🏷️ NameGate

NameGate is a standalone, independent DNS blocking service similar to Pi-hole. It runs on both Linux (including Raspberry Pi arm/arm64) and Windows. It is extremely easy to set up and deploy, and has a basic web UI that allows whitelisting of domains and hosts, and exposes other features.

⚠️ Disclosure

I wrote this project in a rage-filled frenzy after I couldn't get Pi-hole to run in a Proxmox LXC container. It was largely written over the span of a few evenings and it has been running my home network for the last 6 months with no issues. Still, given the nature of the project and its hasty creation, you probably shouldn't use it in a mission-critical situation.

🥧 Versus Pi-hole

What sets NameGate apart is that it doesn't rely on any other system services or applications such as FTL DNS, dnsmasq, lighttpd, etc. All functionality is contained in one single project, thus it is extremely easy to deploy and maintain.

🧠 Features

NameGate is a very simple project. It features a web interface that can do the following:

  • Whitelist certain domains, including allowing glob-style wildcards.
    • someaddomain.com would only allow queries for that specific domain.
    • *.someaddomain.com would allow queries such as asdf.someaddomain.com, jkl.someaddomain.com, etc.
    • *someaddomain.com would allow the above, as well as names like asdfsomeaddomain.com.
  • Blocklist bypass for certain hosts that shouldn't be subject to domain filtering.
    • By IP, such as 192.168.1.12, 192.168.1.*, etc as above.
    • By Hostname, such as DESKTOP-ASDFJKL, DESKTOP-*, etc as above.
      • Ensure host name lookup is functional using the ReverseLookupServer config option detailed below.
  • A quick tool to check if a domain is blocked.
    • Enter your domain right in the web UI and it will show if it's blocked or not.
  • A simple statistics page to see what kinds of queries are being performed and which hosts are making the most queries (blocked or otherwise).
    • Track which hosts are making the most blocked queries.
    • Track which blocked domains are being queried the most.
  • A live query log, to see what hosts are querying what domains in real time.
    • Useful for diagnostics.
    • Able to see if the request was allowed or blocked.
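The three whitelist pattern forms above differ in how much they let through. The following is an added example, not NameGate's own code, and it assumes the matcher behaves like Python's fnmatch glob matching, case-insensitive and ignoring a trailing dot; the function names and sample data are constructed for illustration. It shows which patterns allow a given name and flags patterns such as *someaddomain.com that also match unrelated names ending in the same string:

```python
from fnmatch import fnmatchcase

def normalize(name):
    """Lower-case and drop the trailing root dot so 'Example.COM.' == 'example.com'."""
    return name.strip().rstrip(".").lower()

def allowed_by(patterns, name):
    """Return every whitelist pattern that would let `name` through."""
    n = normalize(name)
    return [p for p in patterns if fnmatchcase(n, normalize(p))]

def overbroad(patterns):
    """Flag patterns whose leading '*' is not anchored to a label boundary ('*.')."""
    return [p for p in patterns if p.startswith("*") and not p.startswith("*.")]

def audit(patterns, observed):
    """Map each observed name to the patterns allowing it, skipping unmatched names."""
    hits = {name: allowed_by(patterns, name) for name in observed}
    return {name: pats for name, pats in hits.items() if pats}

# Constructed sample data using the pattern forms from the feature list
# (assumption: glob semantics as implemented by fnmatch).
WHITELIST = ["someaddomain.com", "*.someaddomain.com", "*someaddomain.com"]
OBSERVED = ["someaddomain.com.", "asdf.someaddomain.com",
            "asdfsomeaddomain.com", "github.com"]

if __name__ == "__main__":
    for name, pats in audit(WHITELIST, OBSERVED).items():
        print(f"{name:28} allowed by {pats}")
    print("patterns matching across label boundaries:", overbroad(WHITELIST))
```

Running the audit over names taken from the live query log shows which whitelist entries are doing more work than intended.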

🛑 Block lists

Currently, NameGate utilizes three block lists:

  1. The FireBog block list collection, specifically from this URL.
  2. The oisd block list, specifically from this URL.
  3. The Steven Black host list, specifically from this URL.

Block lists are automatically refreshed every 24 hours (configurable), and are cached on disk.

✅ Setup

NameGate is quite simple to deploy. It can be run standalone or as a service, however you choose.

🐋 Running with Docker

Clone this repo and build with docker build -t namegate . (the trailing dot is the build context). You can then start it with something like this:

docker run -p 8080:8080 -p 53:53/udp namegate --DnsServers:0=1.1.1.1 --DnsServers:1=1.0.0.1

This will start NameGate with the Cloudflare DNS servers 1.1.1.1 and 1.0.0.1. To run it as a daemon that starts at boot, use the following:

docker run -d --restart always -p 8080:8080 -p 53:53/udp namegate --DnsServers:0=1.1.1.1 --DnsServers:1=1.0.0.1

📝 Configuration and Starting

Download the latest binaries from the releases page, and extract to your desired location.

Optionally modify appsettings.json, where you can configure which DNS servers are used to fulfill standard queries using the DnsServers array.

You can also configure ReverseLookupServer (--ReverseLookupServer=192.168.0.1 with Docker) to a DNS server that is able to perform IP address reverse lookups, i.e. PTR record lookups. Doing so will show hostnames in the UI, and allow host bypassing by hostname. If left null, NameGate will try the first server in DnsServers.

Launch the service using ./NameGate --urls=http://127.0.0.1:80/.

This will allow you to access the web UI from localhost. If you want to access it from anywhere you could set that IP to 0.0.0.0, but NameGate doesn't currently have any sort of user authentication, so anyone who can reach the port can use the web UI if it is publicly exposed.

If you want to add security to the NameGate web UI, consider a reverse proxy such as Caddy with its basic_auth directive.

🧪 Testing

You can test queries against your NameGate instance using the nslookup command.

  1. Ensure NameGate is running.
  2. Open your terminal and run nslookup.
  3. Enter server 192.168.1.123, or whatever the IP of your NameGate server is.
  4. Enter a domain to look up, such as github.com. (notice the . at the end of the domain; this is important).
    • This should give a normal result that contains the standard GitHub domain lookup results.
  5. Enter a known blocked domain, such as ads.youtube.com. (again with the trailing dot).
    • This should instead give you a REFUSED or Query refused result.

If all this goes well, you should have a functional NameGate instance that is ready for use.
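The same check can be scripted. The following is an added example, not part of NameGate: it builds a DNS query by hand, sends it over UDP, and reads the response code from the reply header, treating REFUSED (RCODE 5) as blocked, as described above. The function names and the server address in the usage line are placeholders.

```python
import secrets
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=None):
    """Encode a single-question DNS query (RFC 1035) for `name`; qtype 1 = A."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify(query, response):
    """Return 'blocked', 'allowed' or 'error:<rcode>' for a reply to `query`."""
    if len(response) < 12:
        raise ValueError("short DNS response")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("not a response to this query")
    rcode = flags & 0x000F
    if rcode == 5:   # REFUSED: what the page says a blocked domain returns
        return "blocked"
    if rcode == 0:   # NOERROR: the query was forwarded and answered
        return "allowed"
    return "error:" + RCODES.get(rcode, str(rcode))

def check(server, name, timeout=2.0):
    """Query `server` on UDP port 53 and classify the answer."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))  # connected socket ignores replies from other hosts
        s.send(query)
        return classify(query, s.recv(4096))

if __name__ == "__main__":
    # 192.168.1.123 is the placeholder server address from the steps above.
    for domain in ("github.com.", "ads.youtube.com."):
        print(domain, check("192.168.1.123", domain))
```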

⚒️ Running as a Service

You can set up the NameGate executable to run as a service on both Linux and Windows.

🐧 Linux (systemd)

Below is an example systemd service file. Place it in /etc/systemd/system/namegate.service, enable it to start at boot using systemctl enable namegate, and start it with systemctl start namegate. Make sure to change the paths below to match where you extracted the files.

[Unit]
Description=NameGate service
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=1
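User=root
WorkingDirectory=/root/NameGate
# 0.0.0.0 serves the web UI, which has no authentication, on every interface.
# Use 127.0.0.1 here if the UI should only be reachable locally or through a reverse proxy.
ExecStart=/root/NameGate/NameGate --urls=http://0.0.0.0:80/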

[Install]
WantedBy=multi-user.target

🪟 Windows

Create the service using the bit of PowerShell below. Make sure to change the path to match where you extracted the files.

$exePath = "C:\NameGate"
New-Service -Name "NameGate" -BinaryPathName "$exePath/NameGate.exe --contentRoot $exePath --urls=http://0.0.0.0:80/" -Description "NameGate service" -DisplayName "NameGate" -StartupType Automatic
Start-Service "NameGate"

To remove the service, use this:

Stop-Service "NameGate"
$service = Get-WmiObject -Class Win32_Service -Filter "Name='NameGate'"
$service.delete()

💥 Troubleshooting

Service won't start

If the service won't start, make sure nothing else is listening on port 53. You can locate the process that's claiming the port using lsof -i :53 on Linux, and netstat -abno on Windows.

In my case (a Proxmox LXC container), systemd-resolved was claiming the port so I disabled it using systemctl disable systemd-resolved.

You can also look at the logs using the console if running standalone, or journalctl -fu namegate -n 100 if running as the systemd service described above.

💡 Technologies

NameGate takes advantage of a number of cool technologies that I'm quite passionate about.