Building a DNS Sinkhole: Complete Implementation Guide for Network Security

Table of Contents#

Overview#

A DNS sinkhole is a powerful network security mechanism that intercepts DNS queries for known malicious, unwanted, or tracking domains and returns false results, effectively blocking access to these domains at the DNS level. This guide covers multiple implementation approaches from simple to enterprise-grade solutions.

DNS Sinkhole Architecture#

1
graph TB
2
    subgraph "Client Devices"
3
        A[Desktop]
4
        B[Mobile]
5
        C[IoT Device]
6
    end
7

8
    subgraph "DNS Sinkhole"
9
        D[DNS Server]
10
        E[Blocklist Database]
11
        F[Whitelist]
12
        G[Query Logger]
13
    end
14

15
    subgraph "Upstream DNS"
16
        H[Primary DNS]
17
        I[Secondary DNS]
18
        J[DoH/DoT Server]
19
    end
20

21
    subgraph "Responses"
22
        K[Blocked Response<br/>0.0.0.0]
23
        L[Allowed Response<br/>Real IP]
24
    end
25

26
    A --> D
27
    B --> D
28
    C --> D
29

30
    D --> E
31
    D --> F
32
    D --> G
33

34
    E -->|Blocked| K
35
    F -->|Allowed| H
36
    H --> L
37
    I --> L
38
    J --> L
39

40
    style D fill:#4ecdc4,stroke:#087f5b,stroke-width:2px
41
    style E fill:#ff6b6b,stroke:#c92a2a,stroke-width:2px
42
    style L fill:#51cf66,stroke:#2f9e44,stroke-width:2px

Basic DNS Sinkhole Implementation#

Using Dnsmasq#

1
#!/bin/bash
2
# setup-dnsmasq-sinkhole.sh - Basic DNS sinkhole with dnsmasq
3

4
# Install dnsmasq
5
install_dnsmasq() {
6
    if command -v apt-get &> /dev/null; then
7
        sudo apt-get update
8
        sudo apt-get install -y dnsmasq
9
    elif command -v yum &> /dev/null; then
10
        sudo yum install -y dnsmasq
11
    else
12
        echo "Unsupported package manager"
13
        exit 1
14
    fi
15
}
16

17
# Configure dnsmasq
18
configure_dnsmasq() {
19
    # Backup original config
20
    sudo cp /etc/dnsmasq.conf /etc/dnsmasq.conf.backup
21

22
    # Create sinkhole configuration
23
    cat << 'EOF' | sudo tee /etc/dnsmasq.conf
24
# DNS Sinkhole Configuration
25

26
# Listen on all interfaces
27
interface=eth0
28
bind-interfaces
29

30
# Never forward plain names (without a dot or domain part)
31
domain-needed
32

33
# Never forward addresses in the non-routed address spaces
34
bogus-priv
35

36
# Don't read /etc/resolv.conf
37
no-resolv
38

39
# Upstream DNS servers
40
server=8.8.8.8
41
server=8.8.4.4
42
server=1.1.1.1
43

44
# Cache size
45
cache-size=10000
46

47
# Log queries (optional)
48
log-queries
49
log-facility=/var/log/dnsmasq.log
50

51
# Include blocklist configuration
52
conf-dir=/etc/dnsmasq.d/,*.conf
53
EOF
54

55
    # Create blocklist directory
56
    sudo mkdir -p /etc/dnsmasq.d/
57
}
58

59
# Download and setup blocklists
60
setup_blocklists() {
61
    local blocklist_dir="/etc/dnsmasq.d"
62

63
    # Create update script
64
    cat << 'EOF' | sudo tee /usr/local/bin/update-blocklists.sh
65
#!/bin/bash
66

67
BLOCKLIST_DIR="/etc/dnsmasq.d"
68
TEMP_DIR="/tmp/blocklists"
69

70
# Create temp directory
71
mkdir -p "$TEMP_DIR"
72

73
# Blocklist sources
74
declare -A BLOCKLISTS=(
75
    ["abuse"]="https://urlhaus.abuse.ch/downloads/hostfile/"
76
    ["someonewhocares"]="https://someonewhocares.org/hosts/zero/hosts"
77
    ["stevenblack"]="https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
78
    ["adguard"]="https://raw.githubusercontent.com/AdguardTeam/AdguardSDNSFilter/master/Filters/filter.txt"
79
)
80

81
# Download and process blocklists
82
for name in "${!BLOCKLISTS[@]}"; do
83
    url="${BLOCKLISTS[$name]}"
84
    echo "Downloading $name blocklist..."
85

86
    wget -q -O "$TEMP_DIR/${name}.txt" "$url" || continue
87

88
    # Convert to dnsmasq format
89
    grep -E "^(0\.0\.0\.0|127\.0\.0\.1)" "$TEMP_DIR/${name}.txt" | \
90
        awk '{print "address=/" $2 "/0.0.0.0"}' | \
91
        grep -v "localhost" | \
92
        sort -u > "$BLOCKLIST_DIR/${name}.conf"
93
done
94

95
# Combine unique entries
96
cat "$BLOCKLIST_DIR"/*.conf | sort -u > "$BLOCKLIST_DIR/combined.conf.tmp"
97
mv "$BLOCKLIST_DIR/combined.conf.tmp" "$BLOCKLIST_DIR/combined.conf"
98

99
# Remove individual files if using combined
100
rm -f "$BLOCKLIST_DIR"/{abuse,someonewhocares,stevenblack,adguard}.conf
101

102
# Add custom blocks
103
cat >> "$BLOCKLIST_DIR/combined.conf" << 'CUSTOM'
104
# Custom blocked domains
105
address=/doubleclick.net/0.0.0.0
106
address=/googleadservices.com/0.0.0.0
107
address=/googlesyndication.com/0.0.0.0
108
address=/google-analytics.com/0.0.0.0
109
address=/facebook.com/pixel/0.0.0.0
110
CUSTOM
111

112
# Restart dnsmasq
113
systemctl restart dnsmasq
114

115
# Clean up
116
rm -rf "$TEMP_DIR"
117

118
echo "Blocklists updated: $(grep -c "address=" $BLOCKLIST_DIR/combined.conf) domains blocked"
119
EOF
120

121
    sudo chmod +x /usr/local/bin/update-blocklists.sh
122

123
    # Run initial update
124
    sudo /usr/local/bin/update-blocklists.sh
125

126
    # Setup cron job for daily updates
127
    echo "0 3 * * * root /usr/local/bin/update-blocklists.sh" | sudo tee /etc/cron.d/update-blocklists
128
}
129

130
# Setup whitelist
131
setup_whitelist() {
132
    cat << 'EOF' | sudo tee /etc/dnsmasq.d/whitelist.conf
133
# Whitelist - These domains will never be blocked
134
server=/github.com/#
135
server=/stackoverflow.com/#
136
server=/google.com/#
137
server=/cloudflare.com/#
138
EOF
139
}
140

