Hard coded DNS / IPs

#1
Hi, just 20 mins ago I found out about this project and it looks super interesting! I think I am going to try it now on a 3B+ lying around. I had a question though. How does this box handle hard coded queries? Like IPs and DNS?

This is a problem I had trouble getting my head around when using similar installations / setups such as KeexyBox.

Does this allow access to a full monitoring report (filtered maybe)? I mean not only graphs but lists of outgoing queries made by my devices and their protocols? (Sorry if I am not that clear, I am not an expert.) I am hoping that this project helps me reveal potential suspicious traffic made by devices.

I guess an example or two would be best. So let's say the UniFi Dream Machine: it has been suspected to "phone home" without user knowledge before and, so far, I haven't seen someone showing test results about that.

One more example: Android devices using hard coded DNS to send data even if a user is trying to prevent this (which apparently bypasses the user's attempts to block those). Again, all speculation, at least to me. And I like to test stuff, so would this be a proper project / box for me to do that kind of investigation?

I know some tools that might already do this but I am not that great when it comes to networking yet. Still learning some basics...

Anyway, I figured I'd ask and, worst case, it'll be a suggestion for you guys / gals :)

Edit:

Hmm, funny that I had to make this post right before finally finding good info about this topic. Usually I wasn't able to get much out of my searches, hehe. Here, this is what I mean (I don't know how trustworthy this info is, but it does describe well what I was trying to say):

https://labzilla.io/blog/force-dns-pihole
#2
If you use KeexyBox as DNS only, exactly like Pi-hole does, KeexyBox will not prevent hard coded DNS.
But if you use it as gateway, the answer is "YES"!

Thanks to its role as default gateway, KeexyBox NATs any DNS queries. This means that even if 8.8.8.8 is configured as DNS on the client device, it is KeexyBox that will handle the DNS query and thus allow the domain to be blocked. Below is an example of a dig query using 8.8.8.8 from a Windows workstation behind a KeexyBox gateway.

Code:
C:\Users\user>dig -t a baddomain.com @8.8.8.8

; <<>> DiG 9.11.0 <<>> -t a baddomain.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57673
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b3d498e2a8be0e12bce7e0a45fd709d5abf3c4674147707b (good)
;; QUESTION SECTION:
;baddomain.com.                  IN      A

;; ANSWER SECTION:
baddomain.com.            0      IN      CNAME  keexybox.
keexybox.              604800  IN      A      192.168.1.253

;; AUTHORITY SECTION:
keexybox.              604800  IN      NS      ns.keexybox.

;; ADDITIONAL SECTION:
ns.keexybox.            604800  IN      A      192.168.1.253

;; Query time: 12 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Dec 14 10:44:37 Arabie 2020
;; MSG SIZE  rcvd: 139

If you want to prevent devices from doing DNS over HTTPS (DoH), you can blacklist the domain of the DoH server, or you can block the IP address of the server by creating a firewall rule in KeexyBox.

https://wiki.keexybox.org/doku.php/profi...e_firewall
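A small check that turns the dig output above into a yes/no answer: did the gateway intercept a query that the client addressed to a public resolver? This is an added example, not code from the post or from KeexyBox; the sinkhole address 192.168.1.253 and the "keexybox." zone come from the dig output quoted above, and the second, pass-through sample is constructed.

```python
import re

# Sample 1 (abridged from the post above): the client asked 8.8.8.8, but the
# answer chain ends in the gateway's own sinkhole zone and LAN address.
INTERCEPTED = """\
; <<>> DiG 9.11.0 <<>> -t a baddomain.com @8.8.8.8
;; ANSWER SECTION:
baddomain.com.            0      IN      CNAME  keexybox.
keexybox.              604800  IN      A      192.168.1.253

;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

# Sample 2 (constructed): a network that does NOT redirect port 53, so the
# public resolver's own answer (a TEST-NET address here) comes back untouched.
PASSED_THROUGH = """\
; <<>> DiG 9.11.0 <<>> -t a example.com @8.8.8.8
;; ANSWER SECTION:
example.com.            300     IN      A       192.0.2.10

;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

# One resource record line as dig prints it: name ttl IN type rdata
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_answers(dig_output):
    """Return (server_ip, [(name, ttl, rtype, rdata), ...]) from dig text output."""
    server, answers, in_answer = None, [], False
    for line in dig_output.splitlines():
        if line.startswith(";; SERVER:"):
            server = line.split()[2].split("#")[0]   # "8.8.8.8#53(8.8.8.8)" -> "8.8.8.8"
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";") or not line.strip():
            in_answer = False                         # comment or blank line ends the section
        elif in_answer:
            m = RR_RE.match(line)
            if m:
                name, ttl, rtype, rdata = m.groups()
                answers.append((name, int(ttl), rtype, rdata))
    return server, answers


def query_was_intercepted(dig_output, sinkhole_ip, sinkhole_zone="keexybox."):
    """True when dig reports a public resolver as SERVER, yet the answer
    resolves into the gateway's sinkhole zone or its LAN address."""
    server, answers = parse_answers(dig_output)
    if server is None or server == sinkhole_ip:
        return False   # the client asked the gateway directly; nothing to tell apart
    return any((rtype == "CNAME" and rdata.endswith(sinkhole_zone)) or
               (rtype == "A" and rdata == sinkhole_ip)
               for _n, _t, rtype, rdata in answers)
```

Feed it the output of `dig -t a <domain> @8.8.8.8` from a client behind the gateway; a True result confirms the NAT redirect is in effect for that client, a False result means hard coded DNS is reaching the upstream.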