Malware blocklist package?

IvyMike · October 2, 2020, 6:20am

Can anybody recommend a package/tool that will automatically block DNS requests to malware domains, C&C etc based on some publish list?

I see that some of the Adblock packages may allow this to work, but would like to know if anybody is using something specific to malware?

Bobcat · October 2, 2020, 9:34am

There are Malware specific Adblock lists :

github.com

openwrt/packages/blob/master/net/adblock/files/README.md

# DNS based ad/abuse domain blocking

## Description
A lot of people already use adblocker plugins within their desktop browsers, but what if you are using your (smart) phone, tablet, watch or any other (wlan) gadget!? Getting rid of annoying ads, trackers and other abuse sites (like facebook) is simple: block them with your router. When the DNS server on your router receives DNS requests, you will sort out queries that ask for the resource records of ad servers and return a simple 'NXDOMAIN'. This is nothing but **N**on-e**X**istent Internet or Intranet domain name, if domain name is unable to resolved using the DNS server, a condition called the 'NXDOMAIN' occurred.  

## Main Features
* Support of the following fully pre-configured domain blocklist sources (free for private usage, for commercial use please check their individual licenses)

| Source              | Enabled | Size | Focus            | Information                                                                       |
| :------------------ | :-----: | :--- | :--------------- | :-------------------------------------------------------------------------------- |
| adaway              | x       | S    | mobile           | [Link](https://github.com/AdAway/adaway.github.io)                                |
| adguard             | x       | L    | general          | [Link](https://adguard.com)                                                       |
| anti_ad             |         | L    | compilation      | [Link](https://github.com/privacy-protection-tools/anti-AD/blob/master/README.md) |
| android_tracking    |         | S    | tracking         | [Link](https://github.com/Perflyst/PiHoleBlocklist)                               |
| andryou             |         | L    | compilation      | [Link](https://gitlab.com/andryou/block/-/blob/master/readme.md)                  |
| anudeep             |         | M    | compilation      | [Link](https://github.com/anudeepND/blacklist)                                    |
| bitcoin             |         | S    | mining           | [Link](https://github.com/hoshsadiq/adblock-nocoin-list)                          |
| disconnect          | x       | S    | general          | [Link](https://disconnect.me)                                                     |
| energized_blugo     |         | XL   | compilation      | [Link](https://energized.pro)                                                     |
| energized_blu       |         | XL   | compilation      | [Link](https://energized.pro)                                                     |

This file has been truncated. show original

lleachii · October 2, 2020, 4:15pm

IvyMike · October 2, 2020, 8:51pm

Thank you. I've gone with the adblock option plus Openflare DNS malware block. It seems many of the blocklists for malware that adblock is using are 6 months to 2 years old sadly.

lleachii · October 2, 2020, 9:05pm

Are you running the most recent version of OpenWrt/Adblock?

IvyMike · October 2, 2020, 9:28pm

OpenWRT: 19.07.4
Adblock: 4.0.6

Seem fairly recent ....

Bobcat · October 3, 2020, 11:49am

Can you assist me with Openflare, I don't seem to find and would like to consider also...

IvyMike · October 4, 2020, 7:33am

Apologies, I mean to write CloudFlare DNS. Details are here, They offer a malware only filtering address ...details here:

Bobcat · October 4, 2020, 3:42pm

Thanks, I didn't realize, but my secondary DNS 1.1.1.1 was already there. So now I configured primary and secondary as per below :

Furthermore, I agree that the Adblock Malware specific lists seem quite obsolete, dating over 2 years ago.

This leads to a false sense of security, a lot happens in a period of two years, this is like running unpached for 2 years... Unthinkable !

Surely there must be a solution to this issue ?

lleachii · October 4, 2020, 4:09pm

The block lists I receive are up to date. This is why I didn't respond. Feel free to ask in the Adblock support thread if you disagree.

Bobcat · October 4, 2020, 4:41pm

I don't dispute that block lists in general are up to date, but if you follow the link I posted earler, the 2 malware specific links point to very obsolete lists, am I wrong in that assessment ?

dibdot · October 4, 2020, 4:59pm

The two list sources with "malware" in their names have the following time stamps:

malwaredomainlist

I can't see any issue here. Said that, just use other lists/sources if you are not satisfied with the selection or the update frequency. Most of the "general" lists are also includes malware sites - it's up to you to find the "best" sources, derived from your personal surfing behaviour.

IvyMike · October 6, 2020, 7:42am

You are not wrong, Some of the lists are over 2 years old, especially the malware ones. Even the one dibdot pointed to is 10 months old. In the world of rapidly moving malware I think this is going to give some protection but certainly to offer protection from the latest malware campaigns.

Perhaps the block list approach is not right for that kind of protection. As with all things security, it's best provided with multiple layers.

system · October 16, 2020, 7:42am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.