Option to block recently created domains (DGA)

Pi-hole is mainly for blocking ads. But it also can serve to stop malware.

A fairly simple and effective way would be to use the Creation Date of a domain from a simple whois lookup. If the domain was registered less than a specified period of time ago, it would be pi-holed.
I think it happens rarely that you visit a newly created domain, but it should be opt-in anyway.

whois pi-hole.net
   Domain Name: PI-HOLE.NET
..
   Creation Date: 2015-03-20T18:00:23Z
...

Related:


I think this is outside the scope of Pi-Hole; it is not intended to be a one-stop internet security program. It is a DNS resolver.

If you foresee potential interest in an enhancement that would do this, write a script that would find domains recently queried in the query log, perform the whois search you mention, and then add to blacklist as desired. Put the script on GitHub for others to use.

I agree that this request is an edge case for the scope of pi-hole.

You do not want to slow down resolving DNS requests by a whois lookup. This has to happen afterwards. But adding it to the blacklist permanently is not something I suggest to do.
As an example: Domains that are less than a week old should be pi-holed. After that period of time the domain should be accessible.

A script that will blacklist domains cannot serve this purpose. Maybe that solution can be considered when we get an option to blacklist domains for a certain period of time and not permanently.

Theoretically the script can be made to remember and remove those domains from the blacklist after a period of time. This would make the script more complicated.

I already have seen scripts that blacklist domains and remove them after a period of time for the purpose of parental control.

Why not? The same script that can put a domain on a blacklist based on the age of the domain registration can easily remove it from the blacklist based on the same criteria. Run the script once a day and check everything in the blacklist, or have a separate table that the script creates and when the time is up on an item, remove it from the blacklist the next time the script runs.

It should be more responsive than once a day, more like right after a non-cached request. And that criterion will apply to domains that were blocked manually.

The only way to do it with a script would be to save the blacklisted domains and the time they need to be unblocked again. Basically implementing blacklisting for a period of time that IMHO should also be a feature.

I am not saying solving it with a script is not possible. Just doing it within pi-hole will be more efficient.

Anyway this probably has to wait as other features are more pressing. I just wanted to throw in the idea.

I support your request slawa.
Funny DNS names are becoming a serious problem, not just for malicious sites but also for ad sites.
Last month I checked a few new ones; they were not blocked by using upstream OpenDNS or Quad9.
Upstream filtering is only done if half the world starts complaining :slight_smile: .
So yes, I believe it’s a great optional feature for PiHole.

Another example where this feature will help and is in scope of Pi-Hole.

There are some websites that use aggressive ads tactics.
They serve their ads from a new domain they create every few days.

I block the ad domain and a few days later the ads pop up again.
I can effectively block it on Desktop with addons.
But some mobile phones can not use uBlock.

Here are the sites:
[WARNING!] Ads are NSFW


And why would regex blocking not work in these cases?

It works for a few days. Ads come from new domains after a while. And the circle begins.

I have a dozen domains blocked that were used for ads. And new domains keep coming.
Usually they use a script that tries 3-4 domains to display ads.

Not sure this will help,

Found this site. If somebody is capable of generating lists from this site, you could add them to your blocklists, on a daily base.

There are so many new domains created. This would be overkill.
And then it should not block them permanently, just for a specified amount of time.

Here are some specifics of what I am thinking about:

  • There should be a cache of already checked domains. This can use the cache the pi-hole already has and add a flag [creation_date_checked:true/false]. This will save whois calls on frequently used domains.

  • Add a new table to the local database that handles a temporary block list. This can be a useful feature for the whole project. e.g. you can block Facebook for a week without the need to manually unblock.

  • Add a function that will run separately after domain resolution:

  1. Check if the domain is in the cache and has the true flag
  2. Check the WHOIS Creation Date on a cache miss
  3. If new domain, add to temporary block list with the desired duration (Creation Date + new domain block length from the settings)
  4. Domain will be automatically unblocked after temporary block expiry

In the Settings you should be able to specify for how long domains will be blocked after their registration.

This will help block DGA domains. Ad domains can circumvent it by buying random old domains for cheap, instead of registering new ones.

This sounds more like a request for a new list than a feature for Pi-hole.

You could write a script that does this by itself. In the current development version of Pi-hole (and the next v5.0 release), we store the creation date of blacklist values.

You may also want to read this discussion:

Also in the current development version, we now support massive whitelists. The idea of the discussion above is that they want to permit the, say, top 10 million domains with sufficient “reputation” (however you measure that) and block everything else.

It’s naive to think WHOIS will always output “Creation Date”. Try running WHOIS on yandex.ru for example and it says “created” instead of “Creation Date”. There is no standard WHOIS output format. I could not find any way to specify the creation date as an attribute but it might be possible.
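The following is an added Python sketch, not Pi-hole code and not anything a poster in this thread wrote. It puts the earlier proposal (a cache of already-checked domains, a temporary block list with its own expiry, and a check that runs after resolution) next to the point just made about WHOIS having no standard output: the parser accepts several creation-date labels ("Creation Date" from the pi-hole.net lookup quoted above, "created" as reported for .ru, plus a couple of assumed extras) and several date layouts, and when it recognises none it returns "unknown" rather than treating the domain as new. The WHOIS replies, the `.test` domain names, the `NOW` reference time and the `FAKE_WHOIS` lookup are all constructed so the script runs offline; `system_whois` only wraps the `whois` CLI from the thread and is not used by the demo.

```python
"""Age-based temporary blocking of newly registered domains (illustrative sketch)."""
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple

# Labels under which registries print the registration date. "creation date" and
# "created" are the two forms mentioned in the thread; the rest are assumptions.
CREATION_LABELS = {"creation date", "created", "registered on", "registration date"}

# Date layouts to try, in order. Registries do not agree on one (assumed set).
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d",
                "%Y.%m.%d", "%d-%b-%Y", "%Y/%m/%d")


def parse_creation_date(whois_text: str) -> Optional[datetime]:
    """Return the registration date as a UTC datetime, or None if no known label/layout matches."""
    for line in whois_text.splitlines():
        label, sep, value = line.partition(":")
        if not sep:
            continue
        label, value = label.strip().lower(), value.strip()
        if label not in CREATION_LABELS or not value:
            continue
        for fmt in DATE_FORMATS:
            try:
                parsed = datetime.strptime(value, fmt)
            except ValueError:
                continue
            if parsed.tzinfo is None:
                parsed = parsed.replace(tzinfo=timezone.utc)
            return parsed.astimezone(timezone.utc)
    return None  # unknown age is reported as such, never counted as "new"


def system_whois(domain: str) -> str:
    """Run the whois command line tool (as in the thread). Not called by the offline demo."""
    return subprocess.run(["whois", domain], capture_output=True, text=True, timeout=15).stdout


class TemporaryBlocklist:
    """Stand-in for the proposed 'block until' table: entries expire on their own."""

    def __init__(self) -> None:
        self._until: Dict[str, datetime] = {}

    def add(self, domain: str, until: datetime) -> None:
        self._until[domain] = until

    def is_blocked(self, domain: str, now: datetime) -> bool:
        until = self._until.get(domain)
        if until is None:
            return False
        if now >= until:            # expired: drop the entry, domain is usable again
            del self._until[domain]
            return False
        return True


class NewDomainChecker:
    """Runs after resolution: one WHOIS lookup per domain, cached; blocks domains younger than min_age."""

    def __init__(self, whois_lookup: Callable[[str], Optional[str]],
                 min_age: timedelta, blocklist: TemporaryBlocklist) -> None:
        self.whois_lookup = whois_lookup
        self.min_age = min_age
        self.blocklist = blocklist
        self.checked: Dict[str, Optional[datetime]] = {}  # the "already checked" cache
        self.lookups = 0                                  # counts real WHOIS calls

    def check(self, domain: str, now: datetime) -> str:
        domain = domain.lower().rstrip(".")
        if domain not in self.checked:                    # cache miss: do the WHOIS call once
            self.lookups += 1
            raw = self.whois_lookup(domain)
            self.checked[domain] = parse_creation_date(raw) if raw else None
        created = self.checked[domain]
        if created is None:
            return "unknown"
        expiry = created + self.min_age                   # Creation Date + block length from settings
        if expiry > now:
            self.blocklist.add(domain, expiry)
            return "blocked"
        return "allowed"


NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)  # constructed reference time

# Constructed WHOIS replies. The pi-hole.net date is the one quoted in the thread;
# the other names are made up under the reserved .test TLD.
FAKE_WHOIS: Dict[str, str] = {
    "pi-hole.net": "   Domain Name: PI-HOLE.NET\n   Creation Date: 2015-03-20T18:00:23Z\n",
    "fresh.test": "Domain Name: FRESH.TEST\nCreation Date: 2019-05-29T09:15:00Z\n",
    "ru-style.test": "domain: RU-STYLE.TEST\ncreated: 2018.05.02\n",
    "odd-registry.test": "No match for domain ODD-REGISTRY.TEST\n",
}


def run_demo(now: datetime = NOW) -> Tuple[Dict[str, str], TemporaryBlocklist, NewDomainChecker]:
    """Check every sample domain twice (second pass must hit the cache) with a 7-day threshold."""
    blocklist = TemporaryBlocklist()
    checker = NewDomainChecker(FAKE_WHOIS.get, timedelta(days=7), blocklist)
    verdicts = {d: checker.check(d, now) for d in FAKE_WHOIS}
    for d in FAKE_WHOIS:
        checker.check(d, now)
    return verdicts, blocklist, checker


if __name__ == "__main__":
    for domain, verdict in run_demo()[0].items():
        print(f"{domain:20s} {verdict}")
```

The `unknown` verdict is the part worth keeping from the WHOIS caveat: a registry whose format the parser does not know must not turn every one of its domains into a "new" one, so the script fails open there and the sensible follow-up is to log those domains and extend `CREATION_LABELS`/`DATE_FORMATS` rather than block.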

The issue with newly-created domains is getting more attention: