Bug#961200: ITP: nfq -- The NFQUEUE based IDN/punycode DNS filter to mitigate homograph phishing attacks

Package: wnpp
Severity: wishlist
Owner: Joachim Bauernberger <joachim.bauernberger@protonmail.ch>

* Package name    : nfq
  Version         : 1.0.6
  Upstream Author : Name <joachim.bauernberger@protonmail.com>
* URL             : https://gitlab.com/jbauernberger/nfq/
* License         : GPLv3
  Programming Lang: C
  Description     : NFQUEUE-based IDN/punycode DNS filter to mitigate
homograph phishing attacks

NFQ is a DNS packet filter built on libnetfilter_queue, the userspace
interface to the Linux kernel's NFQUEUE target. It identifies punycode (IDN)
domain names by matching the "xn--" label prefix in DNS questions and answers,
which stops homograph phishing attacks that rely on IDN lookalike characters
(it does not address pure-ASCII lookalikes such as "rn" for "m"). NFQ can run
directly on a Linux workstation, in front of your DNS cache, or on a gateway.

NFQ is not a replacement for /etc/hosts: it is not a blacklist, which would be
a poor security guarantee against homograph attacks because the set of
possible lookalike domains is unbounded. Instead NFQ blocks all punycode
domains by default and uses an (optional) whitelist to explicitly allow
selected IDN domains which you know are safe.
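The block-by-default, allow-by-exception decision described above, as an added
example in Python (this is not nfq's own code, and nfq's real whitelist format
and CLI are not shown): it parses a raw DNS packet, walks the question and
answer sections (following compression pointers, and including CNAME targets),
flags any label with the "xn--" prefix, and drops the packet unless the
wire-form name is on an assumed allowlist. The packets and the allowlist entry
(münchen.de) are constructed for the example; nothing here is captured traffic.

```python
"""Punycode (IDN) filter decision for raw DNS packets.

Added example, not code from the nfq project. It implements the rule the
description states: drop a packet if any name in its question or answer
section contains an "xn--" label, unless that name is on an explicit
allowlist. Packet bytes and allowlist entries are constructed for the
example; nfq's real configuration format is not shown here.
"""
import struct

def encode_name(name):
    """Wire-encode a dotted ASCII name as length-prefixed labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def read_name(pkt, off):
    """Read a name at `off`, following RFC 1035 compression pointers.
    Returns (labels, offset just past the name in the original stream)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:              # 2-byte pointer to an earlier name
            ptr = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, hops, off = True, hops + 1, ptr
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:                         # root label terminates the name
            if not jumped:
                end = off
            return labels, end
        labels.append(pkt[off:off + length].decode("ascii"))  # wire labels are ASCII
        off += length

def dns_names(pkt):
    """Return every owner name in the question and answer sections, plus
    CNAME targets, as lists of labels."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", pkt, 0)
    names, off = [], 12
    for _ in range(qd):
        labels, off = read_name(pkt, off)
        names.append(labels)
        off += 4                                # QTYPE + QCLASS
    for _ in range(an):
        labels, off = read_name(pkt, off)
        names.append(labels)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 5:                          # CNAME: RDATA is itself a name
            names.append(read_name(pkt, off)[0])
        off += rdlen
    return names

def is_punycode(labels):
    """A-label check per label: the "xn--" prefix marks a punycode label."""
    return any(l.lower().startswith("xn--") for l in labels)

def to_unicode(labels):
    """Decode A-labels to the U-label form a user would see (for logging).
    A malformed xn-- label is still reported, in raw form."""
    wire = ".".join(labels)
    try:
        return wire.encode("ascii").decode("idna")
    except UnicodeError:
        return wire

# Assumed allowlist, kept in wire (A-label) form; this entry is münchen.de
ALLOWLIST = {"xn--mnchen-3ya.de"}

def verdict(pkt, allowlist=ALLOWLIST):
    """Return ("DROP", decoded_name) for the first disallowed IDN name in the
    packet, or ("ACCEPT", None). Non-IDN names are never blocked here."""
    for labels in dns_names(pkt):
        if is_punycode(labels) and ".".join(labels).lower() not in allowlist:
            return "DROP", to_unicode(labels)
    return "ACCEPT", None

# --- constructed sample packets (not captured traffic) ---
def build_query(qname, txid=0x1234):
    """Standard recursive A query for qname."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", 1, 1)

def build_cname_response(qname, target, txid=0x1234):
    """Response whose single answer owner is a pointer (0xC00C) back to the
    question name and whose CNAME RDATA is `target`."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = encode_name(target)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(rdata)) + rdata
    return hdr + build_query(qname)[12:] + answer

if __name__ == "__main__":
    for pkt in (build_query("example.com"),
                build_query("xn--pple-43d.com"),      # Cyrillic а + "pple"
                build_query("xn--mnchen-3ya.de"),     # allowlisted
                build_cname_response("www.example.com", "xn--pple-43d.com")):
        print(verdict(pkt))
```

In an NFQUEUE deployment the packet payload arrives from libnetfilter_queue
and the two verdicts map onto NF_ACCEPT and NF_DROP. The CNAME case shows why
answers must be inspected as well as questions: a plain ASCII query can still
carry a punycode name back in the response.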

       NFQ is for environments with strict anti-phishing policies. We assume:

       •   you are using some kind of DNS cache (e.g. djbdns, dnsmasq, unbound,
etc.) which then forwards any queries to an upstream DNS server (e.g.
8.8.8.8 or 1.1.1.1), and ...

       •   you have configured your browser to use your DNS cache instead of
resolving directly via an upstream resolver over DoH, since nfq cannot inspect
queries inside a DoH TLS session. (nfq works on the kernel queue, so you can
still use DoH for the outgoing forwarded queries from dnsmasq, unbound, etc.;
nfq doesn't prevent you from using DoH.)

       •   you will be adding the iptables rules manually so that nfq can
intercept packets; this is outside the scope of the nfq installer, see the
README and examples for how to do this.
