by xoa 4 days ago
>Adding to DNS block list immediately.

Just making a note here for anyone else with the same thought: I went to ping the domains listed ITT, and nothing went through. I'm running OPNsense and amongst other things using some of the hagezi DNS block lists [0]. It looks like brdtnet.com, bright-sdk.com and various subdomains were already in there, which is a nice sanity check.

That said, it's also worth noting that an Unbound or other resolver-based DNS block list can prevent resolution but doesn't prevent connecting to the underlying IP; it's not the same thing as actually invoking your firewall itself. For that I think you need to stick the lists into something that will resolve them regularly and then actually firewall that off. So for OPNsense you can set up an alias using the URL Table (plain text) or URL Table in JSON depending on format, or manage it externally directly if desired. Then the source will be updated and aliases will all be resolved on operator-defined schedules, and can in turn be fed into regular firewall rules. Don't forget these can turn into massive lists, so make sure your internal resource limits (so for OPNsense that'd be Firewall Maximum Table Entries) are set sufficiently high and the hardware can handle it.

Other systems may handle it differently; it's just important to double check what is actually happening, including if something malicious tries to be sneakier. And ultimately for these sorts of untrustable embedded devices that lack owner control, it's probably a lot better and more sustainable, if more effort upfront, to isolate them into their own VLAN/subnet and then whitelist instead of blacklist. So they can only access what you decide they need to and nothing else, vs. access everything except what is disallowed. Still, blacklisting bad actors as a final layer for everything may still be useful.

----

0: https://github.com/hagezi/dns-blocklists
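The resolve-then-firewall step described in the comment above, as an added example that is not part of the thread or of OPNsense itself. It assumes the block list arrives as one domain per line, hosts-file style, or adblock `||domain^` syntax (all three are parsed), resolves each name through an injectable resolver (a constructed lookup table here, so it runs offline; `live_resolver` uses the system DNS), and emits a plain-text address table of the kind a URL Table alias consumes. The last function shows the gap the commenter points out: a hard-coded destination IP is untouched by DNS blocking and is only caught by the resolved address table. The domains brdtnet.com and bright-sdk.com come from the thread; every IP address is a constructed documentation-range value.

```python
"""Turn a domain block list into a firewall address table (added example).

Assumptions, not from the thread: lists are domain-per-line, hosts-file
style ("0.0.0.0 domain"), or adblock syntax ("||domain^"). Resolution is
injectable so the demo runs offline against a constructed lookup table.
"""
import ipaddress
import socket
from typing import Callable, Iterable

Resolver = Callable[[str], list[str]]

# Constructed sample mixing the list formats named above; not a real file.
SAMPLE_LIST = """\
# Title: constructed sample, not a real hagezi file
brdtnet.com
0.0.0.0 www.brdtnet.com
||bright-sdk.com^
! adblock-style comment
bright-sdk.com
"""

# Constructed DNS answers (documentation ranges). Real runs use live_resolver.
FAKE_DNS = {
    "brdtnet.com": ["192.0.2.10", "192.0.2.11"],
    "www.brdtnet.com": ["192.0.2.10"],
    "bright-sdk.com": ["198.51.100.5"],
}


def parse_blocklist(text: str) -> list[str]:
    """Return unique, lower-cased domains in first-seen order."""
    seen: dict[str, None] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # comments in either syntax
            continue
        if line.startswith("||") and line.endswith("^"):
            line = line[2:-1]                 # adblock rule -> bare domain
        parts = line.split()
        line = parts[-1] if len(parts) > 1 else parts[0]  # hosts-file style
        seen.setdefault(line.lower(), None)
    return list(seen)


def live_resolver(domain: str) -> list[str]:
    """Resolve with the system resolver; [] on NXDOMAIN or timeout."""
    try:
        infos = socket.getaddrinfo(domain, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fake_resolver(domain: str) -> list[str]:
    """Offline stand-in for live_resolver backed by the constructed table."""
    return FAKE_DNS.get(domain, [])


def resolve_to_table(domains: Iterable[str], resolver: Resolver) -> list[str]:
    """Resolve every domain and return sorted, de-duplicated addresses."""
    addrs = set()
    for domain in domains:
        for ip in resolver(domain):
            try:
                addrs.add(ipaddress.ip_address(ip))
            except ValueError:
                continue  # drop malformed answers instead of poisoning the table
    return [str(a) for a in sorted(addrs, key=lambda a: (a.version, int(a)))]


def render_pf_table(ips: list[str]) -> str:
    """One address per line, the plain-text form a URL Table alias fetches."""
    return "\n".join(ips) + "\n"


def firewall_blocks(dst_ip: str, table: list[str]) -> bool:
    """True when a direct connection to dst_ip is caught by the address
    table. DNS blocking alone never sees such a connection."""
    return str(ipaddress.ip_address(dst_ip)) in table


if __name__ == "__main__":
    domains = parse_blocklist(SAMPLE_LIST)
    table = resolve_to_table(domains, fake_resolver)
    print(render_pf_table(table), end="")
    print("direct connect to 192.0.2.10 blocked:", firewall_blocks("192.0.2.10", table))
```

Run it on a schedule, write the output where the firewall's URL Table alias fetches it, and keep an eye on the table size against the resource limits the comment mentions, since a list of this kind resolves to far more addresses than domains.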

1 comment

Excellent point on allow-listing. I feel like I'm moving further and further in that direction, primarily due to the block lists becoming unmanageable in their size / memory needs.

OPNsense is beautifully flexible for this.