addresses
-
Tray icon with activity indicators
-
Log window to inspect recent activity
-
Optionally resolve names using the Tor network
Usage
Create ~/.config/dns-firewall/conf.yaml from conf.yaml.example
Binding to UDP port 53 is required. You can run the process as root or install and configure authbind:
sudo apt-get install authbind
sudo touch /etc/authbind/byport/53
authbind --depth 2 dns-firewall
# or
sudo dns-firewallAdd --tray to enable the tray icon and Gtk interface. Left-click on the tray icon to display the log window.
Update your /etc/resolv.conf with "nameserver 127.0.0.1"
Configuration example
# Cache DNS replies
enable_lru_cache: true
lru_cache_size: 100
# Listen on the following IP address and port
host: 127.0.0.1
port: 53
socket_timeout: 20
# DNS resolvers to forward queries to
resolvers: ['208.67.222.222:53', '208.67.220.220:53']
# Use Tor to perform DNS resolution
tor_socks_ipaddr: '127.0.0.1'
tor_socks_port: 9050
# Filtering rules
#
# Like in netfilter, the rules are processed in sequence until a match is found.
# The default values are:
#
# action: drop # Can be accept, nxdomain, return, drop
# dnscrypt: false # Use DNSCrypt
# processname: * # Match process name
# tcp: false # Use TCP instead of UDP
# tor: false # Resolve over Tor
# username: * # Match username
# warn: false # Log match
# zone: * # Match zone
filtering:
# drop all queries to drop.net
- zone: drop.net
action: drop
# resolve a domain using custom resolvers
- zone: custom_resolvers.net
action: accept
resolvers: ['208.67.222.222:53', '208.67.220.220:53']
# return nxdomain for nxdomain.net
- zone: nxdomain.net
action: nxdomain
# return nxdomain to netcat
- processname: nc
action: nxdomain
# return nxdomain to an user
- username: foo
action: nxdomain
# return 127.0.0.1 for return1.net
- zone: return1.net
action: return 127.0.0.1
# resolve in TCP
- zone: tcp.net
action: accept
tcp: true
# resolve using dnscrypt
- zone: dnscrypt.net
dnscrypt: true
action: accept
# resolve using dnscrypt over Tor
- zone: dnscrypt_tor.net
dnscrypt: true
tor: true
action: accept
# resolve using Tor
- zone: tor.net
tor: true
action: accept
# forward every other request to the DNS resolvers, but warn
- action: accept
warn: true
# forward every other request to the DNS resolvers
- action: acceptDevelopment status
In development. Testing and contributions are welcome!
