From cfa7b6c9e15694ea6a95cbc9422990a7b9bf9889 Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Fri, 27 Sep 2024 16:34:56 +0200 Subject: [run-virt] firewall: Entries for hostnames wihout port are blocked via DNS If we block a host by name instead of IP address, and don't have a specific port only, block the host by filtering DNS lookups. Also, ship a list of public DoH servers so we can block them on the network level. --- .../run-virt/data/etc/systemd/system/dnsmasq.conf | 1 + .../data/opt/openslx/vmchooser/data/doh-servers | 1047 ++++++++++++++++++++ .../vmchooser/run-virt.d/setup_firewall.inc | 58 +- .../opt/openslx/vmchooser/scripts/set-firewall | 98 +- core/modules/run-virt/module.conf | 1 + core/modules/run-virt/module.conf.debian | 1 + core/modules/run-virt/module.conf.ubuntu | 1 + 7 files changed, 1198 insertions(+), 9 deletions(-) create mode 120000 core/modules/run-virt/data/etc/systemd/system/dnsmasq.conf create mode 100644 core/modules/run-virt/data/opt/openslx/vmchooser/data/doh-servers diff --git a/core/modules/run-virt/data/etc/systemd/system/dnsmasq.conf b/core/modules/run-virt/data/etc/systemd/system/dnsmasq.conf new file mode 120000 index 00000000..dc1dc0cd --- /dev/null +++ b/core/modules/run-virt/data/etc/systemd/system/dnsmasq.conf @@ -0,0 +1 @@ +/dev/null \ No newline at end of file diff --git a/core/modules/run-virt/data/opt/openslx/vmchooser/data/doh-servers b/core/modules/run-virt/data/opt/openslx/vmchooser/data/doh-servers new file mode 100644 index 00000000..1c845d2b --- /dev/null +++ b/core/modules/run-virt/data/opt/openslx/vmchooser/data/doh-servers 
@@ -0,0 +1,1047 @@ +1.0.0.2 +1.0.0.3 +102.211.206.93 +103.111.114.25 +103.114.162.65 +103.124.106.233 +103.150.116.100 +103.150.191.84 +103.151.141.132 +103.157.26.111 +103.179.44.127 +103.179.44.73 +103.179.45.6 +103.199.16.93 +103.230.156.210 +103.2.57.5 +103.2.57.6 +103.28.53.16 +103.4.235.188 +103.52.152.237 +103.73.65.33 +103.76.129.94 +103.82.55.174 +103.86.96.100 +103.86.99.100 +104.128.190.108 +104.156.231.119 +104.16.248.249 +104.16.249.249 +104.18.20.135 +104.18.21.135 +104.192.102.132 +104.200.67.194 +104.21.10.53 +104.21.1.225 +104.21.15.217 +104.21.19.42 +104.21.23.50 +104.21.32.104 +104.21.32.168 +104.21.37.15 +104.21.39.232 +104.21.42.155 +104.21.43.188 +104.21.45.43 +104.21.46.83 +104.21.50.235 +104.21.51.174 +104.21.54.170 +104.21.54.247 +104.21.55.112 +104.21.62.158 +104.21.62.45 +104.21.65.213 +104.21.65.52 +104.21.66.214 +104.21.70.2 +104.21.72.75 +104.21.73.30 +104.21.77.24 +104.21.82.77 +104.21.88.221 +104.21.9.198 +104.21.94.149 +104.21.95.188 +104.236.116.148 +104.237.9.13 +104.238.154.123 +104.245.12.187 +104.26.14.167 +104.26.15.167 +104.26.2.137 +104.26.3.137 +104.36.148.46 +104.36.86.181 +106.55.44.79 +107.173.187.132 +107.173.201.165 +108.175.15.215 +108.181.69.153 +108.28.106.117 +108.61.208.139 +109.123.236.250 +109.173.161.127 +109.205.61.98 +109.236.119.2 +109.236.120.2 +109.74.205.250 +1.1.1.2 +1.1.1.3 +112.163.234.84 +112.213.32.219 +1.15.151.82 +116.121.57.111 +116.202.176.26 +116.202.20.237 +116.202.221.233 +116.202.98.177 +116.203.112.223 +116.203.135.71 +118.163.170.2 +124.217.247.170 +128.139.197.53 +128.140.110.120 +128.140.15.70 +128.140.89.73 +128.93.162.64 +129.151.162.166 +129.153.224.48 +129.213.138.95 +129.80.39.60 +130.162.39.94 +130.59.31.248 +130.59.31.251 +130.61.173.117 +130.61.24.160 +130.61.92.162 +132.145.83.120 +132.145.97.66 +134.195.88.13 +134.195.88.130 +134.195.90.139 +134.255.247.23 +135.125.236.63 +135.148.148.66 +135.181.144.157 +138.201.81.119 +138.2.122.236 +138.2.29.144 +138.2.99.140 +139.144.16.229 
+139.162.109.244 +139.199.163.65 +139.84.164.110 +140.238.10.79 +140.238.14.191 +140.238.174.86 +140.238.175.157 +140.238.221.228 +140.238.40.138 +140.238.48.65 +140.83.63.108 +141.144.233.11 +141.145.202.228 +141.147.104.192 +141.94.237.28 +141.98.196.27 +142.132.235.81 +143.47.188.43 +143.47.228.93 +143.47.51.218 +144.22.212.131 +144.22.247.219 +144.24.143.144 +144.76.199.177 +146.112.41.2 +146.112.41.3 +146.112.41.5 +146.255.56.98 +146.56.118.112 +146.56.137.68 +146.56.160.153 +146.56.176.39 +146.56.52.205 +147.189.140.136 +149.112.112.10 +149.112.112.11 +149.112.112.112 +149.112.112.12 +149.112.121.10 +149.112.121.20 +149.112.121.30 +149.112.122.10 +149.112.122.20 +149.112.122.30 +149.154.123.105 +149.154.123.215 +149.154.123.216 +149.28.101.119 +150.230.35.93 +15.197.238.60 +152.67.2.102 +152.67.218.14 +152.69.208.19 +152.70.156.129 +152.70.218.58 +152.70.65.93 +152.89.104.20 +152.89.107.99 +153.126.167.61 +153.135.18.56 +154.16.159.22 +155.138.148.63 +155.248.232.226 +157.20.83.135 +157.230.188.174 +157.90.124.62 +158.101.157.9 +158.64.1.29 +159.69.100.236 +159.69.4.2 +161.132.47.185 +162.14.21.178 +162.14.21.56 +162.159.61.4 +162.254.86.13 +162.55.169.60 +163.172.131.116 +163.47.117.176 +164.90.207.7 +164.90.245.136 +165.140.117.248 +167.235.31.95 +168.119.55.211 +168.138.168.232 +168.138.198.14 +168.235.111.72 +169.150.247.36 +170.205.36.91 +170.249.237.154 +172.104.175.59 +172.104.92.233 +172.105.152.133 +172.232.203.30 +172.233.147.42 +172.233.67.204 +172.64.41.4 +172.65.132.254 +172.65.133.172 +172.65.135.187 +172.65.156.232 +172.67.131.61 +172.67.136.253 +172.67.137.18 +172.67.137.57 +172.67.140.171 +172.67.140.175 +172.67.143.159 +172.67.152.102 +172.67.153.19 +172.67.153.195 +172.67.157.54 +172.67.164.130 +172.67.164.99 +172.67.167.20 +172.67.170.250 +172.67.171.211 +172.67.171.30 +172.67.176.100 +172.67.183.53 +172.67.184.76 +172.67.185.141 +172.67.185.52 +172.67.189.139 +172.67.198.92 +172.67.202.105 +172.67.203.143 +172.67.206.148 +172.67.209.107 
