I’d like to create an appliance that runs BIND and works as a DNS Firewall, taking an RPZ policy from one of the various RPZ providers, such as the company I work for - ThreatSTOP. This would be similar to the AdGuard product but would protect against malware and the like instead of/as well as ads.
This is something that I know how to build in that I work for ThreatSTOP, which offers this product on regular Ubuntu servers. We have a Raspbian image and an Ubuntu ISO / VM that do this, and have developed docker images though they haven’t been released, so it’s just a question of understanding how to build an Ubuntu Appliance instead of a .ova or Raspbian image.
Audience
DNS Firewalls in this sort of appliance form are particularly useful for SOHO and SMB work environments where they can offer the same protection that large organizations offer inside their large corporate networks using the same technology. With the current work-from-home trend it is becoming more and more important to extend the capabilities to homes and small offices. However, there are plenty of benefits for home users too, as a DNS FW can protect unwary internet users, such as children, from downloading software they shouldn’t or connecting to phishing sites and so on.
Software considerations
As noted above, we know how to build this in other environments. It is effectively a collection of standard Ubuntu packages plus a small amount of configuration. The most complicated part is probably giving the appliance a fixed IP address at boot. We have this covered for Raspbian based off of work I have published at my github page (see profile) and I assume there are similar methods available for Ubuntu Appliances.
Hardware considerations
There are no special hardware requirements (beyond a network connection). Lower spec Raspberry Pis cannot run BIND with very large RPZ policies and larger networks will benefit from a Pi4 or NUC for performance, but a SOHO network version (say 10-25 laptops/smartphones etc.) works fine on a Pi2 or Pi3 as that is what I use personally.
Security considerations
There are no particular security requirements.
Privacy
Since a DNS Firewall downloads a policy from the supplier and applies it locally to name resolution it is inherently a privacy improver. If (and this would be desired but optional) a user has a ThreatSTOP account and wishes to see reports on blocked traffic then the logs of the blocked traffic would be uploaded to ThreatSTOP for analysis. Such logs would be subject to the ThreatSTOP privacy policy terms.
Maintenance considerations
The software uses completely standard Ubuntu packages. The changes involve editing the configuration of those packages. Currently those changes are implemented using either shell scripts or scripts in other standard Linux languages such as Perl.
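To show what "a policy applied locally to name resolution" looks like in BIND terms, here is an added example (not part of the original post and not ThreatSTOP's tooling) that turns a plain domain blocklist into an RPZ zone file and prints the named.conf stanza that enforces it with hit logging; the zone name rpz.local and the sample domains are constructed.

```shell
#!/bin/sh
# Added example: build a BIND RPZ zone from a plain domain blocklist and emit
# the named.conf fragment that turns it into a DNS firewall policy.
# rpz.local and the blocklist contents are constructed for this example.

# make_rpz_zone LIST OUT SERIAL
# LIST: one domain per line, '#' comments allowed. OUT: zone file written.
# Every domain and its subdomains get the RPZ NXDOMAIN action ("CNAME .").
make_rpz_zone() {
    list=$1 out=$2 serial=$3
    printf '$TTL 300\n' > "$out"
    printf '@ IN SOA localhost. hostmaster.localhost. (%s 3600 900 604800 300)\n' "$serial" >> "$out"
    printf '@ IN NS localhost.\n' >> "$out"
    # drop comments and blank lines, lower-case, strip a trailing dot, dedupe
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' -e 's/\.$//' "$list" \
      | tr 'A-Z' 'a-z' | sort -u \
      | while IFS= read -r d; do
            printf '%s CNAME .\n*.%s CNAME .\n' "$d" "$d"
        done >> "$out"
}

# rpz_entries ZONE -> number of RPZ trigger records in ZONE
rpz_entries() { grep -c ' CNAME \.$' "$1"; }

# rpz_named_conf ZONENAME ZONEFILE -> named.conf lines enabling the policy.
# "log yes" records every hit in the rpz log category, which is the
# blocked-traffic log the post mentions uploading for reporting.
rpz_named_conf() {
    cat <<EOF
zone "$1" { type master; file "$2"; allow-query { none; }; };
// add inside the existing options { } block:
response-policy { zone "$1" log yes; };
EOF
}

# Demo with a constructed blocklist (duplicates, comments, mixed case)
tmp=$(mktemp -d)
printf '# constructed sample\nmalware.example\nPhish.Example.\n\nmalware.example\n' > "$tmp/list.txt"
make_rpz_zone "$tmp/list.txt" "$tmp/rpz.local.zone" 2024010101
rpz_named_conf rpz.local "$tmp/rpz.local.zone"
```

Load the generated zone with named-checkzone before pointing named at it; a bad serial or a stray record makes BIND reject the whole policy rather than part of it.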