-
Notifications
You must be signed in to change notification settings - Fork 4
/
gudgeon-full.yml
220 lines (207 loc) · 7.99 KB
/
gudgeon-full.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
---
# ====================================================================
# More full featured block list to show more features and explain them
# ====================================================================
gudgeon:
# filesystem locations for gudgeon data
home: ./.gudgeon/
storage:
# hash storage options are lightweight but cannot report on the rule
# that was violated
# - hash32
# - hash
# memory storage takes a lot more memory but is fast and can report the
# name of the violated rule
# - memory
# bloom storage has a low memory requirement but can produce false-positives
# -bloom
# sqlite is slow and uses disk space but requires almost no memory overhead
# - sqlite
# combining any of the hash or bloom options with sqlite allows them to
# not have any false-positives and allows them to report the rule violation
# while increasing the speed of the sql option
# - bloom+sqlite
# - hash32+sqlite
# - hash+sqlite
rules: "bloom+sqlite"
# global values
global:
maxTtl: 86400 # allow a max ttl of one day
minTtl: 0 # allow immediate expiration ttls
blockResponse: NXDOMAIN # response when a domain is blocked (found in a block list)
# can be NXDOMAIN, ENDPOINT, or a specific IP.
# NXDOMAIN returns NXDOMAIN (no domain found)
# ENDPOINT returns the IP of the endpoint that serviced the request
# Setting a specific IP ("192.168.0.1", "0.0.0.0", or "127.0.0.1") will override the response for that domain
# common database settings for metrics/query log
database:
flush: 1s # shared setting for query log and metrics, this is how often buffered items will be flushed to their target tables (minimum/default is 1s)
# the query log is used to log queries to disk for later inspection or revision
query_log:
enabled: true # enabled by default, to disable query log set to "false"
persist: true # if not true then the queries will only be logged to disk (if that is enabled) (default: true)
duration: 10d # how long to keep queries on disk, older queries are deleted
stdout: false # should queries be logged to standard out
file: ./.gudgeon/logs/query.log # log queries to file AND stdout (you can set stdout to false and log to jsut the file)
lookup: true # enable reverse lookups (default: true)
mdns: true # if lookup is enabled, use mdns/avahi/zeroconf/bonjour for getting device/computer names (default: true)
# if this is enabled, ip reverse lookups are used first
netbios: true # if lookup is enabled, use netbios to lookup unamed services (after ip lookup and mdns lookup)
# metrics can be saved to disk for use by the ui or exported to something like prometheus
metrics:
enabled: true # enabled by default, to disable metrics set to "false"
persist: true # will metrics be persisted to the database, if false only the current interval is visible (default: true)
detailed: true # enabled by default: save per-domain, per-client, per-rule, per-list, per-type metrics
duration: 10d # how long to save metrics for, they will be deleted/removed after this period
interval: 15s # how often to write periodic metrics to the log, lowering the interval increases storage requirements (min is 1s)
# control network options
network:
# enable udp and tcp protocols
tcp: true
udp: true
# interfaces where gudgeon will listen
interfaces:
- ip: 0.0.0.0
port: 5354
sources:
- name: google-sources
spec:
- 8.8.8.8/tcp-tls
- 8.8.4.4/tcp-tls
balance: true
resolvers:
# resolvers specify what dns sources to use. the default resolver
# is used for groups with no resolvers.
- name: default # a name to identify the resolver group
hosts: # you can specify host entries inline
- 172.0.0.1 gudgeon.io # normal host entry
- gudgeon.io apps.gudgeon.io # host alias/cname entry (apps.gudgeon.io is aliased to gudgeon.io)
- 172.0.0.2 *.apps.gudgeon.io # wildcard entry
sources: # a list of sources to use to get IP information
# these can be:
# The IP of an upstream server
# A path to a file (a hosts file or a zone file)
# The name of another DNS group
- local
- internal
- att
- google
- cloudflare
- name: google
sources:
- google-sources
- name: local
search:
- lan
sources:
- /etc/hosts
- name: cloudflare
sources:
- 1.1.1.1
- name: att
domains: # provide the ability to resolve specific addresses from a different dns (and only those addresses)
- att.net # match a glob style string against the domain
- apple.com
- twc.com # match just the (sub) domain
sources:
- 192.168.1.254
- name: internal # you can also do domain matching with local/internal sources
domains:
- "*.lan"
- "*.local"
sources:
- /etc/gudgeon/hosts/localhosts
- 192.168.2.6 # and add local intranet for those sources if required
# a list of lists to get/download/etc and parse for use to block by various groups
lists:
- name: global whitelist
type: allow # explicitly allow entries in this list
src: ".gudgeon/lists/global_whitelist.list"
tags:
- default
- name: stevenblack
src: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
tags:
- ads
- name: malwaredomains
src: https://mirror1.malwaredomains.com/files/justdomains
tags:
- malware
- name: cameleon
src: http://sysctl.org/cameleon/hosts
tags:
- ads
- malware
- name: malvertising
src: https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
tags:
- default
- malicious
# the privacy list has no tags so a "default" tag will be added
- name: privacy
src: https://v.firebog.net/hosts/Easyprivacy.txt
# these are groups that tie hosts to the specific set of blocklists
# that they are supposed to use
groups:
# the group name functions as a tag match and the 'default' group is always present
# but here we are explicitly adding 'ads' and 'malware'. These could also be added
# by setting 'default' as one of the tags on those lists. since the default group
# is always present it will be matched by any non-matched consumer. You cannot restrict
# the default group by consumers.
- name: default
resolvers:
- default
tags:
- default
- ads
- malware
# here we define an extra group for use by specific users/machines that provides
# extra protection against malicious domains. it explicitly adds the 'privacy' list by name as
# well as the 'ads' blacklist.
- name: users
lists:
- privacy
- ads
blockResponse: ENDPOINT # override the block response for this group
# here we define an open group. this would be useful for machines that need
# broader domain access or that have issues with false-positives.
- name: open
# consumers are how machine IPs/endpoints/networks are mapped to groups. all
# unmatched consumers belong to the 'default' group.
consumers:
# the endusers group maps a few IPs (explicitly and by range) to the
# users group which blocks certain categories of DNS domains.
# (and the default group)
- name: endusers
groups:
- default
- users
matches:
# explicit ip match
- ip: 10.0.0.30
# range match
- range:
start: 10.0.0.35
end: 10.0.0.45
# the openmachines group maps to the open (and default) group and does so for the
# entire 10.0.2.0/24 subnet.
- name: openmachines
groups:
- open
- default
matches:
# subnet match
- net: 10.0.2.0/24
# match and allow local networks (routable private networks)
- name: localtraffic
groups:
- default
matches:
- ip: 127.0.0.1
- ip: ::1
- net: 172.0.0.0/8
- net: 192.0.0.0/8
- net: 10.0.0.0/8
# block unmatched consumers by default
- name: default
block: true