+172.67.209.51 +172.67.213.216 +172.67.217.1 +172.67.219.248 +172.67.69.149 +172.67.75.64 +172.93.186.79 +173.208.212.205 +173.230.148.127 +173.249.203.52 +173.249.208.245 +173.249.208.251 +173.255.201.254 +173.255.240.189 +174.138.29.175 +176.10.125.47 +176.111.223.167 +176.123.10.105 +176.12.45.174 +176.9.1.117 +176.9.25.158 +176.9.93.198 +178.209.51.242 +18.200.70.220 +18.202.82.211 +18.252.156.1 +18.254.96.167 +185.111.188.46 +185.131.216.30 +185.139.7.51 +185.150.99.255 +185.156.205.20 +185.16.60.194 +185.181.61.24 +185.183.159.34 +185.194.53.22 +185.195.69.126 +185.207.106.16 +185.222.222.222 +185.234.52.87 +185.239.86.159 +185.242.177.7 +185.242.177.8 +185.244.195.159 +185.244.27.136 +185.245.97.150 +185.253.111.6 +185.43.135.1 +185.47.221.200 +185.69.161.122 +185.70.9.10 +185.71.138.138 +185.95.218.42 +185.95.218.43 +188.114.96.3 +188.114.96.9 +188.114.97.3 +188.114.97.9 +188.68.50.215 +188.68.57.106 +191.101.18.104 +192.109.42.41 +192.109.42.42 +192.119.93.224 +192.145.47.80 +192.46.232.110 +193.112.107.80 +193.112.16.45 +193.138.214.42 +193.138.214.43 +193.142.58.137 +193.142.58.179 +193.17.47.1 +193.180.80.1 +193.180.80.2 +193.190.182.53 +193.190.198.16 +193.228.1.130 +193.238.153.17 +193.32.87.127 +193.8.172.248 +194.0.5.3 +194.102.181.16 +194.163.165.190 +194.233.65.49 +194.242.2.2 +194.242.2.3 +194.242.2.4 +194.242.2.5 +194.242.2.6 +194.242.2.9 +194.26.213.15 +194.32.107.48 +194.32.107.93 +194.50.19.150 +194.59.156.9 +195.154.112.141 +195.201.131.183 +195.201.21.251 +195.201.39.149 +195.244.44.44 +195.244.44.45 +195.250.245.32 +195.38.160.7 +195.4.132.2 +195.80.119.101 +195.80.119.99 +198.140.141.46 +198.199.103.49 +198.244.189.180 +198.54.117.10 +198.54.117.11 +2001:148f:fffe::1 +2001:148f:ffff::1 +2001:1620:2001::162 +2001:1620:2001::187 +2001:1620:2001::189 +2001:19f0:5:3bd7:5400:4ff:fe05:da83 +2001:19f0:6c01:2f4b:5400:3ff:fed9:e6d6 +2001:19f0:7001:4532:5400:3ff:fe2d:82bb +2001:19f0:8001:5aa:5400:ff:fe58:db8f +2001:19f0:9002:de4:5400:4ff:fe08:7de3 
+2001:19f0:b001:322:5400:2ff:fe2b:4238 +2001:19f0:b400:1d8c:5400:4ff:fe11:b15a +2001:300::5 +2001:300::6 +2001:41d0:1004:3919::1 +2001:41d0:304:200::4576 +2001:41d0:404:200::22ac +2001:41d0:404:200::976 +2001:41d0:601:1100::247c +2001:41d0:601:1100::5780 +2001:41d0:801:2000::4739 +2001:41d0:8:9a14::1 +2001:41d0:e:84c::1 +2001:470:1f2a:1de::2 +2001:470:28:286:1:: +2001:470:28:287:1:: +2001:470:28:aa2:1:: +2001:470:36:3fc:0:feed:dad:b055 +2001:470:8:169::100 +2001:4860:4860::64 +2001:4860:4860::6464 +2001:4860:4860::8844 +2001:4860:4860::8888 +2001:4b98:dc2:41:216:3eff:fe16:1080 +2001:4b98:dc2:41:216:3eff:fe25:d0f0 +2001:4b98:dc2:41:216:3eff:fece:3e55 +2001:550:5a00:5eb::db5:f001 +2001:620:0:ff::2 +2001:620:0:ff::3 +2001:678:6d4:5080::3dea:109 +2001:678:8::3 +2001:678:84:: +2001:678:e68:f000:: +2001:678:ed0:f000:: +2001:67c:1400:800:53::1 +2001:67c:1400:800:53::2 +2001:67c:1401:2120::1 +2001:67c:18c4:5000::57:519 +2001:67c:18c4:5000::57:919 +2001:67c:2354:2::53 +2001:67c:28a4:: +2001:67c:930::1 +2001:67c:a8:1:91:217:86:4 +2001:6a8:3c80::16 +2001:6a8:3c80:c000::53 +2001:6b0:89::32:32:32 +2001:780:250:100::beaf +2001:780:250::beaf +2001:8b0::2022 +2001:8b0::2023 +2001:8d8:820:3a00::b:c47 +2001:910:800::12 +2001:910:800::40 +2001:99a:0:41::1ee4 +2001:a18:1::29 +2001:a60::53:1 +2001:a60::53:2 +2001:b030:1416:ff01::bb +2001:bc8:255e:100::1 +2001:bc8:255e:200::1 +2001:bc8:3d28:100::4 +2003:180:2::4:0:53 +2003:180:2:b000:0:4:0:53 +2003:4:e0b0:102:0:4:0:53 +2003:a:37f:ef4f::1 +2003:a:b15:4500::1 +202.182.121.233 +202.61.199.183 +202.61.236.67 +202.61.240.61 +203.160.55.187 +203.29.240.52 +203.29.241.76 +204.10.79.38 +204.12.237.197 +204.216.154.80 +205.185.117.191 +206.237.1.183 +207.127.93.3 +207.246.68.103 +207.246.87.96 +209.141.45.27 +212.18.0.5 +212.18.3.5 +213.142.225.9 +213.144.137.162 +213.144.137.187 +213.144.137.189 +213.155.91.68 +213.166.247.100 +213.171.210.111 +213.183.86.9 +213.188.209.115 +213.239.221.173 +213.32.25.25 +2.135.147.99 +213.95.149.187 
+216.238.80.219 +217.0.43.146 +217.0.43.50 +217.11.58.196 +217.156.50.25 +217.160.150.14 +217.160.166.161 +217.160.70.42 +217.169.20.22 +217.169.20.23 +217.197.91.153 +217.61.98.63 +220.84.185.202 +223.5.5.5 +223.6.6.6 +23.128.248.2 +23.134.88.71 +23.134.89.23 +23.137.253.24 +23.184.48.19 +23.230.253.98 +23.239.3.190 +23.27.101.191 +23.88.6.31 +23.88.68.113 +23.94.211.166 +23.99.109.92 +2400:3200::1 +2400:3200:baba::1 +2400:4052:3a00:1f00:be24:11ff:fe2b:c18b +2400:52e0:1e00::1080:1 +2400:6180:0:d0::5f73:4001 +2400:6ea0:0:11ae::adc4 +2400:8902::f03c:92ff:fe80:38b7 +2400:8902::f03c:93ff:feb8:2f31 +2400:8905::f03c:93ff:fe1d:a421 +2400:c401::5054:ff:fe1b:b036 +2401:2500:102:3019:153:126:167:61 +2401:2660:1000:421:904b:e0be:e0d9:5409 +2401:2660:1000:477:132a:45d6:77cf:f7dd +2401:c080:1000:4ec0:5400:3ff:fe3b:67c5 +2402:d0c0:16:a1e6:0:b893:bf7:dd +2402:d0c0:18:c8ff:0:b893:bf7:dd +2402:d0c0:22:6cd0:4:4:4:5b81 +2403:cfc0:1114:10e::a +2404:9400:214e:ea00::1 +2404:9400:41a9:4800::1 +2404:fbc0:0:11c8::a324 +2406:da1a:1b5:d610:89b3:1adf:c159:a35e +2407:6ac0:3:5:1234:e34e:72e4:1 +2408:4003:10b8:9ae9:5ef8:7292:9141:6f67 +24.199.70.134 +24.240.146.7 +24.240.146.8 +2.58.53.236 +2600:1901:0:618c:: +2600:1f18:6296:8903::beef +2600:3c00:e000:37a::8:0 +2600:3c00::f03c:93ff:feca:d2be +2600:3c01:e000:130::8:0 +2600:3c01:e000:16f::8:0 +2600:3c01:e000:341::8:0 +2600:3c01:e000:3e2::8:0 +2600:3c01:e000:446::8:0 +2600:3c01:e000:449::8:0 +2600:3c01:e000:7e5::8:0 +2600:3c01:e000:8ae::8:0 +2600:3c02:e000:67d::8:0 +2600:3c02::f03c:93ff:fec9:e0ff +2600:3c0c:e002:4514:: +2600:4c00:80:8::a +2600:6c7f:f000:202::7 +2600:6c7f:f000:202::8 +2602:fb94:1:39::a +2602:fba1:100::71:1 +2602:fba1:d00::23:1 +2602:fc05::2 +2602:fc24:18:33f2::ab1 +2602:fc24:19:74b0:5285::12 +2602:fcc0:2222:0:ff24:a2c7:19c:1 +2602:fe54:22:57::5bd:134 +2602:fea7:e0c:e:bff:6:70:194c +2602:ff75:7:b79::b4b4 +2603:c020:4002:be00:780d:ac99:b43f:299a +2603:c020:5:3566:beef:beef:beef:beef +2603:c021:3:677e:cdd9:1114:78c2:efd0 
+2603:c021:8002:5c77:1e9f:20d:512e:3fc3 +2603:c021:8002:5c77:6a7c:6bf2:eaa0:b8fd +2603:c021:c001:31fa:780:b000:0:415 +2603:c021:c005:aa7e:2300:6ff2:13ff:4e6b +2603:c022:800e:b67e:1011:: +2603:c024:4509:b8aa:420a:4988:30a:5acd +2604:180:f3::132 +2604:4300:a:6e::5 +2604:4300:f03:c1::2 +2604:6600:fd00:90::1b8b:3a3c +2604:a840:2::12e +2604:a880:1:20::16f:f001 +2604:a880:400:d0::923:7001 +2604:a880:800:10::1c1e:1001 +2604:bf00:210:12::2 +2605:6400:20:2258:7acb:91ff:2098:a9 +2605:6400:20:dfa:f54d:c62b:6bc7:3968 +2606:1a40::11 +2606:4700:20::681a:289 +2606:4700:20::681a:389 +2606:4700:20::681a:ea7 +2606:4700:20::681a:fa7 +2606:4700:20::ac43:4595 +2606:4700:20::ac43:4b40 +2606:4700:3030::6815:132a +2606:4700:3030::6815:2bbc +2606:4700:3030::ac43:8caf +2606:4700:3030::ac43:b064 +2606:4700:3030::ac43:ca69 +2606:4700:3030::ac43:d901 +2606:4700:3031::6815:33ae +2606:4700:3031::6815:3e9e +2606:4700:3031::6815:4134 +2606:4700:3031::6815:58dd +2606:4700:3031::6815:fd9 +2606:4700:3031::ac43:8939 +2606:4700:3031::ac43:9d36 +2606:4700:3032::6815:2e53 +2606:4700:3032::ac43:8cab +2606:4700:3032::ac43:8f9f +2606:4700:3032::ac43:aafa +2606:4700:3032::ac43:cb8f +2606:4700:3032::ac43:d133 +2606:4700:3032::ac43:d16b +2606:4700:3032::ac43:dbf8 +2606:4700:3033::6815:1732 +2606:4700:3033::6815:1e1 +2606:4700:3033::6815:20a8 +2606:4700:3033::6815:36f7 +2606:4700:3033::6815:3e2d +2606:4700:3033::6815:4d18 +2606:4700:3033::6815:a35 +2606:4700:3033::ac43:9913 +2606:4700:3033::ac43:c65c +2606:4700:3034::6815:250f +2606:4700:3034::6815:2d2b +2606:4700:3034::6815:32eb +2606:4700:3034::6815:4602 +2606:4700:3034::ac43:abd3 +2606:4700:3034::ac43:ce94 +2606:4700:3035::6815:2068 +2606:4700:3035::6815:484b +2606:4700:3035::6815:5e95 +2606:4700:3035::6815:5fbc +2606:4700:3035::ac43:833d +2606:4700:3035::ac43:88fd +2606:4700:3035::ac43:99c3 +2606:4700:3035::ac43:a482 +2606:4700:3035::ac43:b934 +2606:4700:3036::6815:27e8 +2606:4700:3036::6815:36aa +2606:4700:3036::6815:42d6 +2606:4700:3036::ac43:9866 
