ragibkl / adblock-dns-server

Adblock DNS Server powered by Bancuh DNS and dnsdist-acme
https://bancuh.com/
MIT License

Wildcard troubleshooting #187

Closed Tomatoide closed 11 months ago

Tomatoide commented 11 months ago

Let's look at an example. Take this list: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/nosafesearch.txt Most, if not all, entries are not blocked. Can you take a look, @ragibkl? Thank you.

ragibkl commented 11 months ago

I haven't had time to look at this yet. I'll take a look this weekend.

Tomatoide commented 11 months ago

That's ok, Ragib. I have another question. So there is wildcard (asterisk) syntax, and there is only-domains (no subdomains) syntax, which is even smaller in size / more efficient, albeit not much smaller. For example:
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/nosafesearch.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/nosafesearch-onlydomains.txt

I don't know if either is supported, and the only-domains (no subdomains) syntax seems to need proper code behind it, as you need to block, from the listed domains, all the subdomains and all the subdomains of those subdomains, etc. I have read about this problem with pfBlockerNG, for example, which needs to be avoided:

- PfBlockerNG (Note that pfBlockerNG does support wildcard blocking, but its implementation is wack; it won't block subdomains of already listed subdomains, e.g. g.doubleclick.net should block adclick.g.doubleclick.net, adx.g.doubleclick.net, captive.googleads.g.doubleclick.net etc., but it does not.)

So if you can clarify whether Bancuh supports that, it would be appreciated. Thanks.

ragibkl commented 11 months ago

Hi @Tomatoide , I've figured this out. I think our Bancuh DNS is working correctly.

test 1

I ran a simple test on my laptop as follows:

check if the domain copp.gg is included in the blacklist

Inside the dns process, I can find the following:

# cat /etc/bind/blacklist.zone | grep copp.gg
*.copp.gg CNAME null.null-zone.null.

This means that we loaded *.copp.gg into the blacklist.

test dns for copp.gg

Then I ran 2 DNS tests:

$ nslookup -port=1153 copp.gg localhost
Server:     localhost
Address:    127.0.0.1#1153

Non-authoritative answer:
Name:   copp.gg
Address: 45.76.225.26

$ nslookup -port=1153 anything.copp.gg localhost
Server:     localhost
Address:    127.0.0.1#1153

Non-authoritative answer:
anything.copp.gg    canonical name = null.null-zone.null.
Name:   null.null-zone.null
Address: 0.0.0.0
Name:   null.null-zone.null
Address: ::1

$ nslookup -port=1153 anything.g.copp.gg localhost
Server:     localhost
Address:    127.0.0.1#1153

Non-authoritative answer:
anything.g.copp.gg  canonical name = null.null-zone.null.
Name:   null.null-zone.null
Address: 0.0.0.0
Name:   null.null-zone.null
Address: ::1

As you can see, copp.gg is not blocked, but anything.copp.gg and anything.g.copp.gg are blocked. This is CORRECT DNS behaviour.

test 2

If you also want to block copp.gg, I think you just need to include both lists. I'm testing them on my laptop like this and it works as below:

I ran another test on my laptop as follows:

check if the domain copp.gg is included in the blacklist

# cat /etc/bind/blacklist.zone | grep copp.gg
copp.gg CNAME null.null-zone.null.
*.copp.gg CNAME null.null-zone.null.

So both copp.gg and *.copp.gg are included in the blacklist.

test dns for copp.gg

$ nslookup -port=1153 copp.gg localhost
Server:     localhost
Address:    127.0.0.1#1153

Non-authoritative answer:
copp.gg canonical name = null.null-zone.null.
Name:   null.null-zone.null
Address: 0.0.0.0
Name:   null.null-zone.null
Address: ::1

$ nslookup -port=1153 anything.copp.gg localhost
Server:     localhost
Address:    127.0.0.1#1153

Non-authoritative answer:
anything.copp.gg    canonical name = null.null-zone.null.
Name:   null.null-zone.null
Address: 0.0.0.0
Name:   null.null-zone.null
Address: ::1

$ nslookup -port=1153 anything.g.copp.gg localhost
Server:     localhost
Address:    127.0.0.1#1153

Non-authoritative answer:
anything.g.copp.gg  canonical name = null.null-zone.null.
Name:   null.null-zone.null
Address: 0.0.0.0
Name:   null.null-zone.null
Address: ::1

As you can see, all three (copp.gg, anything.copp.gg and anything.g.copp.gg) are blocked.

Conclusion

If you want to block the main domain and all subdomains, please include the domain both as *.domain.com and as domain.com, without the *.

In your Hagezi list example, just include both in the blacklist:

blacklist:
  - format: domains
    path: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/nosafesearch.txt
  - format: domains
    path: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/nosafesearch-onlydomains.txt

Regarding your concern:

PfBlockerNG (Note that pfBlockerNG does support wildcard blocking, but it's implementation is wack; It won't block subdomains to already listed subdomains, eg g.doubleclick.net should block; adclick.g.doubleclick.net, adx.g.doubleclick.net, captive.googleads.g.doubleclick.net etc, but it does not.)

I think we don't have this problem. You can put *.g.doubleclick.net in our blacklist, and it should block all of adclick.g.doubleclick.net, adx.g.doubleclick.net and captive.googleads.g.doubleclick.net. If you also want to block g.doubleclick.net, just include that in the blacklist without the * as well.

ragibkl commented 11 months ago

I think we don't have this problem. You can put *.g.doubleclick.net in our blacklist, and it should block all of adclick.g.doubleclick.net, adx.g.doubleclick.net, captive.googleads.g.doubleclick.net. If you also want to block g.doubleclick.net, just include that in blacklist without the * as well.

I've tested this on my laptop. Just add *.g.doubleclick.net to mist_blacklist.txt and it will block the listed subdomains of it correctly. You can also add g.doubleclick.net if you want to block that as well.
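The matching rule demonstrated in the two tests above and in the g.doubleclick.net follow-up (an exact entry blocks only that name; a `*.` entry blocks every name beneath it at any depth but not the name itself) can be modelled in a few lines. The following is an added example, not code from adblock-dns-server or Bancuh DNS: the two list snippets are constructed stand-ins for the Hagezi wildcard and onlydomains files (assumed to carry `#` comment lines and one entry per line), the CNAME target is the `null.null-zone.null.` sinkhole shown in the zone grep, and `apex_not_covered` is a hypothetical helper that reports the gap test 1 exposed, so you can see which bare domains still need an entry without the `*`.

```python
"""Added example (not code from adblock-dns-server): a model of the
blacklist zone behaviour shown in this issue.  Exact entries block only
the listed name; '*.' entries block every name strictly beneath them,
at any depth, but not the name itself.  List contents are constructed.
"""

# Constructed stand-ins for the two list styles under discussion.
WILDCARD_LIST = """\
# wildcard style: one entry covers every subdomain, not the apex
*.copp.gg
*.g.doubleclick.net
"""

ONLYDOMAINS_LIST = """\
# onlydomains style: the bare domain only
copp.gg
"""

SINKHOLE = "null.null-zone.null."  # CNAME target seen in /etc/bind/blacklist.zone


def parse_list(text):
    """Return normalised entries: lowercase, no trailing dot, comments skipped."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.add(line.rstrip(".").lower())
    return entries


def zone_lines(entries):
    """Render entries as the CNAME records the zone grep in the issue shows."""
    return [f"{name} CNAME {SINKHOLE}" for name in sorted(entries)]


def classify(entries, qname):
    """Return ('blocked', matching_entry) or ('pass-through', None) for qname."""
    qname = qname.rstrip(".").lower()
    if qname in entries:  # exact owner name
        return ("blocked", qname)
    labels = qname.split(".")
    # A '*.parent' entry covers any name strictly below parent, however
    # many labels deep; check the most specific parent first.
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in entries:
            return ("blocked", candidate)
    return ("pass-through", None)


def apex_not_covered(entries):
    """Hypothetical check: wildcard entries whose bare domain is missing."""
    return sorted(e[2:] for e in entries if e.startswith("*.") and e[2:] not in entries)


def demo():
    """Reproduce test 1 (wildcard list alone) and test 2 (both lists)."""
    queries = ["copp.gg", "anything.copp.gg", "anything.g.copp.gg",
               "adx.g.doubleclick.net", "g.doubleclick.net"]
    test1 = parse_list(WILDCARD_LIST)
    test2 = test1 | parse_list(ONLYDOMAINS_LIST)
    return {
        "test1": {q: classify(test1, q)[0] for q in queries},
        "test2": {q: classify(test2, q)[0] for q in queries},
        "test1_missing_apex": apex_not_covered(test1),
        "test2_missing_apex": apex_not_covered(test2),
    }


if __name__ == "__main__":
    for line in zone_lines(parse_list(WILDCARD_LIST) | parse_list(ONLYDOMAINS_LIST)):
        print(line)
    for name, result in demo().items():
        print(name, result)
```

Running `apex_not_covered` over a merged blacklist gives the list of domains that still need a bare entry; confirm any change the way the author did, with an `nslookup`/`dig` against the server for the apex, one subdomain and one nested subdomain.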

Tomatoide commented 11 months ago

Fascinating! Thank you @ragibkl. I made the necessary changes and hopefully everything works as expected. Thanks 👍