141
# Enable and start service
142
enable_service() {
143
    sudo systemctl enable dnsmasq
144
    sudo systemctl restart dnsmasq
145

146
    # Test configuration
147
    sudo dnsmasq --test
148
}
149

150
# Main setup
151
main() {
152
    echo "Setting up DNS sinkhole with dnsmasq..."
153
    install_dnsmasq
154
    configure_dnsmasq
155
    setup_blocklists
156
    setup_whitelist
157
    enable_service
158
    echo "DNS sinkhole setup complete!"
159
}
160

161
main

Advanced Pi-hole Implementation#

Automated Pi-hole Setup#

1
#!/bin/bash
2
# setup-pihole-advanced.sh - Advanced Pi-hole configuration
3

4
# Install Pi-hole with custom settings
5
install_pihole() {
6
    # Create configuration
7
    cat << 'EOF' > /tmp/pihole-setupVars.conf
8
WEBPASSWORD=changeme
9
PIHOLE_INTERFACE=eth0
10
IPV4_ADDRESS=192.168.1.100/24
11
IPV6_ADDRESS=
12
QUERY_LOGGING=true
13
INSTALL_WEB_SERVER=true
14
INSTALL_WEB_INTERFACE=true
15
LIGHTTPD_ENABLED=true
16
BLOCKING_ENABLED=true
17
PIHOLE_DNS_1=1.1.1.1
18
PIHOLE_DNS_2=1.0.0.1
19
DNS_FQDN_REQUIRED=true
20
DNS_BOGUS_PRIV=true
21
DNSSEC=true
22
TEMPERATUREUNIT=C
23
WEBUIBOXEDLAYOUT=traditional
24
API_EXCLUDE_DOMAINS=
25
API_EXCLUDE_CLIENTS=
26
API_QUERY_LOG_SHOW=all
27
API_PRIVACY_MODE=0
28
EOF
29

30
    # Run Pi-hole installer
31
    curl -sSL https://install.pi-hole.net | sudo bash /dev/stdin --unattended
32
}
33

34
# Configure advanced blocklists
35
configure_blocklists() {
36
    # Add multiple blocklist sources
37
    cat << 'EOF' | sudo tee /etc/pihole/adlists.list
38
# Malware lists
39
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
40
https://someonewhocares.org/hosts/zero/hosts
41
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
42
https://urlhaus.abuse.ch/downloads/hostfile/
43

44
# Advertising lists
45
https://raw.githubusercontent.com/AdguardTeam/AdguardSDNSFilter/master/Filters/filter.txt
46
https://v.firebog.net/hosts/Easylist.txt
47
https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
48

49
# Tracking & Telemetry
50
https://v.firebog.net/hosts/Easyprivacy.txt
51
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
52
https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt
53

54
# Malicious lists
55
https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt
56
https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
57
https://phishing.army/download/phishing_army_blocklist_extended.txt
58

59
# Suspicious lists
60
https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt
61
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts
62
EOF
63

64
    # Update gravity
65
    pihole -g
66
}
67

68
# Setup regex filters
69
setup_regex_filters() {
70
    # Add regex patterns for advanced blocking
71
    cat << 'EOF' | sudo tee /etc/pihole/regex.list
72
# Block all subdomains of tracking domains
73
^(.+\.)?google-analytics\.com$
74
^(.+\.)?googletagmanager\.com$
75
^(.+\.)?doubleclick\.net$
76
^(.+\.)?facebook\.com/tr
77
^(.+\.)?amazon-adsystem\.com$
78

79
# Block cryptocurrency miners
80
^(.+\.)?coinhive\.com$
81
^(.+\.)?coin-hive\.com$
82
^(.+\.)?crypto-loot\.com$
83

84
# Block specific tracking patterns
85
^(.+\.)?metric\.
86
^(.+\.)?telemetry\.
87
^(.+\.)?analytics\.
88
^(.+\.)?tracker\.
89
^(.+\.)?tracking\.
90
EOF
91

92
    # Import regex to database
93
    sudo pihole --regex-add "^(.+\.)?google-analytics\.com$"
94
}
95

96
# Configure DNS settings
97
configure_dns_settings() {
98
    # Setup DNS-over-HTTPS using cloudflared
99
    wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
100
    sudo apt install ./cloudflared-linux-amd64.deb
101

102
    # Configure cloudflared
103
    sudo useradd -s /usr/sbin/nologin -r -M cloudflared
104

105
    cat << 'EOF' | sudo tee /etc/default/cloudflared
106
CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
107
EOF
108

109
    # Create systemd service
110
    cat << 'EOF' | sudo tee /etc/systemd/system/cloudflared.service
111
[Unit]
112
Description=cloudflared DNS over HTTPS proxy
113
After=syslog.target network-online.target
114

115
[Service]
116
Type=simple
117
User=cloudflared
118
EnvironmentFile=/etc/default/cloudflared
119
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
120
Restart=on-failure
121
RestartSec=10
122
KillMode=process
123

124
[Install]
125
WantedBy=multi-user.target
126
EOF
127

128
    sudo systemctl enable cloudflared
129
    sudo systemctl start cloudflared
130

131
    # Configure Pi-hole to use cloudflared
132
    echo "server=127.0.0.1#5053" | sudo tee /etc/dnsmasq.d/01-pihole.conf
133
    sudo systemctl restart pihole-FTL
134
}
135

136
# Setup monitoring and logging
137
setup_monitoring() {
138
    # Create monitoring script
139
    cat << 'EOF' | sudo tee /usr/local/bin/pihole-monitor.sh
140
#!/bin/bash
141

142
# Monitor Pi-hole statistics
143
LOG_DIR="/var/log/pihole-monitor"
144
mkdir -p "$LOG_DIR"
145

146
# Function to get Pi-hole stats
147
get_stats() {
148
    local stats=$(pihole -c -j)
149
    echo "$stats" | jq -r '{
150
        domains_blocked: .domains_being_blocked,
151
        dns_queries_today: .dns_queries_today,
152
        ads_blocked_today: .ads_blocked_today,
153
        ads_percentage_today: .ads_percentage_today,
154
        unique_clients: .unique_clients,
155
        status: .status
156
    }'
157
}
158

159
# Log stats every 5 minutes
160
while true; do
161
    timestamp=$(date '+%Y-%m-%d %H:%M:%S')
162
    stats=$(get_stats)
163
    echo "[$timestamp] $stats" >> "$LOG_DIR/stats.log"
164

165
    # Alert if blocking percentage drops
166
    blocking_percentage=$(echo "$stats" | jq -r '.ads_percentage_today' | cut -d. -f1)
167
    if [[ $blocking_percentage -lt 10 ]]; then
168
        echo "[$timestamp] WARNING: Low blocking percentage: ${blocking_percentage}%" >> "$LOG_DIR/alerts.log"
169
    fi
170

171
    sleep 300
172
done
173
EOF
174

175
    sudo chmod +x /usr/local/bin/pihole-monitor.sh
176

177
    # Create systemd service
178
    cat << 'EOF' | sudo tee /etc/systemd/system/pihole-monitor.service
179
[Unit]
180
Description=Pi-hole Monitoring Service
181
After=pihole-FTL.service
182

