Option to block recently created domains (DGA)

#1

Pi-hole is mainly for blocking ads. But it can also serve to stop malware.

A fairly simple and effective way would be to use Creation Date of a domain from a simple whois lookup. If the domain was registered less than a specified period of time ago, it would be pi-holed.
I think it happens rarely that you visit a newly created domain, but it should be opt in anyway.

whois pi-hole.net
   Domain Name: PI-HOLE.NET
..
   Creation Date: 2015-03-20T18:00:23Z
...


#2

I think this is outside the scope of Pi-Hole; it is not intended to be a one-stop internet security program. It is a DNS resolver.

If you foresee potential interest in an enhancement that would do this, write a script that would find domains recently queried in the query log, perform the whois search you mention, and then add to blacklist as desired. Put the script on GitHub for others to use.

#3

I agree that this request is an edge case for the scope of pi-hole.

You do not want to slow down resolving DNS requests by a whois lookup. This has to happen afterwards. But adding it to the blacklist permanently is not something I suggest to do.
As an example: Domains that are less than a week old should be pi-holed. After that period of time the domain should be accessible.

A script that will blacklist domains cannot serve this purpose. Maybe that solution can be considered when we get an option to blacklist domains for a certain period of time and not permanently.

Theoretically the script can be made to remember and remove those domains from the blacklist after a period of time. This would make the script more complicated.

I already have seen scripts that blacklist domains and remove them after a period of time for the purpose of parental control.

#4

Why not? The same script that can put a domain on a blacklist based on the age of the domain registration can easily remove it from the blacklist based on the same criteria. Run the script once a day and check everything in the blacklist, or have a separate table that the script creates and when the time is up on an item, remove it from the blacklist the next time the script runs.

#5

It should be more responsive than once a day, more like right after a non-cached request. And that criterion will apply to domains that were blocked manually.

The only way to do it with a script would be to save the blacklisted domains and the time they need to be unblocked again. Basically implementing blacklisting for a period of time that IMHO should also be a feature.

I am not saying solving it with a script is not possible. Just doing it within pi-hole will be more efficient.

Anyway this probably has to wait as other features are more pressing. I just wanted to throw in the idea.
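The whois-age check proposed in #1 together with the expiring blacklist that #3 to #5 ask for, as an added example (my code, not Pi-hole's). It parses whois output for the Creation Date, blocks a domain that is younger than the configured age, remembers when that block lapses, and releases it afterwards. The whois texts are constructed samples (the pi-hole.net date is the one quoted in #1; the other two domains are invented), and the `pihole -b DOMAIN` / `pihole -b -d DOMAIN` strings assume the Pi-hole v5 blacklist CLI and are only generated, not executed. As #3 says, this belongs after resolution, fed from the query log, never in the resolve path.

```python
"""Temporary blocking of newly registered domains by whois Creation Date.

Added example, not Pi-hole project code. Whois samples are constructed;
`pihole -b` / `pihole -b -d` syntax is assumed (Pi-hole v5 CLI).
"""
import re
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=7)  # "domains that are less than a week old should be pi-holed"

# Constructed whois snippets (no live lookups). Real registries often print the
# Creation Date twice (registrar and registry record), sometimes with fractions.
WHOIS_SAMPLES = {
    "pi-hole.net": (
        "   Domain Name: PI-HOLE.NET\n"
        "   Creation Date: 2015-03-20T18:00:23Z\n"
    ),
    "fresh.example": (  # invented domain, registered two days before "now"
        "Domain Name: FRESH.EXAMPLE\n"
        "Creation Date: 2024-06-03T09:30:00.0Z\n"
        "Creation Date: 2024-06-03T09:29:58Z\n"
    ),
    "unknown.example": 'No match for "UNKNOWN.EXAMPLE".\n',  # invented, no record
}

CREATION_RE = re.compile(r"^\s*Creation Date:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_creation_date(whois_text):
    """Return the earliest Creation Date as an aware UTC datetime, or None."""
    dates = []
    for raw in CREATION_RE.findall(whois_text):
        # Normalise RFC 3339: drop fractional seconds, turn trailing Z into +00:00
        stamp = re.sub(r"\.\d+", "", raw.strip()).replace("Z", "+00:00")
        try:
            dt = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # unparseable date line: ignore, do not block on garbage
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
        dates.append(dt.astimezone(timezone.utc))
    return min(dates) if dates else None


class AgeBlocklist:
    """Domains blocked for being too new, with the time at which each block lapses."""

    def __init__(self, max_age=MAX_AGE):
        self.max_age = max_age
        self.expiry = {}  # domain -> UTC datetime at which it is old enough again

    def evaluate(self, domain, whois_text, now):
        """Decide on one freshly resolved (non-cached) domain.

        Returns "block", "allow" or "unknown". No parseable Creation Date means
        "unknown": failing open here avoids breaking TLDs with restricted whois.
        """
        created = parse_creation_date(whois_text)
        if created is None:
            return "unknown"
        unblock_at = created + self.max_age
        if now < unblock_at:
            self.expiry[domain] = unblock_at
            return "block"
        return "allow"

    def expired(self, now):
        """Return domains whose block has lapsed, and forget them."""
        done = sorted(d for d, t in self.expiry.items() if now >= t)
        for d in done:
            del self.expiry[d]
        return done


def pihole_commands(blocklist, domain, whois_text, now):
    """Map one evaluation to Pi-hole CLI calls (assumed v5 syntax; not executed)."""
    cmds = []
    if blocklist.evaluate(domain, whois_text, now) == "block":
        cmds.append(f"pihole -b {domain}")
    for old in blocklist.expired(now):
        cmds.append(f"pihole -b -d {old}")  # block lapsed: remove from blacklist
    return cmds


def demo(now=None):
    """Run the samples through one blocklist; returns the commands per step."""
    now = now or datetime(2024, 6, 5, tzinfo=timezone.utc)
    bl = AgeBlocklist()
    steps = {dom: pihole_commands(bl, dom, txt, now) for dom, txt in WHOIS_SAMPLES.items()}
    # A week later any later query triggers the cleanup of the lapsed block.
    steps["one week later"] = pihole_commands(
        bl, "pi-hole.net", WHOIS_SAMPLES["pi-hole.net"], now + timedelta(days=8))
    return steps


if __name__ == "__main__":
    for step, cmds in demo().items():
        print(f"{step}: {cmds}")
```

Two choices worth noting: the earliest of several Creation Date lines wins, so a registrar record with a later timestamp cannot make a domain look younger or older than the registry says; and a missing or malformed date yields "unknown" rather than a block, because whois coverage is patchy and failing closed would take down legitimate domains on TLDs that hide registration data.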

#7

I support your request, slawa.
Funny DNS names are becoming a serious problem, not just for malicious sites but also for ad sites.
Last month I checked a few new ones; they were not blocked when using upstream OpenDNS or Quad9.
Upstream filtering is only done if half the world starts complaining 🙂.
So yes, I believe it’s a great optional feature for PiHole.