0xERR0R / blocky


Fast and lightweight DNS proxy as ad-blocker for local network with many features

Home Page: https://0xERR0R.github.io/blocky/

License: Apache License 2.0

Languages: Go 99.03%, Makefile 0.37%, Dockerfile 0.27%, HTML 0.10%, Shell 0.22%
Topics: ad-blocker, adblocker, dns, self-hosted, golang, selfhosted, pihole, dns-over-https, dns-server, parental-control

blocky's People

Contributors

0xerr0r, aman207, amigan, benmch, coolguy1771, dependabot-preview[bot], dependabot[bot], derrockwolf, desolatorxxl, donald-art, filego, grilix, harnish, kwitsch, lakestonelabs, moolex, nicolas-martin, ohemmali, onedr0p, ornias1993, peterdavehello, rich7690, schlamar, shizunge, soulteary, suhaibmalik, thinkchaos, tmuellerleile, vvelox, zc-devs


blocky's Issues

Netflix on firetv is blocked by default

I just discovered that Netflix on my firetv gets blocked. It is working on my Panasonic smart TV.

Obviously this is not a real bug, but in a pihole setup that would work just fine.

I would advise having a default config which does not block popular services.

Enhancement: Configuration of different upstream DNS servers for different clients

I really like Blocky and the great configuration options. Because it is so slim and fast I changed my LAN setup from Adguard to Blocky. There is only one feature missing in Blocky for me: the possibility to have different upstream DNS servers for different clients. To my understanding it is currently not possible in Blocky to have something like:

externalResolvers:
  default:               # Default for all requests
    - tcp:46.182.19.48
    - tcp:80.241.218.68
  desktop.fritz.box:     # Requests coming from desktop.fritz.box will be forwarded to
    - tcp-tls:fdns1.dismail.de:853
    - https://dns.digitale-gesellschaft.ch/dns-query

Or maybe I missed something in the configuration options?

add additional prometheus metrics for dashboard

add metrics for useful dashboard:

  • query count per client and type
  • error count
  • request duration as histogram
  • response count by reason, response code and response time
  • count black/whitelist per group

Error on processing empty query

If blocky runs in Docker, the following error occurs if an "empty" query (dig without parameters) is executed:
error on processing request: dns: unknown RR type: "<nil>" at line: 1:17

According to the dig manual, an empty query parameter is equivalent to ".".

Temporary deactivation of blocking

User should be able to temporarily deactivate blocking against the blacklist by:

  • Using the CLI tool
  • Calling REST API from external tool (OpenHAB, Home Assistant, ...)
  • Using Grafana dashboard for blocky

Could not access /swagger endpoint

Hello, thanks for this nice little piece of software.

I face a small issue. I can access the /metrics and /debug/pprof/ endpoints, but I could not access the /swagger endpoint.

I set disable_sanitize_html = true in Grafana, but the text panel is still not loading the script. What should I set the blocky_url variable in the panel to? My installation is at 192.168.1.2.

thank you

Subdomain matching / regex support

Hello,

It looks like the current implementation does exact matching on the domain name. I'm wondering if you would be open to a change that adds suffix matching, such that a blacklist entry of foo.com would also block *.foo.com, *.*.foo.com, etc.

I would probably implement it using a trie data structure to minimize the memory cost and lookups would probably be O(n) where n is the length of the search string.

This behavior could be configurable so that the default behavior remains the same unless this feature is enabled.
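The suffix matching proposed above, written in Go as an added example for this page (it is not blocky's code, and the Blocklist/Match names are invented here): entries are stored in a trie keyed by reversed labels, and Match has an exact mode and a suffix mode so the default behaviour can stay unchanged until the feature is enabled.

```go
package main

import (
	"fmt"
	"strings"
)

// node is one label of a domain stored in a trie keyed from the TLD down:
// "foo.com" becomes root -> "com" -> "foo".
type node struct {
	children map[string]*node
	terminal bool // a list entry ends exactly at this label
}

// Blocklist holds blacklist entries as a reversed-label trie, so a lookup
// costs one map step per label of the queried name and shared suffixes
// (thousands of *.example.net entries) share trie nodes.
type Blocklist struct {
	root *node
}

func NewBlocklist() *Blocklist {
	return &Blocklist{root: &node{children: map[string]*node{}}}
}

// reversedLabels normalizes a name (lowercase, no trailing dot) and returns
// its labels from the TLD inwards: "Ads.Foo.COM." -> [com foo ads].
func reversedLabels(domain string) []string {
	d := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
	parts := strings.Split(d, ".")
	for i, j := 0, len(parts)-1; i < j; i, j = i+1, j-1 {
		parts[i], parts[j] = parts[j], parts[i]
	}
	return parts
}

// Add inserts one blacklist entry.
func (b *Blocklist) Add(entry string) {
	n := b.root
	for _, l := range reversedLabels(entry) {
		child, ok := n.children[l]
		if !ok {
			child = &node{children: map[string]*node{}}
			n.children[l] = child
		}
		n = child
	}
	n.terminal = true
}

// Match reports whether domain is blocked. With suffix=false only an exact
// entry matches (the current behaviour the issue describes); with
// suffix=true any entry that is a parent of domain matches too, so the entry
// "foo.com" also covers "ads.foo.com" and "a.b.foo.com". Matching is per
// label, not per character: "evilfoo.com" is not a subdomain of "foo.com"
// and stays unblocked.
func (b *Blocklist) Match(domain string, suffix bool) bool {
	labels := reversedLabels(domain)
	n := b.root
	for i, l := range labels {
		child, ok := n.children[l]
		if !ok {
			return false
		}
		n = child
		if n.terminal && (suffix || i == len(labels)-1) {
			return true
		}
	}
	return false
}

func main() {
	b := NewBlocklist()
	b.Add("foo.com")
	for _, q := range []string{"foo.com", "ads.foo.com", "evilfoo.com"} {
		fmt.Printf("%-14s exact=%-5v suffix=%v\n", q, b.Match(q, false), b.Match(q, true))
	}
}
```

The per-label walk is what keeps "evilfoo.com" out of the match set; a plain strings.HasSuffix(name, "foo.com") check would block it, which is the usual mistake when suffix matching is bolted onto a string list.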

Fine grained locking on list update

List refresh takes a lock on the internal map structure, so any incoming request must wait until the list refresh is completed. This should be avoided by using fine-grained locking (only on map modification).

wildcards for custom dns mapping

I have some internal services like foo.home.internal and bar.home.internal... It would be cool if I could map *.home.internal to 10.1.1.1.

Is this already possible?

make config path/name configurable

As a user of blocky,
I want to specify the path & name of the config file instead of expecting it to be hardcoded to /app/config.yml
So that I can use my own path design for config files

The reason behind this ask is that within kubernetes, leveraging a configMap to define the config file will result in the /app directory being clobbered when mounting the config.yml in that directory meaning that there won't be a blocky binary to run. If we can define the config file to be in a non-shared path, that would be great!

CLI tool for blocky

Blocky should provide REST API to control components and query the status. A CLI tool should use this API too. First implementation should allow the user to enable and disable the blocking of blacklisted domains.

Queries don't seem to be cached

After 24 hours of turning it on I do not see caching in the response list of the Grafana dashboard. I checked my Docker logs, and CachingResolver seems to be deactivated. I just use the default config.yml from the README. Any specific lines to be added in the config?

[2020-05-14 21:38:41] INFO server: -> resolver: 'CachingResolver'
[2020-05-14 21:38:41] INFO server: deactivated
[2020-05-14 21:38:41] INFO server: -> resolver: 'ParallelBestResolver'
[2020-05-14 21:38:41] INFO server: upstream resolvers:
[2020-05-14 21:38:41] INFO server: - upstream '208.67.222.222:853'
[2020-05-14 21:38:41] INFO server: - upstream '1.1.1.2:853'
[2020-05-14 21:38:41] INFO server: - upstream '1.1.1.1:853'
[2020-05-14 21:38:41] INFO server: - upstream '1.0.0.1:853'

Warning when requesting from the same machine

For testing purposes I made some requests from the blocky query CLI tool on the same machine as the server and I get this warning:

WARN client_names_resolver: can't create reverse address for <nil> client_ip=<nil> question=A

Maybe a smarter log message would be nicer?

json log output mode

It would be cool if we could switch the log output mode on stdout to JSON; this would allow us to parse it easily.

Can blocky listen in local network?

Hey there. Blocky is a really nice DNS for me, but recently I found a large number of resolved DNS requests on my server which were not requested by me, and they cause a lot of logs on my disk. But I can't find any solution to listen only on the local network, such as 127.0.0.1 or 192.168.x.x, or for log deletion/rotation.
So can Blocky do those things? Thanks a lot

Update binary from cli

It would be nice to be able to update the binary from the CLI, something like this for example:

blocky update

Bonus points if we could execute a command depending on whether the update succeeded or not. For example, I run Blocky from a systemd service file I made, so I would want to restart that if the update succeeded. I guess you could configure that in the .yml file.

AXFR fails most times

Assume you have the snippet below in your config, with two identical DNS servers but different protocols.
If the DNS client is sending an AXFR query to transfer a zone, it uses the TCP protocol and the UDP one.

Because Blocky randomly selects two external upstream DNS servers from the list (UDP+TCP), the fastest response wins, which is usually the UDP response.

However, UDP is always denied by the authoritative DNS server when trying to perform a zone transfer over UDP, and it sends back a SERVFAIL DNS message.

Blocky must honor this and must forward TCP-based DNS queries (like AXFR/IXFR) to TCP upstream DNS servers only.

Otherwise, any AXFR queries over UDP will fail.

https://tools.ietf.org/html/rfc1035#section-4.2.1

UDP is not acceptable for zone transfers, ....

https://tools.ietf.org/html/rfc5936#section-2

An important aspect to keep in mind is that the definition of AXFR is
restricted to TCP [RFC0793] (see Section 4 for details). The design
of the AXFR process has certain inherent features that are not easily
ported to UDP [RFC0768].

Example

upstream:
  # these external DNS resolvers will be used. Blocky picks 2 random resolvers from the list for each query
  # format for resolver: net:host:[port][/path]. net could be tcp, udp, tcp-tls or https (DoH). If port is empty, default port will be used (53 for udp and tcp, 853 for tcp-tls, 443 for https (Doh))
  externalResolvers:
    - tcp:80.241.218.68
    - udp:80.241.218.68
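The routing rule this report asks for, in Go, as an added example written for this page (not blocky's code): read the question type out of the wire-format query and, for AXFR/IXFR, restrict the candidate set to TCP-capable upstreams before the random pick. Upstream, QuestionType, Candidates, Pick and BuildQuery are names invented here, the query bytes are constructed inline, and excluding https (DoH) upstreams from zone transfers is an assumption made for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math/rand"
	"strings"
)

const TypeA, TypeIXFR, TypeAXFR uint16 = 1, 251, 252

// Upstream is one configured resolver and its transport (the net: prefix above).
type Upstream struct {
	Net  string // udp, tcp, tcp+udp, tcp-tls, https
	Addr string
}

// QuestionType walks a wire-format DNS message (RFC 1035 4.1) just far enough
// to return the QTYPE of the first question. Truncated input and compression
// pointers in the question name are rejected instead of guessed at.
func QuestionType(msg []byte) (uint16, error) {
	if len(msg) < 12 {
		return 0, errors.New("message shorter than the 12-byte header")
	}
	if binary.BigEndian.Uint16(msg[4:6]) == 0 {
		return 0, errors.New("QDCOUNT is zero")
	}
	off := 12
	for {
		if off >= len(msg) {
			return 0, errors.New("truncated QNAME")
		}
		l := int(msg[off])
		if l == 0 {
			off++
			break
		}
		if l&0xC0 != 0 {
			return 0, errors.New("compression pointer in question name")
		}
		off += 1 + l
	}
	if off+4 > len(msg) {
		return 0, errors.New("truncated QTYPE/QCLASS")
	}
	return binary.BigEndian.Uint16(msg[off : off+2]), nil
}

// IsTCPOnly: zone transfers are defined for stream transport only
// (RFC 1035 4.2.1, RFC 5936 section 2).
func IsTCPOnly(qtype uint16) bool { return qtype == TypeAXFR || qtype == TypeIXFR }

// supportsTCP leaves https out on purpose: a zone transfer is a multi-message
// stream and is not defined over DoH (assumption made for this example).
func supportsTCP(u Upstream) bool {
	return u.Net == "tcp" || u.Net == "tcp+udp" || u.Net == "tcp-tls"
}

// Candidates filters the configured upstreams for one query. Ordinary queries
// may use any of them; AXFR/IXFR only TCP-capable ones, so a udp: entry can
// never win the race with its SERVFAIL.
func Candidates(upstreams []Upstream, qtype uint16) ([]Upstream, error) {
	if !IsTCPOnly(qtype) {
		return upstreams, nil
	}
	var out []Upstream
	for _, u := range upstreams {
		if supportsTCP(u) {
			out = append(out, u)
		}
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("qtype %d needs TCP but no tcp/tcp+udp/tcp-tls upstream is configured", qtype)
	}
	return out, nil
}

// Pick selects up to n distinct candidates at random (the "2 random resolvers"
// rule from the config comment); the seed is a parameter so runs are repeatable.
func Pick(cands []Upstream, n int, seed int64) []Upstream {
	rng := rand.New(rand.NewSource(seed))
	out := append([]Upstream(nil), cands...)
	rng.Shuffle(len(out), func(i, j int) { out[i], out[j] = out[j], out[i] })
	if n < len(out) {
		out = out[:n]
	}
	return out
}

// BuildQuery constructs a minimal class-IN query as constructed test input;
// "." gives the root query that an argument-less dig sends.
func BuildQuery(name string, qtype uint16) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:2], 0x1234) // ID
	binary.BigEndian.PutUint16(msg[2:4], 0x0100) // flags: RD
	binary.BigEndian.PutUint16(msg[4:6], 1)      // QDCOUNT
	if name = strings.TrimSuffix(name, "."); name != "" {
		for _, label := range strings.Split(name, ".") {
			msg = append(msg, byte(len(label)))
			msg = append(msg, label...)
		}
	}
	return append(msg, 0, byte(qtype>>8), byte(qtype), 0, 1) // root, QTYPE, QCLASS
}
```

A related caveat for ordinary queries: a UDP answer with the TC bit set should be retried over TCP rather than returned truncated. The filter above only covers the types that must never be sent over UDP in the first place.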
      

dnssec support

It would be great if blocky would validate DNSSEC signatures...

Running on windows docker?

I'm trying to run this on Windows Docker, but when I insert the path to the config file I get loads of errors. Any help, or does this not work on Windows?

List download: Improve error handling

Error handling on (periodic) list download should be improved:

  • Retry on temporary errors (Timeout, ...)
  • Leave elements in cache for the group, if a temporary error occurs

Disable Caching

This project looks like a perfect replacement for Stubby on my network. However, as I'd have dnsmasq forward requests to Blocky, this would result in caching the response in two locations, which is less than ideal.

Can a config option be added to disable caching within Blocky?

Windows Support

The current Blocky code is unable to compile on Windows due to some *nix-specific code like

if cfg.Dir != "" && unix.Access(cfg.Dir, unix.W_OK) != nil {

and some more.
If these parts were rewritten as OS-agnostic code, Blocky would join the Windows family.

Client name mapping

Because of problems with reverse DNS with IPv6, I have to make two entries for each client when specifying a blocking group (once with its hostname and once with its IPv6 address). In addition, the device is also displayed with these two names in the Grafana client statistics.

So I would like to map client names to specific ip addresses:

clients:
  laptop:
    - 192.168.1.2
    - ...
    - fd00::532b:9bda:45b5:123

The name "laptop" defined in this way will replace the actual DNS name of the device, can be used in the blocking group specification and is used as the client name in the statistics overview.

CLI command to perform a DNS query

It would be useful to have a CLI command to perform a DNS query (Simple replacement for dig). The output should contain blocky specific information (for example: Query was blocked etc.)

Usage:
./blocky query google.com or ./blocky query google.com --type AAAA

Documentation of config.yml file not correct anymore

Based on the description in README.md

upstream:
  # these external DNS resolvers will be used. Blocky picks 2 random resolvers from the list for each query
  # format for resolver: [net:]host:[port][/path]. net could be empty (default, shortcut for tcp+udp), tcp+udp, tcp, udp, tcp-tls or https (DoH). If port is empty, default port will be used (53 for udp and tcp, 853 for tcp-tls, 443 for https (Doh))

I tried the configuration as described above:

externalResolvers:
  - 46.182.19.48
  - 80.241.218.68

This leads to the following error when starting blocky:
level=fatal msg="wrong file structure: wrong configuration, couldn't parse input '46.182.19.48', please enter net:host[:port][/path]"

So "net:" is not optional anymore. Right?

Changing the config to

externalResolvers:
  - tcp:46.182.19.48
  - tcp:80.241.218.68

solved the problem.

Especially for new users it would be great to adapt the documentation.
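A parser for the resolver format quoted from the README, [net:]host[:port][/path] with an omitted net meaning tcp+udp, written in Go as an added example for this page (it is not blocky's parser, and ParseUpstream/Upstream are names invented here). Two details are assumptions beyond the README text: IPv6 hosts may be written in brackets ("tcp-tls:[2001:db8::1]:853"), and "https://host/path" is accepted as a spelling of "https:host/path". The parser also flags the dot-for-colon slip "tcp.80.241.218.68", which is a syntactically valid hostname and would otherwise be accepted and never resolve.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Upstream is one parsed resolver entry.
type Upstream struct {
	Net  string // tcp+udp, tcp, udp, tcp-tls or https
	Host string
	Port uint16
	Path string // DoH path, https only
}

// defaultPorts doubles as the set of accepted transports (README: 53 for
// udp and tcp, 853 for tcp-tls, 443 for https).
var defaultPorts = map[string]uint16{
	"tcp+udp": 53, "tcp": 53, "udp": 53, "tcp-tls": 853, "https": 443,
}

// ParseUpstream parses [net:]host[:port][/path]; an omitted net means tcp+udp.
// Bracketed IPv6 hosts and the "https://host/path" spelling are accepted here
// as an assumption, not something the README states.
func ParseUpstream(spec string) (Upstream, error) {
	spec = strings.TrimSpace(spec)
	if spec == "" {
		return Upstream{}, errors.New("empty upstream entry")
	}
	u, rest := Upstream{Net: "tcp+udp"}, spec

	// Transport prefix: only a known net name before the first colon counts,
	// so a bare IPv6 literal like 2001:db8::1 is not mistaken for one.
	if i := strings.Index(spec, ":"); i > 0 {
		if _, ok := defaultPorts[spec[:i]]; ok {
			u.Net, rest = spec[:i], strings.TrimPrefix(spec[i+1:], "//")
		}
	}
	// Optional path; only meaningful for DoH.
	if j := strings.Index(rest, "/"); j >= 0 {
		u.Path, rest = rest[j:], rest[:j]
		if u.Net != "https" {
			return Upstream{}, fmt.Errorf("%q: a path is only valid for https upstreams", spec)
		}
	}
	host, portStr, err := splitHostPort(rest)
	if err != nil || host == "" {
		return Upstream{}, fmt.Errorf("%q: bad host/port (%v)", spec, err)
	}
	// Catch the dot-for-colon slip "tcp.80.241.218.68": syntactically a valid
	// hostname, so it would pass parsing and then never resolve.
	if k := strings.Index(host, "."); k > 0 {
		if _, isNet := defaultPorts[host[:k]]; isNet && net.ParseIP(host[k+1:]) != nil {
			return Upstream{}, fmt.Errorf("%q: did you mean %s:%s?", spec, host[:k], host[k+1:])
		}
	}
	u.Host, u.Port = host, defaultPorts[u.Net]
	if portStr != "" {
		p, err := strconv.ParseUint(portStr, 10, 16)
		if err != nil || p == 0 {
			return Upstream{}, fmt.Errorf("%q: invalid port %q", spec, portStr)
		}
		u.Port = uint16(p)
	}
	return u, nil
}

// splitHostPort separates host from an optional port for the forms
// "[v6]", "[v6]:port", "host:port", "host" and a bare IPv6 literal (no port).
func splitHostPort(s string) (host, port string, err error) {
	switch {
	case strings.HasPrefix(s, "[") && strings.HasSuffix(s, "]"):
		return s[1 : len(s)-1], "", nil
	case strings.HasPrefix(s, "[") || strings.Count(s, ":") == 1:
		return net.SplitHostPort(s)
	default:
		return s, "", nil
	}
}

func main() {
	for _, s := range []string{"46.182.19.48", "tcp-tls:fdns1.dismail.de:853",
		"https://dns.digitale-gesellschaft.ch/dns-query", "tcp.80.241.218.68"} {
		u, err := ParseUpstream(s)
		fmt.Printf("%-48s -> %+v err=%v\n", s, u, err)
	}
}
```

Failing loudly at startup on a malformed entry, as the fatal message in the report does, is the right behaviour; the point of the extra check is that a config error which happens to be a well-formed hostname would otherwise only show up later as every query timing out.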

Client/cidr specific upstream dns server configuration

Is there a way to set upstream DNS servers for a specific client or cidr address range? Use case is most clients I want going to Opendns, but some I want going to a geo location spoofing dns (mlb blackout workaround).
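The two requests above (naming clients by their IPv4/IPv6 addresses instead of relying on reverse DNS, and choosing upstreams per client or CIDR range) share one lookup problem: given a source address, find the most specific configured client entry. This Go block is an added example written for this page, not blocky's code; ClientGroups, Router and their methods are invented names, and the sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ClientGroups maps configured client names to the addresses or CIDR ranges
// they own, so the name comes from config instead of a reverse lookup (which
// the earlier report says fails for IPv6).
type ClientGroups struct {
	nets map[string][]*net.IPNet
	seen map[string]string // network -> name, to reject ambiguous duplicates
}

func NewClientGroups() *ClientGroups {
	return &ClientGroups{nets: map[string][]*net.IPNet{}, seen: map[string]string{}}
}

// Add registers entries for a client name. Each may be a single IPv4/IPv6
// address (stored as a /32 or /128 host route) or a CIDR range. Malformed
// entries and the same network under two names are errors, not silent drops.
func (c *ClientGroups) Add(name string, entries ...string) error {
	name = strings.ToLower(strings.TrimSpace(name))
	for _, e := range entries {
		var n *net.IPNet
		if strings.Contains(e, "/") {
			_, parsed, err := net.ParseCIDR(strings.TrimSpace(e))
			if err != nil {
				return fmt.Errorf("client %q: %v", name, err)
			}
			n = parsed
		} else {
			ip := net.ParseIP(strings.TrimSpace(e))
			if ip == nil {
				return fmt.Errorf("client %q: %q is neither an IP address nor a CIDR", name, e)
			}
			bits := 128
			if ip4 := ip.To4(); ip4 != nil {
				ip, bits = ip4, 32
			}
			n = &net.IPNet{IP: ip, Mask: net.CIDRMask(bits, bits)}
		}
		if owner, dup := c.seen[n.String()]; dup && owner != name {
			return fmt.Errorf("client %q: %s already belongs to %q", name, n, owner)
		}
		c.seen[n.String()] = name
		c.nets[name] = append(c.nets[name], n)
	}
	return nil
}

// Lookup returns the client name owning ip. When several entries contain the
// address (a host entry inside a /24, say), the longest prefix wins, so one
// device can be carved out of a broader range.
func (c *ClientGroups) Lookup(ipStr string) (string, bool) {
	ip := net.ParseIP(ipStr)
	if ip == nil {
		return "", false
	}
	best, bestLen := "", -1
	for name, nets := range c.nets {
		for _, n := range nets {
			if ones, _ := n.Mask.Size(); n.Contains(ip) && ones > bestLen {
				best, bestLen = name, ones
			}
		}
	}
	return best, bestLen >= 0
}

// Router ties client names to upstream lists; clients without their own
// route, and unknown clients, use the "default" list.
type Router struct {
	Groups *ClientGroups
	Routes map[string][]string // client name -> upstream specs
}

// UpstreamsFor resolves the client name for ip, then its route.
func (r *Router) UpstreamsFor(ip string) (client string, upstreams []string) {
	client, ok := r.Groups.Lookup(ip)
	if !ok {
		client = "default"
	}
	if ups, ok := r.Routes[client]; ok {
		return client, ups
	}
	return client, r.Routes["default"]
}
```

Longest-prefix selection is what lets a per-device rule coexist with a LAN-wide one; without it, the order in which entries happen to be iterated would decide which upstream a client gets, which is exactly the kind of silent misrouting a DNS filter should not have.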

Log to stdout

It would be cool if there would be an option to enable query log to stdout.

helm chart

Hi, I made this into a helm chart which is also hosted on helm hub for consumption in kubernetes workloads.

If you're interested in hosting it here, I'm happy to PR the necessary changes to have the chart hosted with associated github actions for linting, testing, and publishing the chart.

Support for multiple conditional forwarders per domain

Attempting to add multiple resolvers for conditional forwards gives an error. It would be good if Blocky supported the ability to query multiple forwarders.

level=fatal msg="wrong file structure: yaml: unmarshal errors:\n line 31: key \"ipa.example.com\" already set in map\n line 33: key \"ad.example.com\" already set in map\n

conditional:
  mapping:
    ipa.example.com: udp:10.0.0.11
    ipa.example.com: udp:10.0.0.12
    ad.example.com: udp:10.0.1.11
    ad.example.com: udp:10.0.1.12

make log to disk optional

I use Loki and Promtail to gather logs in my Kubernetes cluster, which collect logs from the containers' stdout.

I don't need the logs to be stored on disk unless there is a certain need Blocky uses them for.

Why did "go get" fail?

hi.

yudeMacBook-Air:gopath brite$ go get -u -v github.com/0xERR0R/blocky
github.com/0xERR0R/blocky (download)
package blocky/config: unrecognized import path "blocky/config" (import path does not begin with hostname)
package blocky/server: unrecognized import path "blocky/server" (import path does not begin with hostname)
github.com/sirupsen/logrus (download)
get "golang.org/x/sys/unix": found meta tag get.metaImport{Prefix:"golang.org/x/sys", VCS:"git", RepoRoot:"https://go.googlesource.com/sys"} at //golang.org/x/sys/unix?go-get=1
get "golang.org/x/sys/unix": verifying non-authoritative meta tag
golang.org/x/sys (download)
github.com/x-cray/logrus-prefixed-formatter (download)
github.com/mgutz/ansi (download)
github.com/mattn/go-colorable (download)
github.com/mattn/go-isatty (download)
get "golang.org/x/crypto/ssh/terminal": found meta tag get.metaImport{Prefix:"golang.org/x/crypto", VCS:"git", RepoRoot:"https://go.googlesource.com/crypto"} at //golang.org/x/crypto/ssh/terminal?go-get=1
get "golang.org/x/crypto/ssh/terminal": verifying non-authoritative meta tag
golang.org/x/crypto (download)
yudeMacBook-Air:gopath brite$

how to fix the "unrecognized import path" error?

Cannot retrieve any lists all of a sudden

First of all, blocky works pretty well for my network. Thank you for making/releasing it! I have my blocky instance on my Raspberry Pi 4 via Docker and, after a few configuration issues, had it up and running beautifully. For the last couple of days, since the latest update (I think), blocky cannot update any list. It throws this error for each list:

WARN list_cache: Temporary network error / Timeout occurred, retrying... Get "https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist": dial tcp: lookup zeustracker.abuse.ch on 127.0.0.11:53: read udp 127.0.0.1:57929->127.0.0.11:53: i/o timeout attempt=3 link=https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist

I've checked that my rp4 has network and that DNS requests for the rp4 go directly to a DNS provider (OpenDNS). I can browse and update other things on the rp4, so I know it's not its core connectivity. Restarting the rp4 and/or the container does not fix the issue.

Question: Is blocky supposed to be using 127.0.0.11? Right now, blocky is working with cached lists but some of the lists I use are updated daily.

Thank you for your time!

prometheus metrics for queries

It would be nice to have a metric of the top queries per domain so you know if something weird is blocked or not blocked.

  • top queries per domain
  • label if blocked or not

Add CustomIP block type to allow forwarding to IPs other than ZeroIP

I use a null server and would love the ability to forward to its IP, but currently the only types supported are NxDomain and ZeroIP. This speeds up responses that have been blocked and bypasses some checks in applications that check whether any content was returned.

I can take a stab at adding and submitting a PR, but thought I'd see what your thoughts are on adding that functionality.

ip lists?

hello,

Can lists with IPs be blocked?

https://feodotracker.abuse.ch/downloads/ipblocklist.txt