183
[Service]
184
Type=simple
185
ExecStart=/usr/local/bin/pihole-monitor.sh
186
Restart=always
187
RestartSec=10
188

189
[Install]
190
WantedBy=multi-user.target
191
EOF
192

193
    sudo systemctl enable pihole-monitor
194
    sudo systemctl start pihole-monitor
195
}

Bind9 DNS Sinkhole#

Enterprise Bind9 Setup#

1
#!/bin/bash
2
# setup-bind9-sinkhole.sh - Enterprise-grade DNS sinkhole with Bind9
3

4
# Install BIND9
5
install_bind9() {
6
    sudo apt-get update
7
    sudo apt-get install -y bind9 bind9utils bind9-doc dnsutils
8
}
9

10
# Configure BIND9 as sinkhole
11
configure_bind9() {
12
    # Backup original config
13
    sudo cp -r /etc/bind /etc/bind.backup
14

15
    # Main configuration
16
    cat << 'EOF' | sudo tee /etc/bind/named.conf.options
17
options {
18
    directory "/var/cache/bind";
19

20
    // Forwarders for non-blocked queries
21
    forwarders {
22
        1.1.1.1;
23
        1.0.0.1;
24
        8.8.8.8;
25
        8.8.4.4;
26
    };
27

28
    // Security settings
29
    dnssec-validation auto;
30
    auth-nxdomain no;
31
    listen-on-v6 { any; };
32

33
    // Access control
34
    allow-query {
35
        localhost;
36
        192.168.0.0/16;
37
        172.16.0.0/12;
38
        10.0.0.0/8;
39
    };
40

41
    // Recursion for internal clients only
42
    recursion yes;
43
    allow-recursion {
44
        localhost;
45
        192.168.0.0/16;
46
        172.16.0.0/12;
47
        10.0.0.0/8;
48
    };
49

50
    // Rate limiting
51
    rate-limit {
52
        responses-per-second 10;
53
        window 5;
54
    };
55

56
    // Query logging
57
    querylog yes;
58
};
59

60
// Logging configuration
61
logging {
62
    channel default_log {
63
        file "/var/log/bind/default.log" versions 3 size 5m;
64
        severity dynamic;
65
        print-time yes;
66
    };
67

68
    channel query_log {
69
        file "/var/log/bind/query.log" versions 3 size 10m;
70
        severity info;
71
        print-time yes;
72
    };
73

74
    channel security_log {
75
        file "/var/log/bind/security.log" versions 3 size 5m;
76
        severity warning;
77
        print-time yes;
78
    };
79

80
    category default { default_log; };
81
    category queries { query_log; };
82
    category security { security_log; };
83
};
84
EOF
85

86
    # Create log directory
87
    sudo mkdir -p /var/log/bind
88
    sudo chown bind:bind /var/log/bind
89
}
90

91
# Setup Response Policy Zones (RPZ)
92
setup_rpz() {
93
    # RPZ configuration
94
    cat << 'EOF' | sudo tee -a /etc/bind/named.conf.options
95

96
// Response Policy Zone configuration
97
response-policy {
98
    zone "malware.rpz" policy given;
99
    zone "ads.rpz" policy given;
100
    zone "tracking.rpz" policy given;
101
    zone "custom.rpz" policy given;
102
};
103
EOF
104

105
    # Include RPZ zones
106
    cat << 'EOF' | sudo tee /etc/bind/named.conf.local
107
// RPZ zones for DNS sinkhole
108

109
zone "malware.rpz" {
110
    type master;
111
    file "/etc/bind/zones/db.malware.rpz";
112
    allow-query { none; };
113
};
114

115
zone "ads.rpz" {
116
    type master;
117
    file "/etc/bind/zones/db.ads.rpz";
118
    allow-query { none; };
119
};
120

121
zone "tracking.rpz" {
122
    type master;
123
    file "/etc/bind/zones/db.tracking.rpz";
124
    allow-query { none; };
125
};
126

127
zone "custom.rpz" {
128
    type master;
129
    file "/etc/bind/zones/db.custom.rpz";
130
    allow-query { none; };
131
};
132

133
// Sinkhole zone
134
zone "sinkhole" {
135
    type master;
136
    file "/etc/bind/zones/db.sinkhole";
137
};
138
EOF
139

140
    # Create zone directory
141
    sudo mkdir -p /etc/bind/zones
142

143
    # Create sinkhole zone file
144
    cat << 'EOF' | sudo tee /etc/bind/zones/db.sinkhole
145
$TTL 86400
146
@       IN      SOA     localhost. root.localhost. (
147
                        2021010101      ; Serial
148
                        3600            ; Refresh
149
                        1800            ; Retry
150
                        604800          ; Expire
151
                        86400 )         ; Minimum TTL
152

153
        IN      NS      localhost.
154
        IN      A       0.0.0.0
155
        IN      AAAA    ::
156
*       IN      A       0.0.0.0
157
*       IN      AAAA    ::
158
EOF
159

160
    # Create RPZ zone template
161
    create_rpz_zone() {
162
        local zone_name=$1
163
        cat << EOF | sudo tee "/etc/bind/zones/db.${zone_name}.rpz"
164
\$TTL 300
165
@       IN      SOA     localhost. root.localhost. (
166
                        $(date +%Y%m%d)01      ; Serial
167
                        3600                    ; Refresh
168
                        1800                    ; Retry
169
                        604800                  ; Expire
170
                        300 )                   ; Minimum TTL
171

172
        IN      NS      localhost.
173

174
; Blocked domains will be added below
175
EOF
176
    }
177

178
    # Create initial RPZ zones
179
    create_rpz_zone "malware"
180
    create_rpz_zone "ads"
181
    create_rpz_zone "tracking"
182
    create_rpz_zone "custom"
183
}
184

185
# Blocklist updater for RPZ
186
create_rpz_updater() {
187
    cat << 'EOF' | sudo tee /usr/local/bin/update-rpz-blocklists.sh
188
#!/bin/bash
189

190
# RPZ Blocklist Updater
191
ZONE_DIR="/etc/bind/zones"
192
TEMP_DIR="/tmp/rpz-update"
193
SERIAL=$(date +%Y%m%d%H)
194

195
mkdir -p "$TEMP_DIR"
196

197
# Function to convert hosts file to RPZ format
198
hosts_to_rpz() {
199
    local input_file=$1
200
    local output_file=$2
201

202
    echo "; Generated from $input_file on $(date)" > "$output_file"
203
    echo "" >> "$output_file"
204

205
    # Extract domains and convert to RPZ format
206
    grep -E "^(0\.0\.0\.0|127\.0\.0\.1)" "$input_file" | \
207
        awk '{if ($2 && $2 != "localhost") print $2 " CNAME sinkhole."}' | \
208
        sort -u >> "$output_file"
209

210
    # Add wildcards for subdomains
211
    grep -E "^(0\.0\.0\.0|127\.0\.0\.1)" "$input_file" | \
212
        awk '{if ($2 && $2 != "localhost") print "*." $2 " CNAME sinkhole."}' | \
213
        sort -u >> "$output_file"
214
}
215

216
# Update malware blocklist
217
echo "Updating malware blocklist..."
218
wget -q -O "$TEMP_DIR/malware-hosts.txt" \
219
    "https://urlhaus.abuse.ch/downloads/hostfile/"
220
hosts_to_rpz "$TEMP_DIR/malware-hosts.txt" "$TEMP_DIR/malware.rpz"
221

222
# Update ads blocklist
223
echo "Updating ads blocklist..."
224
wget -q -O "$TEMP_DIR/ads-hosts.txt" \
225
    "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
226
hosts_to_rpz "$TEMP_DIR/ads-hosts.txt" "$TEMP_DIR/ads.rpz"
227

228
# Update tracking blocklist
229
echo "Updating tracking blocklist..."
230
wget -q -O "$TEMP_DIR/tracking-hosts.txt" \
231
    "https://someonewhocares.org/hosts/zero/hosts"
232
hosts_to_rpz "$TEMP_DIR/tracking-hosts.txt" "$TEMP_DIR/tracking.rpz"
233

234
# Function to update RPZ zone
235
update_rpz_zone() {
236
    local zone_name=$1
237
    local new_data=$2
238
    local zone_file="$ZONE_DIR/db.${zone_name}.rpz"
239

240
    # Create new zone file with updated serial
241
    cat << ZONE > "$TEMP_DIR/${zone_name}.zone"
242
\$TTL 300
243
@       IN      SOA     localhost. root.localhost. (
244
                        $SERIAL         ; Serial
245
                        3600            ; Refresh
246
                        1800            ; Retry
247
                        604800          ; Expire
248
                        300 )           ; Minimum TTL
249

250
        IN      NS      localhost.
251

252
; Blocked domains
253
ZONE
254

255
    cat "$new_data" >> "$TEMP_DIR/${zone_name}.zone"
256

257
    # Check zone syntax
258
    if named-checkzone "${zone_name}.rpz" "$TEMP_DIR/${zone_name}.zone" > /dev/null 2>&1; then
259
        sudo mv "$TEMP_DIR/${zone_name}.zone" "$zone_file"
260
        echo "Updated ${zone_name} RPZ: $(grep -c "CNAME" $zone_file) domains blocked"
261
    else
262
        echo "ERROR: Invalid zone file for ${zone_name}"
263
    fi
264
}
265

266
# Update all zones
267
update_rpz_zone "malware" "$TEMP_DIR/malware.rpz"
268
update_rpz_zone "ads" "$TEMP_DIR/ads.rpz"
269
update_rpz_zone "tracking" "$TEMP_DIR/tracking.rpz"
270

271
# Reload BIND
272
sudo rndc reload
273

274
# Cleanup
275
rm -rf "$TEMP_DIR"
276

277
echo "RPZ blocklists updated successfully"
278
EOF
279

280
    sudo chmod +x /usr/local/bin/update-rpz-blocklists.sh
281

282
    # Create cron job
283
    echo "0 2 * * * root /usr/local/bin/update-rpz-blocklists.sh > /var/log/rpz-update.log 2>&1" | \
284
        sudo tee /etc/cron.d/update-rpz
285
}
286

287
# Setup custom blocking rules
288
setup_custom_blocks() {
289
    cat << 'EOF' | sudo tee -a /etc/bind/zones/db.custom.rpz
290
; Custom blocked domains
291
doubleclick.net         CNAME   sinkhole.
292
*.doubleclick.net       CNAME   sinkhole.
293
googleadservices.com    CNAME   sinkhole.
294
*.googleadservices.com  CNAME   sinkhole.
295
google-analytics.com    CNAME   sinkhole.
296
*.google-analytics.com  CNAME   sinkhole.
297
facebook.com.pixel      CNAME   sinkhole.
298
*.facebook.com.pixel    CNAME   sinkhole.
299

300
; Malware C&C servers (examples)
301
evil-malware.com        CNAME   sinkhole.
302
*.evil-malware.com      CNAME   sinkhole.
303
bad-tracker.net         CNAME   sinkhole.
304
*.bad-tracker.net       CNAME   sinkhole.
305
EOF
306
}
307

308
# Enable and start BIND
309
enable_bind() {
310
    # Check configuration
311
    sudo named-checkconf
312

313
    # Enable and start service
314
    sudo systemctl enable bind9
315
    sudo systemctl restart bind9
316

317
    # Verify it's working
318
    dig @localhost google.com
319
}
320

321
# Main installation
322
main() {
323
    echo "Setting up BIND9 DNS sinkhole..."
324
    install_bind9
325
    configure_bind9
326
    setup_rpz
327
    create_rpz_updater
328
    setup_custom_blocks
329
    enable_bind
330

331
    # Run initial update
332
    sudo /usr/local/bin/update-rpz-blocklists.sh
333

334
    echo "BIND9 DNS sinkhole setup complete!"
335
}
336

337
main

Monitoring and Analytics#

DNS Query Analytics#

1
#!/bin/bash
2
# dns-analytics.sh - Analyze DNS sinkhole queries
3

4
# Parse and analyze DNS logs
5
analyze_dns_logs() {
6
    local log_file="/var/log/bind/query.log"
7
    local output_dir="/var/www/html/dns-stats"
8

9
    mkdir -p "$output_dir"
10

11
    # Extract query statistics
12
    echo "Analyzing DNS queries..."
13

14
    # Top blocked domains
15
    grep "rpz QNAME" "$log_file" | \
16
        awk '{print $8}' | \
17
        sed 's/\.$//' | \
18
        sort | uniq -c | sort -rn | \
19
        head -50 > "$output_dir/top-blocked.txt"
20

21
    # Query types distribution
22
    awk '$0 ~ /query:/ {print $9}' "$log_file" | \
23
        sort | uniq -c | sort -rn > "$output_dir/query-types.txt"
24

25
    # Client statistics
26
    awk '$0 ~ /query:/ {print $6}' "$log_file" | \
27
        cut -d# -f1 | \
28
        sort | uniq -c | sort -rn > "$output_dir/top-clients.txt"
29

30
    # Hourly distribution
31
    awk '{print substr($1,12,2)}' "$log_file" | \
32
        sort | uniq -c > "$output_dir/hourly-distribution.txt"
33
}
34

35
# Generate HTML dashboard
36
generate_dashboard() {
37
    local output_dir="/var/www/html/dns-stats"
38

