Month: June 2017

Block Malware and Ransomware With Pi-hole

The ability to block ads has become an almost mandatory security control. As seen in this story, malvertising is a vector of infection that is capable of doing significant damage to enterprise networks. There are various tactics that can be deployed to block malvertising in a variety of popular browsers. A great rundown of how to apply these techniques at scale in the enterprise can be found here. But it is possible to do more.

Pi-hole is a simple DNS server that can be deployed on your network to block DNS lookups for servers known to serve advertising. This has the effect of blocking the malvertising before it can ever be downloaded to your system, and works across a variety of platforms, from smartphones to desktops, running Windows, Linux, or Mac OS.

Despite the name, the software does not require a Raspberry Pi. You can run it on one if you wish, but the project also supports a variety of popular Linux distributions. I have installed Pi-hole on a CentOS VM in my lab network.

The interface is simple but offers a number of powerful options. It would be sufficient for all but the most sophisticated networks (those running AD or LDAP, for example). Even on those networks, Pi-hole can be used to answer lookups for advertising domains before forwarding all other queries to BIND or Windows DNS servers.

While some may disagree with the rightness or legality of blocking ads, the fact that malvertising is an infection vector is inescapable. For the owners of sites, contracting with a third party that infects my users' systems is not an acceptable business model. When this gets cleaned up, maybe things like Pi-hole will not be necessary. Until then, I look forward to having it in place as an additional layer of defense on my network.

DHCP on CentOS 7

If you are like me, you have a lab at home running IT products and software a normal person would not have in their home. Also, if you are like me, you purchased a TechNet subscription from Microsoft back in the day to equip your lab with Microsoft Windows Server software in order to test various things and power services on your lab network.

Unfortunately, Microsoft chose to discontinue the TechNet program. This was reportedly due to abuse, with people paying for TechNet instead of buying Office, etc. Regardless, TechNet as we knew it no longer exists, and any Windows Server software obtained while the program was still active is now pretty old. My lab Windows Servers were all running plain-old Server 2008.

Wanting both to transition off an aging Windows platform and to build my Linux knowledge by getting away from Microsoft software for the essential servers in my lab, I undertook a project to begin replacing my DHCP servers running Server 2008 with CentOS 7 servers.

The project was not that difficult, and so far it seems to be successful. The instructions I used here were very good, and if you follow them closely, they are enough to get a Linux-powered DHCP server up and running.

I did run into a couple of issues, however, and will describe them here. First, when defining reservations on your server, make sure that host names are unique. A notebook, for example, may have a reservation for both its wired and wireless interfaces; these will need slightly different names.

Second, once your server is up and running, you will want to verify that it is working properly and issuing the addresses it should be. Since the CentOS server has no GUI, this is a bit trickier than it would be on Windows. What you will want to do is check the /var/lib/dhcpd/dhcpd.leases file, or the /var/log/messages file. The latter will show reservations, while the former is useful for seeing normal leases.
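To make that verification step concrete, here is an added example (my own script, not something from the post or from the CentOS DHCP instructions it links to) that parses constructed samples of the two files and reports any reserved MAC that has not yet been acknowledged at its reserved address. It assumes the standard ISC dhcpd layout of dhcpd.leases and the syslog DHCPACK lines dhcpd writes to /var/log/messages; the addresses, MACs and host names are constructed, and the note in the code about fixed-address hosts not appearing in dhcpd.leases is why the log file is the place to look for reservations.

```python
import re

# Constructed sample of /var/lib/dhcpd/dhcpd.leases (dynamic leases only;
# fixed-address reservations never appear here).
SAMPLE_LEASES = """\
lease 192.168.10.50 {
  starts 2 2017/06/13 14:02:11;
  ends 2 2017/06/13 15:02:11;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "phone-alice";
}
lease 192.168.10.51 {
  binding state free;
  hardware ethernet 66:77:88:99:aa:bb;
}
"""

# Constructed sample of dhcpd lines from /var/log/messages; DHCPACK lines
# are logged for reservations as well as dynamic leases.
SAMPLE_MESSAGES = """\
Jun 13 14:02:11 dhcp1 dhcpd: DHCPREQUEST for 192.168.10.20 from aa:bb:cc:dd:ee:01 (nb-wired) via eth0
Jun 13 14:02:11 dhcp1 dhcpd: DHCPACK on 192.168.10.20 to aa:bb:cc:dd:ee:01 (nb-wired) via eth0
Jun 13 14:05:42 dhcp1 dhcpd: DHCPACK on 192.168.10.21 to aa:bb:cc:dd:ee:02 (nb-wifi) via eth0
Jun 13 14:06:00 dhcp1 dhcpd: DHCPACK on 192.168.10.50 to 00:11:22:33:44:55 (phone-alice) via eth0
"""

LEASE_RE = re.compile(r"lease (\S+) \{(.*?)\}", re.S)
ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \((.*?)\))?")
# "^\s*binding state" is anchored so "next binding state" is not picked up.
FIELDS = (("mac", r"hardware ethernet (\S+);"),
          ("state", r"^\s*binding state (\S+);"),
          ("hostname", r'client-hostname "(.*?)";'))

def parse_leases(text):
    """Map IP -> {mac, state, hostname}; a later block for the same IP wins."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        m = {key: re.search(pat, body, re.M) for key, pat in FIELDS}
        leases[ip] = {key: (v.group(1) if v else None) for key, v in m.items()}
    return leases

def parse_acks(text):
    """Map IP -> (mac, hostname) for every DHCPACK dhcpd logged."""
    return {m.group(1): (m.group(2), m.group(3))
            for m in map(ACK_RE.search, text.splitlines()) if m}

def missing_reservations(expected, acks):
    """expected: {mac: reserved_ip} from the host entries in dhcpd.conf.
    Returns MACs never ACKed at their reserved IP (unseen or wrong address)."""
    by_mac = {mac: ip for ip, (mac, _) in acks.items()}
    return sorted(mac for mac, ip in expected.items() if by_mac.get(mac) != ip)
```

On a real server, read the two files in place of the constructed strings and pass the MAC-to-IP map from your dhcpd.conf host entries to missing_reservations.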

Overall the project works well, and I look forward to the next phase, replacing Windows DNS with BIND.