Proposed New Appliance: DNS Firewall

I’d like to create an appliance that runs a bind and works as a DNS Firewall, taking an RPZ policy from one of the various RPZ providers, such as the company I work for - ThreatSTOP. This would be similar to the AdGuard product but would protect against Malware and the like instead of/as well as Ads.

This is something that I know how to build in that I work for ThreatSTOP which offers this product on regular Ubuntu servers. We have a Raspbian image and an Ubuntu ISO / VM that do this, and have developed docker images though they haven’t been released, so it’s just a question of understanding how to build an Ubuntu Appliance instead of a .ova or Raspbian image.


DNS Firewalls in this sort of appliance form are particularly useful for SOHO and SMB work environments where they can offer the same protection that large organizations offer inside their large corporate networks using the same technology. With the current work from home trend it is becoming more and more important to extend the capabilities to homes and small offices. However there are plenty of benefits for home users too, as a DNS FW can protect unwary internet users, such as children, from downloading software they shouldn’t or connecting to phishing sites and so on.

Software considerations

As noted above we know how to build this in other environments. It is effectively a collection of standard ubuntu packages plus a small amount of configuration. The most complicated part is probably giving the appliance a fixed IP address at boot. We have this covered for Raspbian based off of work I have published at my github page (see profile) and I assume there are similar methods available for Ubuntu Appliances.

Hardware considerations

There are no special hardware requirements (beyond a network connection). Lower spec Raspberry Pis cannot run bind with very large RPZ policies and larger networks will benefit from a Pi4 or NUC for performance, but a SOHO network version (say 10-25 laptops/smartphones etc.) works fine on a Pi2 or Pi3 as that is what I use personally.

Security considerations

There are no particular security requirements.


Since a DNS Firewall downloads a policy from the supplier and applies it locally to name resolution it is inherently a privacy improver. If (and this would be desired but optional) a user has a ThreatSTOP account and wishes to see reports on blocked traffic then the logs of the blocked traffic would be uploaded to ThreatSTOP for analysis. Such logs would be subject to the ThreatSTOP privacy policy terms.

Maintenance considerations

The software uses completely standard ubuntu packages. The changes involve editing the configuration of those packages. Currently those changes are implemented using either shell scripts or scripts in other standard linux languages such as perl.
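
To illustrate what the appliance's bind instance actually does with a provider's RPZ policy, here is an added example (not ThreatSTOP's code and not part of the original post) that parses a small, constructed RPZ zone and applies its QNAME triggers to a query name the way a DNS firewall would: `CNAME .` yields NXDOMAIN, `CNAME *.` yields NODATA, `CNAME rpz-passthru.` is an exception, and other records are local data. The zone content, the origin `rpz.local` and the example domains are all made up for the demonstration.

```python
# Constructed sample RPZ zone (SOA/NS records omitted for brevity).
# Owner names are relative to the policy zone origin rpz.local.
SAMPLE_RPZ_ZONE = """\
$ORIGIN rpz.local.
$TTL 300
malware.example        IN CNAME .               ; NXDOMAIN
*.malware.example      IN CNAME .               ; covers all subdomains
phish.example          IN CNAME *.              ; NODATA
safe.malware.example   IN CNAME rpz-passthru.   ; exception to the wildcard
garden.example         IN A     192.0.2.1       ; walled-garden local data
"""

def parse_rpz(text):
    """Return {trigger_name: (rdtype, rdata)} for the zone's QNAME triggers."""
    rules = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$"):       # skip directives
            continue
        fields = line.split()                      # owner [class] type rdata
        owner, rest = fields[0], fields[1:]
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]
        rules[owner.lower()] = (rest[0].upper(), " ".join(rest[1:]))
    return rules

def action(rule):
    """Map an RPZ record to the policy action bind would apply."""
    rdtype, rdata = rule
    if rdtype == "CNAME":
        if rdata == ".":
            return "NXDOMAIN"
        if rdata == "*.":
            return "NODATA"
        if rdata.lower() == "rpz-passthru.":
            return "PASSTHRU"
        return "CNAME " + rdata
    return "LOCAL-DATA " + rdtype + " " + rdata

def lookup(rules, qname):
    """Exact trigger first, then the closest enclosing wildcard; else pass through."""
    q = qname.lower().rstrip(".")
    if q in rules:
        return action(rules[q])
    labels = q.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in rules:
            return action(rules[candidate])
    return "PASSTHRU"
```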


Sounds great. The first part is to bundle the components into a snap. Once you’ve got a snap built, and published in the store, it’s possible to very easily create an appliance image for testing.

We have docs, tutorials and a forum focused on building snaps. I’d also be happy to help you get bootstrapped either here or via whatever chat / phone / video system you prefer.

Cool. Reading the docs etc. now. This seems not too different from other build environments.

I imagine I can get going and build an initial bind9 snap without too many problems. If that works we’ll go for the more complex one with a few config file edits.

Sounds like a plan. Just shout if you get stuck. We’ve made hundreds of snaps over the years. I expect we can sort any issues out if we smash a few brain cells together.