I was looking for a way to implement Web Filtering on GNU/Linux. While I knew about using squidguard for that purpose, it proved to be quite complicated to set up and particularly challenging to deploy automatically on every workstation, especially when not managed by an Active Directory domain. That's when I came across the DynFi Open Source firewall, which is capable of Web Filtering and utilizes RPZ to achieve this. Thus, I started studying this solution and found a way to implement Web Filtering with RPZ.
In this architecture, we will have a Debian serving as both a DNS and a web server. When a client request for a site that is forbidden (as per a pre-established blocklist), they will be redirected to the web server, where a blocked web page message will be displayed in their browsers.
As described above, we will have two services running on our Debian server: a web server to display a simple text message informing users that they are attempting to connect to a forbidden website, and a DNS service to provide clients with correct or modified DNS responses. For the web server, I will use micro-httpd, which is a lightweight HTTP server that perfectly suits our needs, and Unbound as the DNS server.
To inform users that the requested page is blocked, we will require a web server that will display a denied web page, informing them that the website they are trying to access is forbidden.
root@host:~# apt install micro-httpd
www stream tcp nowait nobody:www-data /usr/sbin/tcpd /usr/sbin/micro-httpd /var/www/html
<!DOCTYPE html> <html> <head> <meta charset="UTF-8"> <title>Access Forbidden</title> </head> <body> <h1>Access Forbidden</h1> <p>Sorry, but you do not have permission to access this page.</p> </body> </html>
root@host:~# chown -R www-data:www-data /var/www/html
Open a web browser and navigate to http://192.168.0.200/ to verify if you can see the blocked web page.
root@host:~# apt install unbound
server: module-config: "respip validator iterator" # Load respip, validator, and iterator modules interface: 192.168.0.200 # Network interface used for DNS queries interface: 127.0.0.1 # Loopback interface used for local DNS queries do-ip4: yes # Enable IPv4 support do-ip6: no # Disable IPv6 support do-udp: yes # Enable UDP support for DNS queries do-tcp: yes # Enable TCP support for DNS queries do-daemonize: yes # Run Unbound as a daemon (in the background) access-control: 0.0.0.0/0 allow # Allow all IP addresses to make DNS queries local-zone: "std.priv." static # Define a local zone for DNS queries local-data: "denied.std.priv. IN A 192.168.0.200" # Define a local DNS entry for a specific domain local-data-ptr: "192.168.0.200 denied.std.priv." # Define a local DNS PTR entry for a specific IP address rpz: name: rpz.std.rocks # RPZ zone name zonefile: /etc/unbound/blacklist.zone # RPZ zone file used for DNS query filtering
*.orange.fr IN A 192.168.0.200 *.google.fr IN A 192.168.0.200
root@host:~# systemctl restart unbound
Now that we have built our web filtering system, it is time to make it useful. To do so, we will download a block list file and format it to make it work with our architecture. There are many different lists available on the internet (search for RPZ block list). Let's try one of the lists available on https://github.com/hagezi/dns-blocklists.
website.to.block CNAME .
website.to.block IN A 192.168.0.200
So, how can we translate the default format to the one useful in our architecture, as seen above? There are different approaches, but personally, I will use the sed editor. Let's see how to do that!
root@host:~# wget https://raw.githubusercontent.com/hagezi/dns-blocklists/main/rpz/multi.txt
root@host:~# sed -i 's/CNAME.*/IN A 192.168.0.200/' multi.txt
Note: To prevent users from bypassing the policy, I recommend adding a DoH/VPN/TOR/Proxy list and blocking DoH IP addresses on your firewall. (Check this list: https://github.com/crypt0rr/public-doh-servers).