39
    cat << 'EOF' > "$output_dir/index.html"
40
<!DOCTYPE html>
41
<html>
42
<head>
43
    <title>DNS Sinkhole Analytics</title>
44
    <meta charset="UTF-8">
45
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
46
    <script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
47
    <style>
48
        body {
49
            font-family: Arial, sans-serif;
50
            margin: 20px;
51
            background-color: #f5f5f5;
52
        }
53
        .container {
54
            max-width: 1200px;
55
            margin: 0 auto;
56
        }
57
        .card {
58
            background: white;
59
            border-radius: 8px;
60
            padding: 20px;
61
            margin-bottom: 20px;
62
            box-shadow: 0 2px 4px rgba(0,0,0,0.1);
63
        }
64
        .metric {
65
            display: inline-block;
66
            margin: 10px 20px;
67
        }
68
        .metric-value {
69
            font-size: 2em;
70
            font-weight: bold;
71
            color: #333;
72
        }
73
        .metric-label {
74
            color: #666;
75
            font-size: 0.9em;
76
        }
77
        table {
78
            width: 100%;
79
            border-collapse: collapse;
80
        }
81
        th, td {
82
            padding: 8px 12px;
83
            text-align: left;
84
            border-bottom: 1px solid #ddd;
85
        }
86
        th {
87
            background-color: #f8f9fa;
88
            font-weight: bold;
89
        }
90
        .chart-container {
91
            position: relative;
92
            height: 300px;
93
            margin: 20px 0;
94
        }
95
    </style>
96
</head>
97
<body>
98
    <div class="container">
99
        <h1>DNS Sinkhole Analytics Dashboard</h1>
100

101
        <div class="card">
102
            <h2>Overview</h2>
103
            <div class="metric">
104
                <div class="metric-value" id="total-queries">0</div>
105
                <div class="metric-label">Total Queries</div>
106
            </div>
107
            <div class="metric">
108
                <div class="metric-value" id="blocked-queries">0</div>
109
                <div class="metric-label">Blocked Queries</div>
110
            </div>
111
            <div class="metric">
112
                <div class="metric-value" id="block-rate">0%</div>
113
                <div class="metric-label">Block Rate</div>
114
            </div>
115
            <div class="metric">
116
                <div class="metric-value" id="unique-clients">0</div>
117
                <div class="metric-label">Unique Clients</div>
118
            </div>
119
        </div>
120

121
        <div class="card">
122
            <h2>Query Distribution</h2>
123
            <div class="chart-container">
124
                <canvas id="queryChart"></canvas>
125
            </div>
126
        </div>
127

128
        <div class="card">
129
            <h2>Top Blocked Domains</h2>
130
            <table id="blocked-domains-table">
131
                <thead>
132
                    <tr>
133
                        <th>Domain</th>
134
                        <th>Count</th>
135
                        <th>Category</th>
136
                    </tr>
137
                </thead>
138
                <tbody></tbody>
139
            </table>
140
        </div>
141

142
        <div class="card">
143
            <h2>Client Activity</h2>
144
            <table id="client-table">
145
                <thead>
146
                    <tr>
147
                        <th>Client IP</th>
148
                        <th>Queries</th>
149
                        <th>Blocked</th>
150
                        <th>Block Rate</th>
151
                    </tr>
152
                </thead>
153
                <tbody></tbody>
154
            </table>
155
        </div>
156
    </div>
157

158
    <script>
159
        // Load and display analytics data
160
        async function loadAnalytics() {
161
            try {
162
                const response = await fetch('analytics-data.json');
163
                const data = await response.json();
164

165
                // Update metrics
166
                document.getElementById('total-queries').textContent = data.totalQueries.toLocaleString();
167
                document.getElementById('blocked-queries').textContent = data.blockedQueries.toLocaleString();
168
                document.getElementById('block-rate').textContent = data.blockRate + '%';
169
                document.getElementById('unique-clients').textContent = data.uniqueClients;
170

171
                // Create query distribution chart
172
                const ctx = document.getElementById('queryChart').getContext('2d');
173
                new Chart(ctx, {
174
                    type: 'line',
175
                    data: {
176
                        labels: data.hourlyLabels,
177
                        datasets: [{
178
                            label: 'Total Queries',
179
                            data: data.hourlyQueries,
180
                            borderColor: 'rgb(75, 192, 192)',
181
                            tension: 0.1
182
                        }, {
183
                            label: 'Blocked Queries',
184
                            data: data.hourlyBlocked,
185
                            borderColor: 'rgb(255, 99, 132)',
186
                            tension: 0.1
187
                        }]
188
                    },
189
                    options: {
190
                        responsive: true,
191
                        maintainAspectRatio: false,
192
                        scales: {
193
                            y: {
194
                                beginAtZero: true
195
                            }
196
                        }
197
                    }
198
                });
199

200
                // Populate tables
201
                populateBlockedDomainsTable(data.topBlockedDomains);
202
                populateClientTable(data.topClients);
203

204
            } catch (error) {
205
                console.error('Error loading analytics:', error);
206
            }
207
        }
208

209
        function populateBlockedDomainsTable(domains) {
210
            const tbody = document.querySelector('#blocked-domains-table tbody');
211
            domains.forEach(domain => {
212
                const row = tbody.insertRow();
213
                row.insertCell(0).textContent = domain.name;
214
                row.insertCell(1).textContent = domain.count.toLocaleString();
215
                row.insertCell(2).textContent = domain.category;
216
            });
217
        }
218

219
        function populateClientTable(clients) {
220
            const tbody = document.querySelector('#client-table tbody');
221
            clients.forEach(client => {
222
                const row = tbody.insertRow();
223
                row.insertCell(0).textContent = client.ip;
224
                row.insertCell(1).textContent = client.queries.toLocaleString();
225
                row.insertCell(2).textContent = client.blocked.toLocaleString();
226
                row.insertCell(3).textContent = client.blockRate + '%';
227
            });
228
        }
229

230
        // Load data on page load
231
        loadAnalytics();
232

233
        // Refresh every 5 minutes
234
        setInterval(loadAnalytics, 300000);
235
    </script>
236
</body>
237
</html>
238
EOF
239
}
240

241
# Generate JSON data for dashboard
242
generate_analytics_json() {
243
    local output_dir="/var/www/html/dns-stats"
244
    local log_file="/var/log/bind/query.log"
245

246
    python3 - "$log_file" "$output_dir" << 'EOF'
247
import json
248
import re
249
import sys
250
from collections import defaultdict, Counter
251
from datetime import datetime
252

253
log_file = sys.argv[1]
254
output_dir = sys.argv[2]
255

256
# Initialize counters
257
total_queries = 0
258
blocked_queries = 0
259
hourly_queries = defaultdict(int)
260
hourly_blocked = defaultdict(int)
261
blocked_domains = Counter()
262
client_stats = defaultdict(lambda: {'queries': 0, 'blocked': 0})
263

264
# Parse log file
265
with open(log_file, 'r') as f:
266
    for line in f:
267
        total_queries += 1
268

269
        # Extract timestamp
270
        match = re.search(r'(\d{2}:\d{2}:\d{2})', line)
271
        if match:
272
            hour = match.group(1)[:2]
273
            hourly_queries[hour] += 1
274

275
        # Check if blocked
276
        if 'rpz QNAME' in line:
277
            blocked_queries += 1
278
            if match:
279
                hourly_blocked[hour] += 1
280

