Building a Secure DNS Sinkhole with CoreDNS and Smallstep Certificates#

A DNS sinkhole is a server that redirects requests for specific domain names to a controlled IP address, often used for blocking malicious websites or implementing content filtering. This guide demonstrates how to build a secure DNS sinkhole using CoreDNS, a flexible and extensible DNS server, and Smallstep certificates, enabling HTTPS for your custom block pages.

Understanding the Architecture#

1
graph TD
2
    A[Client DNS Request] --> B[CoreDNS Server]
3
    B --> C{Domain in Blocklist?}
4
    C -->|Yes| D[Local Web Server]
5
    C -->|No| E[Forward to Upstream DNS]
6
    D --> F[Custom HTTPS Block Page]
7
    E --> G[Normal DNS Resolution]
8

9
    H[Smallstep CA] --> I[Certificate Issuance]
10
    I --> D
11

12
    subgraph "DNS Sinkhole"
13
    B
14
    D
15
    end

Implementation Options#

There are several approaches to implementing web filtering with custom block pages:

DNS-based filtering (CoreDNS, Pi-hole)
Proxy-based filtering (E2Guardian, Squid with SquidGuard)
Gateway-level filtering (PfSense, OPNsense)
Hybrid solutions (DNS + Proxy)

This guide focuses primarily on the DNS-based approach using CoreDNS with Smallstep certificates, but we’ll also cover alternative approaches.

Implementation Steps with CoreDNS and Smallstep#

1. Installing CoreDNS#

First, install CoreDNS on your server. The installation process varies depending on your operating system. Here’s an example for Debian/Ubuntu:

1
sudo apt update
2
sudo apt install coredns

Alternatively, you can download the binary directly:

1
wget https://github.com/coredns/coredns/releases/download/v1.10.1/coredns_1.10.1_linux_amd64.tgz
2
tar -xzf coredns_1.10.1_linux_amd64.tgz
3
sudo mv coredns /usr/local/bin/

2. Configuring CoreDNS#

Create or modify the CoreDNS configuration file (/etc/coredns/Corefile) to block specific domains and serve a custom block page: