Option to mark blocklists as "Trusted/not trusted" #2382

Open
emlimap opened this issue Dec 1, 2020 · 5 comments


emlimap commented Dec 1, 2020

As requested, splitting the feature request out on its own: #2102 (comment)

Problem

With the addition of DNS rewrite syntax in the upcoming version, it allows syncing rewrites across multiple AGH instances with ease by hosting the list on a web server.

This also opens up the possibility of abuse by a malicious actor from one of the lists used by users, by redirecting domains to phishing servers using DNS rewrite rules.

Solution

During the process of adding a block list, a checkbox could be provided that lets the user choose whether to import any DNS rewrites from the list or not. This way the user could let AGH continue importing rewrites from the list they maintain or trust.

We could also leave the import checkbox unticked by default for additional security. Also, a brief explanation underneath would help as well. Something along the lines of: "DNS Rewrite allows overriding DNS records with list-specified entries. Only enable this for blocklists where you trust the maintainers."

Member

ameshkov commented Dec 2, 2020

Let's extend this feature request and introduce a "Trusted" flag to filter lists.

Here are the limitations that are applied to non-trusted lists:

  1. IP addresses in hosts-based blocklists are replaced with null IP (0.0.0.0 or ::)
  2. $dnsrewrite rules are discarded

What else could it be?

Author

emlimap commented Dec 3, 2020

If we are going to rewrite all IP addresses with the null IP in hosts files, how does it work with some lists that have localhost entries, like Dan Pollock's one for example? Will they get rewritten as well?

127.0.0.1	localhost
127.0.0.1	localhost.localdomain
255.255.255.255	broadcasthost
::1		localhost
127.0.0.1	local
::1		ip6-localhost ip6-loopback
fe00::0		ip6-localnet
ff00::0		ip6-mcastprefix
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters
ff02::3		ip6-allhosts

https://www.someonewhocares.org/hosts/

Member

ameshkov commented Dec 4, 2020

> that have localhost entries

I guess localhost entries can be ignored.
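
Added example (not AdGuard Home code and not part of the original thread): Go code applying the two limitations listed above to a non-trusted list, with the localhost exception. The function name, the set of local names (taken from the hosts sample quoted in the thread), the reading of "ignored" as "dropped", and the sample rules are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Names from the hosts sample quoted in this thread (assumed "localhost entries").
var localNames = map[string]bool{"localhost": true, "localhost.localdomain": true,
	"local": true, "broadcasthost": true, "ip6-localhost": true, "ip6-loopback": true,
	"ip6-localnet": true, "ip6-mcastprefix": true, "ip6-allnodes": true,
	"ip6-allrouters": true, "ip6-allhosts": true}

// SanitizeUntrusted (hypothetical name) applies the proposed limits to one list.
func SanitizeUntrusted(lines []string) []string {
	var out []string
	for _, raw := range lines {
		line := strings.TrimSpace(raw)
		if line == "" || line[0] == '#' || line[0] == '!' {
			continue // blank line or comment
		}
		// Limit 2: drop $dnsrewrite rules. Fail closed: any "dnsrewrite" after '$'.
		if i := strings.Index(line, "$"); i >= 0 && strings.Contains(line[i:], "dnsrewrite") {
			continue
		}
		fields := strings.Fields(strings.SplitN(line, "#", 2)[0])
		ip := net.ParseIP(fields[0])
		if ip == nil || len(fields) < 2 {
			out = append(out, line) // not hosts syntax: keep the rule unchanged
			continue
		}
		null := "::" // limit 1: null IP of the same address family
		if ip.To4() != nil {
			null = "0.0.0.0"
		}
		for _, name := range fields[1:] {
			if !localNames[strings.ToLower(name)] { // localhost entries are ignored
				out = append(out, null+" "+name)
			}
		}
	}
	return out
}

func main() {
	// Constructed sample list; 203.0.113.7 is a documentation address.
	sample := []string{"::1 localhost", "203.0.113.7 login.example.org", "||bank.example.org^$dnsrewrite=203.0.113.7", "||ads.example.org^"}
	fmt.Println(strings.Join(SanitizeUntrusted(sample), "\n"))
}
```

The `$dnsrewrite` check is intentionally over-broad, so a rule that merely contains the string "dnsrewrite" after a `$` is dropped as well.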


stale bot commented Feb 2, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Feb 2, 2021
Author

emlimap commented Feb 8, 2021

Bumping this issue so stale bot won't close it for inactivity

@stale stale bot removed the wontfix label Feb 8, 2021
@ameshkov ameshkov changed the title [Feature Request] Option to enable/disable DNS rewrite imports from blocklists Option to mark blocklists as "Trusted/not trusted" Feb 8, 2021
@ameshkov ameshkov added this to the v0.109.0 milestone Feb 8, 2021