coredns-blocklist

This is a CoreDNS plugin that returns an NXDOMAIN response for any domain on the preloaded lists. It can be useful for blocking malware domains or trackers.

Usage

The plugin can load lists both from files on disk and from HTTP servers, by passing a URL. The file should contain one domain per line. There is an example file in the example folder.

. {
  log
  prometheus

  # load from url
  blocklist https://mirror1.malwaredomains.com/files/justdomains
  # load from file, if the path is not absolute it will be relative to the Corefile
  blocklist blocklist.txt

  forward . 1.1.1.1 1.0.0.1
}

Installation

There are multiple ways to add plugins to CoreDNS, but whichever you choose, the order matters. The order sets the precedence of the plugins when resolving queries. This means the blocklist plugin must come before any plugin that would resolve the domains normally (such as forward). Furthermore, the log plugin should come before this plugin to get proper logging.

Using plugin.cfg file

Add the following to the plugin.cfg file in your clone of coredns and follow the instructions from coredns.

blocklist:github.com/relekang/coredns-blocklist

Using a go file to compile the bundle

See example/main.go for how to create a file that you can compile to get CoreDNS with this plugin. It works with the CoreDNS version defined in go.mod.

The example is bundled with the releases on the release page of this repository, where it can be downloaded prebuilt for a number of environments.

coredns-blocklist's People

Contributors

dependabot[bot], jsimomaa, mutemule, relekang


coredns-blocklist's Issues

use NULL blocking instead of NXDOMAIN

According to some sources, "experiments suggest that clients may try to resolve blocked domains more often compared to NULL blocking." Upon further inspection, it appears a Null response is not specified in msg.go RcodeToString. May need to implement net.IPv4zero and net.IPv6zero.

what is the optimal position for coredns-blocklist in default plugin.cfg

In the default coredns plugin.cfg, what is the optimal position for coredns-blocklist?

# Directives are registered in the order they should be executed.
#
# Ordering is VERY important. Every plugin will feel the effects of all other
# plugin below (after) them during a request, but they must not care what plugin
# above them are doing.

# How to rebuild with updated plugin configurations: Modify the list below and
# run `go generate && go build`

# The parser takes the input format of:
#
#     <plugin-name>:<package-name>
# Or
#     <plugin-name>:<fully-qualified-package-name>
#
# External plugin example:
#
# log:github.com/coredns/coredns/plugin/log
# Local plugin example:
# log:log

metadata:metadata
geoip:geoip
cancel:cancel
tls:tls
reload:reload
nsid:nsid
bufsize:bufsize
root:root
bind:bind
debug:debug
trace:trace
ready:ready
health:health
pprof:pprof
prometheus:metrics
errors:errors
log:log
dnstap:dnstap
local:local
dns64:dns64
acl:acl
any:any
chaos:chaos
loadbalance:loadbalance
tsig:tsig
cache:cache
rewrite:rewrite
header:header
dnssec:dnssec
autopath:autopath
minimal:minimal
template:template
transfer:transfer
hosts:hosts
route53:route53
azure:azure
clouddns:clouddns
k8s_external:k8s_external
kubernetes:kubernetes
file:file
auto:auto
secondary:secondary
etcd:etcd
loop:loop
forward:forward
grpc:grpc
erratic:erratic
whoami:whoami
on:github.com/coredns/caddy/onevent
sign:sign

Feature request: whitelist

Can you add a whitelist capability that takes precedence over the blacklist? Something like

. {
  log
  prometheus

  whitelist mywhitelistfile.txt

  # load from url
  blocklist https://mirror1.malwaredomains.com/files/justdomains
  # load from file, if the path is not absolute it will be relative to the Corefile
  blocklist list.txt

  forward . 1.1.1.1 1.0.0.1
}
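The following is an added example, not code from coredns-blocklist or its author. It is a stand-alone Go program that loads the one-domain-per-line format described under Usage and decides, per query name, whether to answer NXDOMAIN or let the query through, with an allowlist that takes precedence over the blocklist as the whitelist request above asks for. Everything beyond "one domain per line" and "listed means NXDOMAIN" is an assumption of this example: the `#` comment handling, the case and trailing-dot normalization (query names in the debug log further down arrive as FQDNs such as `ocsp.apple.com.` while list entries have no dot), and the `LoadAllowed`/`Decide` API, which says nothing about the plugin's actual directive syntax.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// Action is the decision for one query name.
type Action int

const (
	// Forward: the name is not blocked; let the next plugin (e.g. forward) answer.
	Forward Action = iota
	// Block: the name is on the blocklist; answer NXDOMAIN as coredns-blocklist does.
	Block
)

func (a Action) String() string {
	if a == Block {
		return "NXDOMAIN"
	}
	return "forward"
}

// normalize brings list entries and query names into one canonical form:
// trimmed, lowercase, no trailing dot. Query names arrive as FQDNs
// ("ocsp.apple.com.") while list files usually omit the dot, so comparing
// raw strings would miss every entry. (Assumption of this example.)
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// Lists holds blocked names and allowed names; an allowed name is never blocked.
type Lists struct {
	blocked map[string]struct{}
	allowed map[string]struct{}
}

func NewLists() *Lists {
	return &Lists{blocked: map[string]struct{}{}, allowed: map[string]struct{}{}}
}

// loadNames reads the one-domain-per-line format. Blank lines and '#'
// comments (whole-line or trailing) are skipped; the comment handling is an
// assumption of this example, not documented plugin behaviour.
// It returns the number of names added.
func loadNames(r io.Reader, into map[string]struct{}) (int, error) {
	sc := bufio.NewScanner(r)
	n := 0
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		name := normalize(line)
		if name == "" || strings.ContainsAny(name, " \t") {
			continue // empty, comment-only, or not a single domain on the line
		}
		into[name] = struct{}{}
		n++
	}
	return n, sc.Err()
}

// LoadBlocked adds names from r to the blocklist.
func (l *Lists) LoadBlocked(r io.Reader) (int, error) { return loadNames(r, l.blocked) }

// LoadAllowed adds names from r to the allowlist (hypothetical API for this example).
func (l *Lists) LoadAllowed(r io.Reader) (int, error) { return loadNames(r, l.allowed) }

// Decide returns Block only when the name is blocked and not allowed.
func (l *Lists) Decide(qname string) Action {
	name := normalize(qname)
	if _, ok := l.allowed[name]; ok {
		return Forward // allowlist wins over any blocklist entry
	}
	if _, ok := l.blocked[name]; ok {
		return Block
	}
	return Forward
}

func main() {
	// Constructed sample lists; the two names mirror the example list in the debug log.
	const blocklistTxt = "# constructed sample blocklist\ndiagnostics.meethue.com\nOCSP.Apple.com.\n"
	const allowlistTxt = "ocsp.apple.com\n"

	l := NewLists()
	if n, err := l.LoadBlocked(strings.NewReader(blocklistTxt)); err == nil {
		fmt.Printf("loaded %d blocked names\n", n)
	}
	for _, q := range []string{"ocsp.apple.com.", "diagnostics.meethue.com.", "www.apple.com."} {
		fmt.Printf("%-26s -> %s\n", q, l.Decide(q))
	}
	l.LoadAllowed(strings.NewReader(allowlistTxt))
	fmt.Printf("after allowlist: ocsp.apple.com. -> %s\n", l.Decide("ocsp.apple.com."))
}
```

Exact-name matching is deliberate: the README only promises that domains on the list are blocked, so this example does not guess at subdomain matching. Normalizing both sides before the lookup is the one step worth checking first when a listed name still resolves, because a list entry without a trailing dot and a query name with one are different strings.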

I guess there is some bug

It does not work as expected.

[INFO] plugin/blocklist: Loading from https://raw.githubusercontent.com/relekang/coredns-blocklist/master/example/blocklist.txt
[INFO] plugin/blocklist: Loaded 2 domains from https://raw.githubusercontent.com/relekang/coredns-blocklist/master/example/blocklist.txt
[DEBUG] plugin/blocklist: Creating blocklist plugin with 2 blocks, 0 allows, and domain metrics set to false
[DEBUG] plugin/blocklist: Loaded 'diagnostics.meethue.com' into blocklist
[DEBUG] plugin/blocklist: Loaded 'ocsp.apple.com' into blocklist
.:53
CoreDNS-1.11.1
linux/amd64, go1.20.14,
[INFO] 127.0.0.1:40399 - 51990 "A IN ocsp.apple.com. udp 55 false 4096" NOERROR qr,rd,ra 233 0.310952354s

With query

bash-5.1# dig ocsp.apple.com @127.0.0.1

; <<>> DiG 9.16.33 <<>> ocsp.apple.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51990
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ocsp.apple.com.			IN	A

;; ANSWER SECTION:
ocsp.apple.com.		1697	IN	CNAME	ocsp-lb.apple.com.akadns.net.
ocsp-lb.apple.com.akadns.net. 60 IN	CNAME	ocsp-a.g.aaplimg.com.
ocsp-a.g.aaplimg.com.	15	IN	A	17.253.87.203
ocsp-a.g.aaplimg.com.	15	IN	A	17.253.87.202

;; Query time: 310 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 20 10:44:50 UTC 2024
;; MSG SIZE  rcvd: 233

My Corefile config

.:53 {
  log
  debug
  prometheus

  # load from url
  blocklist https://raw.githubusercontent.com/relekang/coredns-blocklist/master/example/blocklist.txt

  forward . 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4
}

Blocklist update handling

Quick question: if the blocklist file contents are updated on disk, will the changes be immediately reflected in CoreDNS or do I need to restart CoreDNS?
