An Introduction DNS SinkHoles (Pi-Hole)
I wanted to showcase an awesome lightweight tool that can be used in businesses and in your personal home.
Pi-Hole is a DNS sinkhole. When set up correctly (and it is dirt easy) all your traffic in/out is filtered, and removes a large portion of garbage adds and various known content that can be harmful to your internal hosts.
I set up my Pi-Hole and had it working with default settings within minutes and had it running for 24 hours. The picture above shows the results of normal traffic across the network.
I was pleasantly surprised at how simple the set up was. Also the fact that the software comes pre packaged with a massive blocklist to begin filtering content immediately.
There are loads of features to enable in this solution and is relevant to not just to home filtering but also to the business environment.
Maybe you don't want your staff spending time accessing streaming videos for hours on end, easily add domains to the "blacklist" and the traffic will be stopped in it's tracks.
You can direct traffic to your sinkhole on each individual machine but an even better solution is to set up Pi-Hole as a solution where all your devices point to it as the default DNS resolver of choice. Using this scenario you can force all devices on the network to resolve with Pi-Hole first before going out to the internet.
I want to share a bit of how I am utilizing the tool in my home/lab environment.
In my lab I have a desktop server. On that server I run a virtualized 2020 ubuntu server set to bridged. I have Pi-Hole installed on the virtual Ubuntu server. With my bridged Ubuntu server I can now direct traffic to the IP where Pi-Hole is installed. If I wanted to set Pi-Hole as DNS resolver on each device I could do so at this point, however I don't want to do that much work. Also I want Pi-Hole to be the defacto DNS server on my network so that any guests that visit me and ask to use my network will have their traffic filtered and I would be mitigating(to a degree) the risk of someone bringing ransomware etc. into my home network.
So in order to do this I need to tell my router that before users exit my network and access the internet they need to resolve with my Pi-Hole first. This is simple enough and you can find very good instructions at pi-hole.net. Every router is different though so you would need to access your router and do some trouble shooting.
I noticed an impact immediately. Right away I could tell things were cleaner while accessing my browser. The part that amazed me the most was the sheer quantity of queries that were blocked that I was not aware of. Tons of analytics, trackers, ads, redirects etc. Things we just wouldn't think about, which is kind of the point of them existing.
Also an extremely useful aspect of Pi-Hole is that is leans itself well to network analytics. Which sites are blocked the most? which device on the network is sending the most blocked queries? Why is a certain device making queries in the middle of the night when everyone is asleep? So on and so on. The in depth ability to monitor and analyze logs allowed me to gain a better idea of what is happening in my network.
I learned some fascinating things right away.
example 1: My wife's fitbit makes internet queries every 20 min even throughout the night (it was blocked and her watch was no longer synced with her phone[she wasn't happy......I fixed it though!]).
example 2: My primary desktop (Ubuntu 2020) whenever I access Office 365 in browser suddenly literally hundreds of ubuntu-connectivity-checks begin occurring. (this one is weird. Ubuntu?)
example 3: Things like DisneyPlus and Amazon Prime video stop working, which makes sense because you are blocking ads. (It's an easy fix in Pi-Hole, find the blocked query and add it to the "whitelist")
Aside from the ability to block/allow content and the ease of analytics there are a couple hidden benefits of utilizing Pi-Hole.
1) Internet traffic can be faster, potentially.
- what! no way! Yes it is true! Pi-Hole uses a cache to keep traffic of regular visits. If users are accessing data regularly it will give the user the cached content instead of the user having to go and retrieve it from the website. Your users may not notice this, but you as the sysadmin can know that you have done your bit to make your network more efficient. FYI you can view analytics on this as well ;)
2)Mitigation of risks at Intrusion and Exploitation layers of Cyber Kill Chain:
Depending how you have been attacked or whether the security incident is purely accidental you will be mitigating some risks. If we are blocking users from accessing certain things or stripping away some of the opportunity for accidental click-jacking attempts we are doing our part to mitigate risk. Also useful for threat hunting; Who is doing what on my network? what activity is happening? what is the most blocked content/trackers/ads etc. (tracking and tagging)
Is the solution full-proof? No, a resourceful user could potentially circumvent your carefully crafted security solution. But it will do something and should greatly resolve potential issues for the average user on your network.
I can't speak highly enough about this tool. it works beautifully in my home/lab network and I think there is a business case for incorporating this(DNS sinkholes) into an SMB and maybe areas of Enterprise business.