Add option to block all IDN domains


#1

IDN domains are not really useful for most people. But there is high risk of phishing from domains that mimic popular sites.

e.g.

apple.com != аpple.com (xn--pple-43d.com), uses Cyrillic а
adidas.com != adîdas.com (xn--addas-6sa.com)
airasia.com != airasîa.com (xn--airasa-fwa.com)

It would be great if you can block all IDN domains in the settings of pihole.

All IDN domains start with xn--

INTERNATIONALISATION
Dnsmasq can be compiled to support internationalisation. To do this, the make targets “all-i18n” and “install-i18n” should be used instead of the standard targets “all” and “install”. When internationalisation is compiled in, dnsmasq will produce log messages in the local language and support internationalised domain names (IDN). Domain names in /etc/hosts, /etc/ethers and /etc/dnsmasq.conf which contain non-ASCII characters will be translated to the DNS-internal punycode representation. Note that dnsmasq determines both the language for messages and the assumed charset for configuration files from the LANG environment variable. This should be set to the system default value by the script which is responsible for starting dnsmasq. When editing the configuration files, be careful to do so using only the system-default locale and not user-specific one, since dnsmasq has no direct way of determining the charset in use, and must assume that it is the system default.


#2

Do you know how this could be achieved with dnsmasq?


#3

I could not find anything yet.

One possibility would be to run a bash command to convert unicode to punycode and do a regex to check for IDN domain if the option for IDN filtering is set.

$ echo "президент.рф" | idn
xn--d1abbgf6aiiy.xn--p1ai

The following NEW packages will be installed:
idn
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 75.6 kB of archives.

idn is very small

@DL6ER
How is wildcard blocking done in pihole?
You could do the same thing like wildcard but convert the domain to punycode and just check the first 3 letters for 'xn--'.


#4

It is done following the DNS regulations which makes what you suggest impossible, unfortunately.

Let me write down a quick example: You want to contact some.thing.else.com

What happens now is:

  1. Your request goes to the root servers where the first question is: Who knows about .com?
  2. Your second request is now: Who handles else.com where you are already asking the server that is responsible for .com
  3. Then you ask the else.com server for thing.else.com
  4. And eventually you ask the server returned by the latest query where some.thing.else.com can be found.

Wildcard blocking works now in the following way: Say you block com. Then the very first step will already result in a blocked response, because dnsmasq is told to answer all .com requests as blocked. Same goes for else.com. While it will allow all other com requests (like ebay.com), it will block else.com and everything underneath (like another.thing.below.some.thing.else.com).

So blocking xn would block the following:

  • anything below xn

but nothing else (xn.com would be fine, text.xnxn would be fine, etc.).


#5

What I don’t know is how IDN domains are handled inside of pihole.

as президент.рф or are they automatically converted to xn--d1abbgf6aiiy.xn--p1ai

For me it looks like it handles them as xn--d1abbgf6aiiy.xn--p1ai, because it gets blocked if I have xn--d1abbgf6aiiy.xn--p1ai on block list and query президент.рф domain.

So now if the IDN block is enabled. Then I want all domains and subdomains to be blocked.

xn--d1abbgf6aiiy.xn--p1ai blocked
subdomain.xn--d1abbgf6aiiy.xn--p1ai blocked

here a couple domain examples to be blocked from my first post:
xn--pple-43d.com
xn--addas-6sa.com
xn--airasa-fwa.com

they all start with xn and two dashes

so I want a modified wildcard blocking that only looks at the first 4 characters of a domain and blocks it if it is xn--


#6

Unfortunately, that's not how dnsmasq treats a domain. The wildcard blocking is only at the full segment (label) level, working from the right hand end. So, as mentioned above, you could block e.g. com. Or, you could block e.g. someadvertiser.com. But you can't block e.g. *advert*.com or, as in this case, xn--*

One partial option, that I use, is to have a separate conf file that contains blocks on all of the current official IDN domains ie the final segment. It doesn’t, and can’t, catch hostnames using IDN characters but it’s better than nothing.


#7

As things stand this is out of scope due to how the DNS resolver works.


#8

@stonedbovines @DL6ER
Alright, thanks for looking into this.


#9

I found the time to eventually implement GNU Extended Regular Expressions, see the announcement here:

@slawa A suitable regex for you should be

BLOCKINGREGEX=xn--
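
As an added, stand-alone example (not code from this thread, from Pi-hole or from FTLDNS), the script below puts the three mechanisms discussed above side by side: the Unicode-to-punycode conversion that post #3 does with the `idn` tool (here via Python's built-in `idna` codec), the label-level suffix matching that posts #4 and #6 describe for wildcard blocking, and the `xn--` regex from post #9 applied to the punycode form of a query. The hostnames are the ones quoted in the thread; the blocklists and the function names are constructed for the example and are not Pi-hole's own.

```python
import re

# Constructed sample input: the names quoted in the thread. "\u0430" is
# CYRILLIC SMALL LETTER A, which renders like Latin "a" in most fonts.
SAMPLE_NAMES = [
    "apple.com",
    "\u0430pple.com",              # homoglyph of apple.com
    "ad\u00eedas.com",             # adîdas.com
    "airas\u00eea.com",            # airasîa.com
    "президент.рф",
    "subdomain.xn--d1abbgf6aiiy.xn--p1ai",
    "xn.com",
    "text.xnxn",
]


def to_punycode(name: str) -> str:
    """Return the ASCII-compatible (punycode) form of a hostname.

    Python's built-in 'idna' codec applies IDNA 2003 (nameprep, then
    punycode with the 'xn--' prefix) label by label and leaves all-ASCII
    labels untouched, which is what `idn` does for the names in this thread.
    """
    return name.rstrip(".").encode("idna").decode("ascii").lower()


def labels(name: str) -> list[str]:
    """Split the punycode form into its DNS labels, left to right."""
    return to_punycode(name).split(".")


def wildcard_blocked(name: str, blocklist: list[str]) -> bool:
    """Label-level suffix matching, as posts #4 and #6 describe dnsmasq doing.

    Blocking 'else.com' catches else.com and everything beneath it, but an
    entry only ever matches whole labels, so an entry 'xn' catches names
    whose last label is exactly 'xn' and nothing else (xn.com is not caught).
    """
    wanted = labels(name)
    for entry in blocklist:
        suffix = labels(entry)
        if len(suffix) <= len(wanted) and wanted[-len(suffix):] == suffix:
            return True
    return False


def is_idn(name: str) -> bool:
    """True if any label of the name is an IDN label (starts with 'xn--')."""
    return any(label.startswith("xn--") for label in labels(name))


# The regex from post #9, run against the punycode form of the query. As a
# bare substring it also matches '--' sequences that are not an ACE prefix
# (e.g. a label 'foo-xn--bar'); the anchored variant only fires at the
# start of a label.
BLOCKING_REGEX = re.compile(r"xn--")
ANCHORED_IDN_REGEX = re.compile(r"(?:^|\.)xn--")


def regex_blocked(name: str, pattern: re.Pattern = BLOCKING_REGEX) -> bool:
    """Apply a blocking regex to the punycode form of a queried name."""
    return pattern.search(to_punycode(name)) is not None


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n:38} -> {to_punycode(n):38} idn={is_idn(n)!s:5} "
              f"wildcard('xn')={wildcard_blocked(n, ['xn'])!s:5} "
              f"regex={regex_blocked(n)}")
```

Two caveats for anyone reusing this: the built-in codec implements IDNA 2003, while registries today follow IDNA 2008 (the third-party `idna` package), so a handful of characters such as ß encode differently between the two; and a bare `xn--` pattern is a substring match, so anchor it to a label boundary if stray `--` sequences inside ordinary ASCII labels must not be caught.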

#10

Thanks! I saw this on Reddit yesterday.
This is great news. FTLDNS is a big step forward!

I really like this project. I already donated last week without knowing about this new feature.


You already fulfilled your promise (purpose) one week later. :smiley: