New security features

NextDNS has the following security features; why can't the same be developed for Pi-hole?

  • DNS Rebinding Protection
  • IDN Homograph Attacks Protection
  • Typosquatting Protection
  • Domain Generation Algorithms (DGAs) Protection
  • Block Newly Registered Domains (NRDs)
  • Block Parked Domains
  • Top-Level Domains (TLDs) Blocking
  • Block Bypass Methods
  • Google Safe Browsing
  • YouTube Restricted Mode
  • Safe Search

We had that manual and the domain page in the beta could do that when allowing CNAME.
See: https://discourse.pi-hole.net/t/support-for-cname-next-to-host-record/25707/5

Blocking parked/typosquatting domains can be done by using CNAMEs, and the Beta is equipped for that.

TLD blocking is done by RegEx: \.tld$

This is more or less what I was going to suggest.

Points 2-7 can be done with blocklists / regex for the most part, no need for anything fancy… but some effort is required from the user to source/maintain their own lists for this.

DNS Rebind Protection can be enabled by adding the following option in a custom configuration file under /etc/dnsmasq.d/.

stop-dns-rebind

Reject (and log) addresses from upstream nameservers which are in the private IP ranges. This blocks an attack where a browser behind a firewall is used to probe machines on the local network.

Be sure to check dnsmasq documentation for correct application of related options rebind-localhost-ok and rebind-domain-ok, especially when using local upstream DNS servers for Pi-hole (like unbound).
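To make the behaviour of stop-dns-rebind and its two companion options concrete, here is an added example (not Pi-hole or dnsmasq code) that re-implements the check in Python over constructed answers; the private-range list is my approximation of what dnsmasq treats as private, and the log text mimics its warning.

```python
# Emulates these dnsmasq options from a file under /etc/dnsmasq.d/:
#   stop-dns-rebind
#   rebind-localhost-ok
#   rebind-domain-ok=/lan/
# Added illustration, not dnsmasq's source; range list is an approximation.
import ipaddress
from typing import Iterable, List, Tuple

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
    "255.255.255.255/32", "fc00::/7", "fe80::/10",
)]
LOOPBACK_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("::1/128")]

def is_rebind_address(addr: str, localhost_ok: bool = False) -> bool:
    """True if an upstream answer pointing at `addr` should be rejected."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in LOOPBACK_NETS):
        return not localhost_ok      # rebind-localhost-ok exempts 127/8 and ::1
    return any(ip in net for net in PRIVATE_NETS)

def domain_exempt(qname: str, ok_domains: Iterable[str]) -> bool:
    """rebind-domain-ok: the listed name and all of its subdomains are exempt."""
    q = qname.rstrip(".").lower()
    for d in ok_domains:
        d = d.strip("/").rstrip(".").lower()   # accept dnsmasq's /lan/ spelling
        if d and (q == d or q.endswith("." + d)):
            return True
    return False

def filter_answer(qname: str, answers: List[str], ok_domains: Iterable[str] = (),
                  localhost_ok: bool = False) -> Tuple[bool, List[str]]:
    """Return (accepted, log_lines). Like stop-dns-rebind, one private address
    anywhere in the answer set causes the whole reply to be dropped and logged."""
    if domain_exempt(qname, ok_domains):
        return True, []
    if any(is_rebind_address(a, localhost_ok) for a in answers):
        return False, [f"possible DNS-rebind attack detected: {qname}"]
    return True, []

if __name__ == "__main__":
    # Constructed sample replies: a public name that suddenly answers with a
    # LAN address, a genuine LAN name, and an RBL-style 127.0.0.2 answer.
    for args in (("site.example", ["93.184.216.34", "192.168.1.1"]),
                 ("nas.lan", ["192.168.1.10"], ["/lan/"]),
                 ("rbl.example", ["127.0.0.2"]),
                 ("rbl.example", ["127.0.0.2"], (), True)):
        print(args[0], filter_answer(*args))
```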

As you all said, some features may be possible in v5, but they should be available from the interface; otherwise they will not exist for most people.

On the contrary - not every user runs the web admin interface, but all users have access to the command line.

How do you envision Pi-hole doing this? If a client bypasses Pi-hole and Pi-hole does not receive DNS requests from that client, what can Pi-hole do to force that client to use Pi-hole?

This can only be done in a firewall and router. Just the names of DNS servers that could be used are not enough; you also have to check on IP address.

DoH makes it even more difficult, and you can see test resolves when it tries to use it as resolver. You then need an IPS to analyze traffic.

DoH is a PITA!!!


LoL, most people use the web interface, at least all the people I know; just go to Reddit and ask. If you don't make features available in the web UI, most people won't use them. And of course, if they are available in the web UI, it is because they can be used via CLI.

Like any other DNS service? Blocking all domains related to web proxies could be a start; of course it won't be infallible.
Or we can ask NextDNS what they are doing.

That’s a good idea. https://www.reddit.com/r/nextdns/. Let us know what they tell you.

Please explain. How do other DNS services see DNS traffic they don’t see?

https://www.google.com/search?q=proxy+domain+list&ie=utf-8&oe=utf-8&client=firefox-b-m

It will only avoid a small portion of the problem, but better than nothing.
Sophos XG has a domain list of VPN and proxy sites.


Play nicely everyone.

This has been a gentle nudge from a mod.

And that is an IPS that analyzes traffic.

Blocking VPN is a choice that the person responsible for the internet connection has to make for themselves.