281
            # Extract blocked domain
282
            domain_match = re.search(r'rpz QNAME.*?(\S+)\s+IN', line)
283
            if domain_match:
284
                domain = domain_match.group(1).rstrip('.')
285
                blocked_domains[domain] += 1
286

287
        # Extract client IP
288
        client_match = re.search(r'client.*?(\d+\.\d+\.\d+\.\d+)', line)
289
        if client_match:
290
            client = client_match.group(1)
291
            client_stats[client]['queries'] += 1
292
            if 'rpz QNAME' in line:
293
                client_stats[client]['blocked'] += 1
294

295
# Calculate metrics
296
block_rate = round((blocked_queries / total_queries * 100) if total_queries > 0 else 0, 2)
297
unique_clients = len(client_stats)
298

299
# Prepare data for JSON
300
analytics_data = {
301
    'totalQueries': total_queries,
302
    'blockedQueries': blocked_queries,
303
    'blockRate': block_rate,
304
    'uniqueClients': unique_clients,
305
    'hourlyLabels': [f'{h:02d}:00' for h in range(24)],
306
    'hourlyQueries': [hourly_queries.get(f'{h:02d}', 0) for h in range(24)],
307
    'hourlyBlocked': [hourly_blocked.get(f'{h:02d}', 0) for h in range(24)],
308
    'topBlockedDomains': [
309
        {
310
            'name': domain,
311
            'count': count,
312
            'category': categorize_domain(domain)
313
        }
314
        for domain, count in blocked_domains.most_common(50)
315
    ],
316
    'topClients': [
317
        {
318
            'ip': ip,
319
            'queries': stats['queries'],
320
            'blocked': stats['blocked'],
321
            'blockRate': round((stats['blocked'] / stats['queries'] * 100) if stats['queries'] > 0 else 0, 2)
322
        }
323
        for ip, stats in sorted(client_stats.items(), key=lambda x: x[1]['queries'], reverse=True)[:20]
324
    ]
325
}
326

327
def categorize_domain(domain):
328
    if 'google-analytics' in domain or 'googletagmanager' in domain:
329
        return 'Analytics'
330
    elif 'doubleclick' in domain or 'adsystem' in domain:
331
        return 'Advertising'
332
    elif 'facebook' in domain or 'fbcdn' in domain:
333
        return 'Social Media'
334
    elif 'malware' in domain or 'virus' in domain:
335
        return 'Malware'
336
    else:
337
        return 'Other'
338

339
# Write JSON file
340
with open(f'{output_dir}/analytics-data.json', 'w') as f:
341
    json.dump(analytics_data, f, indent=2)
342

343
print(f"Analytics data generated: {total_queries} queries analyzed")
344
EOF
345
}
346

347
# Create analytics cron job
348
setup_analytics_cron() {
349
    cat << 'EOF' | sudo tee /usr/local/bin/update-dns-analytics.sh
350
#!/bin/bash
351

352
# Update DNS analytics
353
/usr/local/bin/dns-analytics.sh
354
EOF
355

356
    sudo chmod +x /usr/local/bin/update-dns-analytics.sh
357

358
    # Run every 15 minutes
359
    echo "*/15 * * * * root /usr/local/bin/update-dns-analytics.sh" | \
360
        sudo tee /etc/cron.d/dns-analytics
361
}

Security Hardening#

DNS Sinkhole Security#

1
graph TD
2
    A[Security Measures] --> B[Access Control]
3
    A --> C[Query Validation]
4
    A --> D[Rate Limiting]
5
    A --> E[Monitoring]
6

7
    B --> F[IP Whitelisting]
8
    B --> G[DNSSEC]
9
    B --> H[ACLs]
10

11
    C --> I[Query Sanitization]
12
    C --> J[Regex Filtering]
13
    C --> K[Response Validation]
14

15
    D --> L[Per-Client Limits]
16
    D --> M[Global Limits]
17
    D --> N[Blacklisting]
18

19
    E --> O[Log Analysis]
20
    E --> P[Anomaly Detection]
21
    E --> Q[Alerting]
22

23
    style A fill:#ff6b6b,stroke:#c92a2a,stroke-width:2px
24
    style C fill:#74c0fc,stroke:#1971c2,stroke-width:2px
25
    style E fill:#4ecdc4,stroke:#087f5b,stroke-width:2px

Security Configuration#

1
#!/bin/bash
2
# secure-dns-sinkhole.sh - Security hardening for DNS sinkhole
3

4
# Configure firewall rules
5
setup_firewall() {
6
    # Allow DNS queries only from internal networks
7
    sudo ufw allow from 192.168.0.0/16 to any port 53
8
    sudo ufw allow from 172.16.0.0/12 to any port 53
9
    sudo ufw allow from 10.0.0.0/8 to any port 53
10

11
    # Allow DNS over TLS/HTTPS
12
    sudo ufw allow 853/tcp  # DoT
13
    sudo ufw allow 443/tcp  # DoH
14

15
    # Rate limiting
16
    sudo iptables -A INPUT -p udp --dport 53 -m recent --set --name DNS
17
    sudo iptables -A INPUT -p udp --dport 53 -m recent --update --seconds 1 --hitcount 10 --name DNS -j DROP
18

19
    # Save rules
20
    sudo netfilter-persistent save
21
}
22

23
# Setup DNSSEC
24
configure_dnssec() {
25
    # Generate DNSSEC keys
26
    cd /etc/bind/keys
27
    sudo dnssec-keygen -a RSASHA256 -b 2048 -n ZONE sinkhole
28
    sudo dnssec-keygen -a RSASHA256 -b 4096 -n ZONE -f KSK sinkhole
29

30
    # Sign zones
31
    sudo dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) \
32
        -N INCREMENT -o sinkhole -t /etc/bind/zones/db.sinkhole
33
}
34

35
# Implement query logging and analysis
36
setup_security_monitoring() {
37
    cat << 'EOF' | sudo tee /usr/local/bin/dns-security-monitor.sh
38
#!/bin/bash
39

40
# DNS Security Monitor
41
LOG_FILE="/var/log/bind/query.log"
42
ALERT_LOG="/var/log/dns-security-alerts.log"
43

44
# Thresholds
45
QUERY_THRESHOLD=1000  # Queries per minute per client
46
NXDOMAIN_THRESHOLD=100  # NXDOMAIN responses per minute
47

48
# Monitor for anomalies
49
tail -F "$LOG_FILE" | while read line; do
50
    # Extract client IP
51
    client=$(echo "$line" | grep -oE 'client[[:space:]]+[^#]+' | awk '{print $2}')
52

53
    # Count queries per client
54
    query_count=$(grep -c "$client" "$LOG_FILE" | tail -n 1000)
55

56
    if [[ $query_count -gt $QUERY_THRESHOLD ]]; then
57
        echo "[$(date)] ALERT: High query rate from $client: $query_count queries" >> "$ALERT_LOG"
58

