Block Malware and Ransomware With Pi-hole

The ability to block ads has become an almost mandatory security control. As seen in this story, malvertising is a vector of infection that is capable of doing significant damage to enterprise networks. There are various tactics that can be deployed to block malvertising in a variety of popular browsers. A great rundown of how to apply these techniques at scale in the enterprise can be found here. But it is possible to do more.

Pi-hole is a simple DNS server that can be deployed on your network to block DNS lookups for servers known to serve advertising. This has the effect of blocking the malvertising before it can ever be downloaded to your system, and works across a variety of platforms, from smartphones to desktops, running Windows, Linux, or Mac OS.

Despite the name, the software does not require a Raspberry Pi. You can run the software on one if you wish, but it also supports a variety of popular Linux platforms. I have installed Pi-hole on a CentOS VM in my lab network.

The interface is simple but offers a number of powerful options. It would be sufficient for all but the most sophisticated networks (those running AD or LDAP, for example). Even on these networks, Pi-hole can be used to process lookups for advertising domains before forwarding other traffic to BIND or Windows DNS servers.
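The block-or-forward decision described above can be sketched as follows. This is an added example, not Pi-hole's own code: the domains, the upstream address and the function names are constructed for illustration, and the subdomain option is shown because an exact-match list entry does not cover hosts beneath it.

```python
# Added illustration of a DNS sinkhole decision; not Pi-hole's implementation.
# Constructed sample blocklist in hosts-file format (placeholder domains).
SAMPLE_BLOCKLIST = """\
# list header comment
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org  # inline comment
0.0.0.0 localhost
malvertising.example.com
"""

UPSTREAM = "192.0.2.53"  # assumed internal BIND/Windows DNS server (TEST-NET-1)
SINKHOLE = "0.0.0.0"     # unroutable answer handed back for blocked names
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def normalise(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.strip().rstrip(".").lower()


def parse_blocklist(text):
    """Accept 'IP domain [alias...]' hosts lines and bare-domain lines."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment only
        hosts = fields[1:] if len(fields) > 1 else fields
        for host in map(normalise, hosts):
            if host and host not in LOCAL_NAMES:
                blocked.add(host)
    return blocked


def resolve_decision(qname, blocked, match_subdomains=False):
    """Return ('sinkhole', addr) for a blocked name, else ('forward', upstream)."""
    name = normalise(qname)
    candidates = [name]
    if match_subdomains:
        # Also test each parent domain, stopping before the bare TLD.
        labels = name.split(".")
        stop = max(1, len(labels) - 1)
        candidates = [".".join(labels[i:]) for i in range(stop)]
    if any(c in blocked for c in candidates):
        return ("sinkhole", SINKHOLE)
    return ("forward", UPSTREAM)


if __name__ == "__main__":
    bl = parse_blocklist(SAMPLE_BLOCKLIST)
    for q in ("ADS.example.net.", "cdn.ads.example.net", "intranet.corp.example"):
        print(q, resolve_decision(q, bl), resolve_decision(q, bl, True))
```
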

While some may disagree with the rightness or legality of blocking ads, the fact that malvertising is an infection vector is inescapable. For the owners of sites, contracting with a third party to infect my users' systems is not an acceptable business model. When this gets cleaned up, maybe things like Pi-hole will not be necessary. Until then, I look forward to having it in place as an additional layer of defense on my network.