59
        # Temporarily block client
60
        sudo iptables -A INPUT -s "$client" -p udp --dport 53 -j DROP
61
        echo "[$(date)] Blocked $client for excessive queries" >> "$ALERT_LOG"
62
    fi
63

64
    # Check for DNS tunneling attempts
65
    if echo "$line" | grep -qE "TXT.*[a-zA-Z0-9]{50,}"; then
66
        echo "[$(date)] ALERT: Possible DNS tunneling attempt: $line" >> "$ALERT_LOG"
67
    fi
68

69
    # Check for cache poisoning attempts
70
    if echo "$line" | grep -qE "response.*REFUSED|FORMERR"; then
71
        echo "[$(date)] WARNING: Suspicious response: $line" >> "$ALERT_LOG"
72
    fi
73
done
74
EOF
75

76
    sudo chmod +x /usr/local/bin/dns-security-monitor.sh
77

78
    # Create systemd service
79
    cat << 'EOF' | sudo tee /etc/systemd/system/dns-security-monitor.service
80
[Unit]
81
Description=DNS Security Monitor
82
After=bind9.service
83

84
[Service]
85
Type=simple
86
ExecStart=/usr/local/bin/dns-security-monitor.sh
87
Restart=always
88
RestartSec=10
89

90
[Install]
91
WantedBy=multi-user.target
92
EOF
93

94
    sudo systemctl enable dns-security-monitor
95
    sudo systemctl start dns-security-monitor
96
}

Performance Optimization#

Caching and Performance#

1
#!/bin/bash
2
# optimize-dns-performance.sh - Performance tuning for DNS sinkhole
3

4
# Optimize BIND performance
5
optimize_bind_performance() {
6
    cat << 'EOF' | sudo tee -a /etc/bind/named.conf.options
7

8
// Performance tuning
9
max-cache-size 512M;
10
max-cache-ttl 3600;
11
max-ncache-ttl 300;
12

13
// Thread tuning
14
recursive-clients 10000;
15
tcp-clients 1000;
16
tcp-listen-queue 100;
17

18
// EDNS tuning
19
edns-udp-size 4096;
20
max-udp-size 4096;
21

22
// Prefetch popular records
23
prefetch 2 9;
24

25
// Minimal responses
26
minimal-responses yes;
27
EOF
28
}
29

30
# Setup Redis caching layer
31
setup_redis_cache() {
32
    # Install Redis
33
    sudo apt-get install -y redis-server redis-tools
34

35
    # Configure Redis for DNS caching
36
    cat << 'EOF' | sudo tee -a /etc/redis/redis.conf
37
# DNS Cache Configuration
38
maxmemory 1gb
39
maxmemory-policy allkeys-lru
40
save ""
41
appendonly no
42
EOF
43

44
    # Create DNS cache interface
45
    cat << 'EOF' | sudo tee /usr/local/bin/dns-cache-layer.py
46
#!/usr/bin/env python3
47

48
import redis
49
import socket
50
import struct
51
import threading
52
import time
53

54
class DNSCache:
55
    def __init__(self):
56
        self.redis = redis.Redis(host='localhost', port=6379, db=0)
57
        self.upstream_dns = '127.0.0.1'
58
        self.upstream_port = 5353  # BIND on different port
59

60
    def cache_key(self, query):
61
        return f"dns:{query['name']}:{query['type']}"
62

63
    def get_cached(self, query):
64
        key = self.cache_key(query)
65
        cached = self.redis.get(key)
66
        if cached:
67
            return cached
68
        return None
69

70
    def set_cached(self, query, response, ttl=300):
71
        key = self.cache_key(query)
72
        self.redis.setex(key, ttl, response)
73

74
    def handle_query(self, data, addr, sock):
75
        # Try cache first
76
        cached = self.get_cached(parse_dns_query(data))
77
        if cached:
78
            sock.sendto(cached, addr)
79
            return
80

81
        # Forward to upstream
82
        upstream_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
83
        upstream_sock.sendto(data, (self.upstream_dns, self.upstream_port))
84

85
        response, _ = upstream_sock.recvfrom(4096)
86
        upstream_sock.close()
87

88
        # Cache and return response
89
        self.set_cached(parse_dns_query(data), response)
90
        sock.sendto(response, addr)
91

92
    def run(self):
93
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
94
        sock.bind(('0.0.0.0', 53))
95

96
        while True:
97
            data, addr = sock.recvfrom(4096)
98
            threading.Thread(target=self.handle_query, args=(data, addr, sock)).start()
99

100
if __name__ == '__main__':
101
    cache = DNSCache()
102
    cache.run()
103
EOF
104

105
    sudo chmod +x /usr/local/bin/dns-cache-layer.py
106
}

Integration Examples#

Docker Deployment#

1
# docker-compose.yml - DNS Sinkhole Stack
2
version: "3.8"
3

4
services:
5
  pihole:
6
    container_name: pihole
7
    image: pihole/pihole:latest
8
    ports:
9
      - "53:53/tcp"
10
      - "53:53/udp"
11
      - "67:67/udp"
12
      - "80:80/tcp"
13
    environment:
14
      TZ: "America/New_York"
15
      WEBPASSWORD: "secure_password_here"
16
      PIHOLE_DNS_: "1.1.1.1;1.0.0.1"
17
      DNSSEC: "true"
18
      CONDITIONAL_FORWARDING: "true"
19
      CONDITIONAL_FORWARDING_IP: "192.168.1.1"
20
      CONDITIONAL_FORWARDING_DOMAIN: "local"
21
    volumes:
22
      - "./pihole/etc-pihole:/etc/pihole"
23
      - "./pihole/etc-dnsmasq.d:/etc/dnsmasq.d"
24
    cap_add:
25
      - NET_ADMIN
26
    restart: unless-stopped
27

28
  unbound:
29
    container_name: unbound
30
    image: mvance/unbound:latest
31
    ports:
32
      - "5353:53/tcp"
33
      - "5353:53/udp"
34
    volumes:
35
      - "./unbound:/opt/unbound/etc/unbound"
36
    restart: unless-stopped
37

38
  grafana:
39
    container_name: grafana
40
    image: grafana/grafana:latest
41
    ports:
42
      - "3000:3000"
43
    environment:
44
      - GF_SECURITY_ADMIN_PASSWORD=admin
45
    volumes:
46
      - grafana-storage:/var/lib/grafana
47
      - ./grafana/dashboards:/etc/grafana/provisioning/dashboards
48
    restart: unless-stopped
49

50
  prometheus:
51
    container_name: prometheus
52
    image: prom/prometheus:latest
53
    ports:
54
      - "9090:9090"
55
    volumes:
56
      - ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
57
      - prometheus-storage:/prometheus
58
    command:
59
      - "--config.file=/etc/prometheus/prometheus.yml"
60
      - "--storage.tsdb.path=/prometheus"
61
    restart: unless-stopped
62

63
volumes:
64
  grafana-storage:
65
  prometheus-storage:

Kubernetes Deployment#

1
# dns-sinkhole-k8s.yaml - Kubernetes deployment
2
apiVersion: v1
3
kind: Namespace
4
metadata:
5
  name: dns-sinkhole
6

7
---
8
apiVersion: v1
9
kind: ConfigMap
10
metadata:
11
  name: pihole-config
12
  namespace: dns-sinkhole
13
data:
14
  TZ: "UTC"
15
  PIHOLE_DNS_: "1.1.1.1;1.0.0.1"
16
  DNSSEC: "true"
17

18
---
19
apiVersion: apps/v1
20
kind: Deployment
21
metadata:
22
  name: pihole
23
  namespace: dns-sinkhole
24
spec:
25
  replicas: 2
26
  selector:
27
    matchLabels:
28
      app: pihole
29
  template:
30
    metadata:
31
      labels:
32
        app: pihole
33
    spec:
34
      containers:
35
        - name: pihole
36
          image: pihole/pihole:latest
37
          ports:
38
            - containerPort: 53
39
              protocol: TCP
40
            - containerPort: 53
41
              protocol: UDP
42
            - containerPort: 80
43
              protocol: TCP
44
          envFrom:
45
            - configMapRef:
46
                name: pihole-config
47
          volumeMounts:
48
            - name: pihole-storage
49
              mountPath: /etc/pihole
50
            - name: dnsmasq-storage
51
              mountPath: /etc/dnsmasq.d
52
      volumes:
53
        - name: pihole-storage
54
          persistentVolumeClaim:
55
            claimName: pihole-pvc
56
        - name: dnsmasq-storage
57
          persistentVolumeClaim:
58
            claimName: dnsmasq-pvc
59

60
---
61
apiVersion: v1
62
kind: Service
63
metadata:
64
  name: pihole-dns
65
  namespace: dns-sinkhole
66
spec:
67
  selector:
68
    app: pihole
69
  ports:
70
    - name: dns-tcp
71
      port: 53
72
      protocol: TCP
73
    - name: dns-udp
74
      port: 53
75
      protocol: UDP
76
  type: LoadBalancer
77

78
---
79
apiVersion: v1
80
kind: Service
81
metadata:
82
  name: pihole-web
83
  namespace: dns-sinkhole
84
spec:
85
  selector:
86
    app: pihole
87
  ports:
88
    - name: http
89
      port: 80
90
      protocol: TCP
91
  type: ClusterIP

Maintenance and Updates#

Automated Maintenance#

1
#!/bin/bash
2
# dns-sinkhole-maintenance.sh - Automated maintenance tasks
3

4
# Backup configuration and blocklists
5
backup_sinkhole() {
6
    local backup_dir="/backup/dns-sinkhole/$(date +%Y%m%d)"
7
    mkdir -p "$backup_dir"
8

9
    # Backup Pi-hole
10
    if command -v pihole &> /dev/null; then
11
        pihole -a -t "$backup_dir/pihole-teleporter.tar.gz"
12
    fi
13

14
    # Backup BIND
15
    if [[ -d /etc/bind ]]; then
16
        tar -czf "$backup_dir/bind-config.tar.gz" /etc/bind/
17
    fi
18

19
    # Backup custom scripts
20
    tar -czf "$backup_dir/scripts.tar.gz" /usr/local/bin/*dns* /usr/local/bin/*block*
21

22
    # Rotate old backups (keep last 30 days)
23
    find /backup/dns-sinkhole -type d -mtime +30 -exec rm -rf {} \;
24
}
25

26
# Update all components
27
update_sinkhole() {
28
    echo "Updating DNS sinkhole components..."
29

30
    # Update system packages
31
    sudo apt-get update
32
    sudo apt-get upgrade -y
33

34
    # Update Pi-hole
35
    if command -v pihole &> /dev/null; then
36
        pihole -up
37
    fi
38

39
    # Update blocklists
40
    /usr/local/bin/update-blocklists.sh
41
    /usr/local/bin/update-rpz-blocklists.sh
42

43
    # Restart services
44
    sudo systemctl restart bind9 || true
45
    sudo systemctl restart pihole-FTL || true
46
    sudo systemctl restart dnsmasq || true
47
}
48

49
# Health check
50
health_check() {
51
    local status="healthy"
52

53
    # Check DNS resolution
54
    if ! dig @localhost google.com +short &> /dev/null; then
55
        echo "ERROR: DNS resolution failed"
56
        status="unhealthy"
57
    fi
58

59
    # Check if blocking is working
60
    if ! dig @localhost doubleclick.net +short | grep -q "0.0.0.0"; then
61
        echo "WARNING: Blocking might not be working"
62
        status="degraded"
63
    fi
64

65
    # Check service status
66
    for service in bind9 pihole-FTL dnsmasq; do
67
        if systemctl is-active --quiet $service 2>/dev/null; then
68
            echo "$service: active"
69
        fi
70
    done
71

72
    echo "Health check status: $status"
73
}
74

75
# Main maintenance routine
76
main() {
77
    echo "Starting DNS sinkhole maintenance: $(date)"
78

79
    backup_sinkhole
80
    update_sinkhole
81
    health_check
82

83
    echo "Maintenance completed: $(date)"
84
}
85

86
# Run with logging
87
main 2>&1 | tee -a /var/log/dns-sinkhole-maintenance.log

Best Practices#

Implementation Strategy#

1
graph TD
2
    A[Best Practices] --> B[Planning]
3
    A --> C[Implementation]
4
    A --> D[Operations]
5
    A --> E[Security]
6

7
    B --> F[Network Assessment]
8
    B --> G[Requirements Analysis]
9
    B --> H[Tool Selection]
10

11
    C --> I[Phased Rollout]
12
    C --> J[Testing]
13
    C --> K[Documentation]
14

15
    D --> L[Monitoring]
16
    D --> M[Updates]
17
    D --> N[Backup]
18

19
    E --> O[Access Control]
20
    E --> P[Audit Logging]
21
    E --> Q[Incident Response]
22

23
    style A fill:#4ecdc4,stroke:#087f5b,stroke-width:2px
24
    style C fill:#74c0fc,stroke:#1971c2,stroke-width:2px
25
    style E fill:#ff6b6b,stroke:#c92a2a,stroke-width:2px

Conclusion#

A well-implemented DNS sinkhole provides:

Malware Protection: Blocks communication with C&C servers
Ad Blocking: Eliminates advertisements at the network level
Privacy Enhancement: Prevents tracking and telemetry
Bandwidth Savings: Reduces unnecessary network traffic
Centralized Control: Single point for network-wide filtering
Performance Improvement: Faster browsing through local caching

Key considerations for deployment:

Choose the right solution for your environment (Pi-hole for home, BIND for enterprise)
Maintain updated blocklists from multiple reputable sources
Implement proper monitoring and alerting
Plan for redundancy and high availability
Regular maintenance and updates
User education about false positives and whitelisting

The DNS sinkhole serves as a critical first line of defense in network security, complementing other security measures while improving the overall user experience.