+2606:4700:3036::ac43:a463 +2606:4700:3036::ac43:a714 +2606:4700:3036::ac43:b735 +2606:4700:3036::ac43:bd8b +2606:4700:3037::6815:2a9b +2606:4700:3037::6815:41d5 +2606:4700:3037::6815:491e +2606:4700:3037::6815:524d +2606:4700:3037::6815:9c6 +2606:4700:3037::ac43:8912 +2606:4700:3037::ac43:b84c +2606:4700:3037::ac43:b98d +2606:4700:3037::ac43:d5d8 +2606:4700:4700::1002 +2606:4700:4700::1003 +2606:4700:4700::1112 +2606:4700:4700::1113 +2606:4700:4700::64 +2606:4700:4700::6400 +2606:4700::6810:f8f9 +2606:4700::6810:f9f9 +2606:4700::6812:1487 +2606:4700::6812:1587 +2606:4700:80:0:2ad4:f1f5:e65b:5cb5 +2606:4700:80:0:4dc6:39e2:fe25:1947 +2606:4700:80:0:71c6:a964:c160:1480 +2606:4700:80:0:e544:736e:8939:512c +2606:65c0:40:4:5f3:54c4:8d10:9b98 +2606:6680:19:1::4fb4:71a7 +2606:6680:29:1::5859:a37b +2606:6680:35:1::506d:8ce2 +2606:6680:53:1::846a:bd79 +2606:6680:6:1::3ea9:3ce6 +2606:a8c0:3:202::a +2606:fc40:4003:f::a +2607:1e40:1:10a4::19:ca84 +2607:7b00:3004:ffff::a68d:5a2e +2620:10a:80bb::10 +2620:10a:80bb::20 +2620:10a:80bb::30 +2620:10a:80bc::10 +2620:10a:80bc::20 +2620:10a:80bc::30 +2620:119:fc::2 +2620:119:fc::3 +2620:119:fc::5 +2620:fe::10 +2620:fe::11 +2620:fe::12 +2620:fe::9 +2620:fe::fe +2620:fe::fe:10 +2620:fe::fe:11 +2620:fe::fe:12 +2803:f800:53::4 +2a00:1828:2000:906::196 +2a00:6a00:ad1:806::83 +2a00:6a00:ad1:806::86 +2a00:c98:2200:af06:5::1 +2a00:da00:1800:8302::1 +2a00:da00:1800:834c::1 +2a00:dca0:100:5:dead:face:beef:babe +2a01:239:2fd:b700::1 +2a01:4f8:10a:1d8f::2 +2a01:4f8:10b:1e2f::6 +2a01:4f8:13b:3407::face +2a01:4f8:141:1063:1::3 +2a01:4f8:141:316d::117 +2a01:4f8:151:34aa::198 +2a01:4f8:172:1d2a::2 +2a01:4f8:1c0c:70d1::1 +2a01:4f8:1c0c:8269::2:853 +2a01:4f8:1c0c:8274::1 +2a01:4f8:1c0c:832d:: +2a01:4f8:1c17:8090::1:853 +2a01:4f8:1c1c:8193::1 +2a01:4f8:1c1c:f5e1::1 +2a01:4f8:1c1e:60f4::a7eb:1f5f +2a01:4f8:200:80ee::1 +2a01:4f8:221:e54::2 +2a01:4f8:241:55eb::2 +2a01:4f8:272:3d5f:1::3 +2a01:4f8:272:5917::baad:c0de +2a01:4f8:a0:6396:1::3 
+2a01:4f8:c010:8396::1 +2a01:4f8:c010:af93::1 +2a01:4f8:c012:ed89::208 +2a01:4f8:c013:5ec0::154 +2a01:4f8:c0c:3a78:: +2a01:4f8:c17:2c61::213 +2a01:4f8:c17:2cbd::2 +2a01:4f8:c17:4fbc::2 +2a01:4f8:c17:ec67::1 +2a01:4f8:c17:f85c::1 +2a01:4f9:2b:1305::2 +2a01:4f9:c010:d7f4::1 +2a01:4f9:c010:e00e::2 +2a01:4f9:c011:addc::1 +2a01:4f9:c01f:74::1 +2a01:678:3:8::2 +2a01:678:3:9::2 +2a01:678:3:a::2 +2a01:7e01::f03c:92ff:fea3:14b0 +2a01:8740:1:40::8a25 +2a01:cb19:8aa2:4ef9:6e2b:59ff:fee8:7a13 +2a02:1b8:10:234::2 +2a02:247a:266:7500::1 +2a02:24d8:71:f194::9 +2a02:24d8:71:f213::86:9 +2a02:27a8:feed::81 +2a02:6ca3:0:1::2 +2a02:6ca3:0:2::2 +2a02:88:1:e:807::101 +2a02:88:1:e:807::99 +2a02:c207:3005:3352::1 +2a03:3b40:fe:26f::1 +2a03:4000:1d:36d::1 +2a03:4000:29:5aa::b182:4444 +2a03:4000:32:16a::1 +2a03:4000:38:20e::853 +2a03:4000:39:7d:: +2a03:4000:42:6c5::1 +2a03:4000:47:8b::1 +2a03:4000:59:de9:202:61:199:183 +2a03:4000:5c:51:24b9:51ff:fe80:f3a7 +2a03:4000:5d:64:1446:62ff:fe9c:f7a4 +2a03:4000:6:d07e:: +2a03:4000:a:71::1 +2a03:94e0:1804::1 +2a03:94e0:271f::5b1 +2a03:94e0:ffff:194:32:107:0:93 +2a03:94e3:222b::1032 +2a03:b0c0:3:d0::2b46:d001 +2a03:c7c0:52:2641:180::13 +2a03:d780:0:196::3e84:56af +2a04:52c0:101:75::75 +2a04:6f00:4::17a +2a05:4140:700:e::a +2a05:5502::5906:97f8:2d0e:1 +2a05:91c0:503:7314::1 +2a05:9406::ae1 +2a05:d018:ef5:3700::d +2a05:d018:ef5:3701::d +2a05:f480:2400:1932:5400:5ff:fe12:8046 +2a05:fc84::42 +2a05:fc84::43 +2a06:1c40:3::13 +2a06:98c1:3120::3 +2a06:98c1:3120::9 +2a06:98c1:3121::3 +2a06:98c1:3121::9 +2a06:98c1:52::4 +2a06:a005:2e60:616:64f4:57ff:fed0:220a +2a06:f902:4001:100:9000:9000:39a4:5feb +2a06:f902:8001:100::1757:e617 +2a07:a105:c0f:fee::20 +2a07:e340::2 +2a07:e340::3 +2a07:e340::4 +2a07:e340::5 +2a07:e340::6 +2a07:e340::9 +2a09:: +2a09:6382:4000:3:45:155:171:163 +2a09:8280:1::5b:8a28 +2a09:8280:1::6:293 +2a09:b280:fe00:24::a +2a09:cd43:f:42a1::5 +2a09:cd46:f:429e::5 +2a0a:51c0:0:75::150 +2a0a:51c0::7fe +2a0a:6040:4050:: +2a0a:6040:973d::a 
+2a0a:be80::cbe:4444 +2a0a:be80::cbe:4445 +2a0c:8902::53 +2a0c:8fc1:8004:553::145a:bbf9 +2a0c:8fc3:3:1:2:3:4:5 +2a0c:8fc3:6402::1:984 +2a0c:8fc3:8002::2216 +2a0c:b641:6f4:f::d +2a0c:b840:2:162:1808:0:1c:9b6c +2a0d:8140:0:13:2915:af:0:18 +2a0d:f302:110:6517::bb4:214 +2a0e:1d80:21:9cc2::1 +2a0e:1d80:31:8a56:0:b0e:5e:0 +2a0f:5707:aa81:5e3c::1 +2a0f:5707:ab80:334e:2:2:2cd2:a8bc +2a0f:b505::53 +2a0f:ca81:133b:3cb5::b1b1:641 +2a10:50c0::1:ff +2a10:50c0::2:ff +2a10:50c0::ad1:ff +2a10:50c0::ad2:ff +2a10:50c0::bad1:ff +2a10:50c0::bad2:ff +2a11:7980:2:110::2 +2a11:a380::195:38:160:7 +2a12:1fc0:0:c::3 +2a12:9080:2:32::a +2a12:e342:200::2:1819 +2a13:9401:0:1::3d58:1 +3.108.130.184 +3.140.31.159 +3.33.242.199 +34.159.232.134 +35.239.47.122 +35.244.235.81 +35.247.39.128 +37.120.183.220 +37.120.187.202 +37.187.24.84 +37.205.14.73 +37.228.132.139 +37.58.48.132 +38.242.157.80 +38.45.64.117 +43.154.154.162 +44.232.93.239 +45.11.230.8 +45.129.181.164 +45.133.118.50 +45.14.115.125 +45.146.7.7 +45.154.109.53 +45.155.171.163 +45.33.105.91 +45.33.60.119 +45.41.204.204 +45.63.127.24 +45.67.84.132 +45.76.113.31 +45.78.49.81 +45.79.102.67 +45.79.104.153 +45.79.17.103 +45.79.208.98 +45.79.33.43 +45.79.94.155 +45.86.125.58 +45.90.59.193 +45.91.93.216 +45.91.93.218 +46.101.110.57 +46.102.156.165 +46.165.252.147 +46.226.108.173 +46.226.109.82 +46.226.110.211 +46.226.143.83 +46.226.143.86 +46.4.112.109 +47.107.121.125 +47.242.16.95 +47.242.67.184 +47.243.233.55 +49.12.222.213 +49.12.223.2 +49.12.43.208 +49.13.95.125 +50.116.59.251 +5.11.11.11 +5.11.11.5 +51.15.37.162 +51.158.147.92 +51.159.67.129 +51.178.82.98 +51.195.150.216 +51.254.25.115 +5.134.118.198 +5.135.183.5 +51.38.131.12 +5.1.66.255 +51.75.246.96 +51.77.149.139 +5.196.74.76 +52.154.75.179 +52.246.182.50 +5.255.103.159 +5.255.111.70 +5.2.72.7 +5.2.75.75 +5.39.88.20 +54.36.101.164 +54.37.41.207 +54.38.55.250 +54.90.232.69 +5.75.228.192 +5.78.102.99 +5.78.98.38 +59.127.175.174 +63.133.223.138 +63.32.212.172 +64.110.86.188 +64.44.177.34 
+64.44.177.36 +65.108.54.17 +65.108.87.118 +65.21.253.73 +66.175.223.143 +66.187.7.140 +66.228.61.140 +68.169.150.60 +70.34.252.6 +72.18.215.236 +72.18.215.51 +74.48.72.158 +76.76.2.11 +77.37.65.108 +77.68.88.220 +77.83.241.145 +78.46.244.143 +78.47.163.141 +78.47.227.151 +78.94.217.198 +79.124.77.3 +79.143.240.77 +79.143.240.79 +79.143.240.81 +80.147.149.90 +80.156.145.201 +80.211.133.9 +80.67.169.12 +80.67.169.40 +81.196.104.182 +81.27.162.100 +8.141.10.168 +8.218.192.32 +8.218.33.237 +82.223.100.39 +83.138.55.186 +83.229.70.182 +83.85.23.157 +84.17.52.129 +84.17.52.155 +84.17.52.241 +84.33.14.10 +84.33.15.100 +84.33.244.100 +84.33.245.10 +85.120.84.5 +85.156.167.31 +85.214.111.78 +85.215.66.120 +85.235.65.70 +86.249.251.235 +87.128.10.46 +87.128.111.190 +88.116.200.30 +88.198.122.154 +88.218.206.137 +8.8.4.4 +8.8.8.8 +88.99.192.229 +88.99.93.80 +88.99.98.111 +89.117.2.17 +89.233.105.6 +89.32.32.32 +89.36.162.187 +89.43.174.10 +89.57.45.206 +89.58.3.251 +91.106.132.51 +91.107.198.189 +91.198.156.20 +91.207.154.1 +91.207.155.1 +91.217.86.4 +91.239.100.100 +91.239.27.199 +92.118.190.129 +92.205.21.178 +93.177.64.13 +93.190.126.69 +93.221.58.179 +93.231.21.215 +93.4.84.37 +93.95.115.21 +94.130.135.203 +94.130.150.217 +94.130.179.136 +94.130.32.254 +94.140.14.14 +94.140.14.140 +94.140.14.141 +94.140.14.15 +94.140.15.15 +94.140.15.16 +94.16.117.107 +94.22.239.116 +95.111.236.127 +95.131.202.105 +95.143.196.190 +95.174.68.142 +95.174.68.242 +95.174.68.73 +95.179.161.138 +95.215.19.53 +95.216.99.249 +95.217.25.217 +95.217.6.67 +95.98.38.58 +96.126.98.101 +96.9.213.120 +99.80.192.194 +9.9.9.10 +9.9.9.11 +9.9.9.12 +9.9.9.9 diff --git a/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc b/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc index 097e9660..22b3bd10 100644 --- a/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc 
+++ b/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc @@ -7,15 +7,71 @@ setup_firewall () { local LOGF="${TMPDIR}/firewall.log" local RET [ "$DISPLAY" = ":0" ] || return 0 # For now, to avoid conflicts, we only do this on display :0 - slxfwtool "$IMGUUID" > "$LOGF" 2>&1 + # dnsmasq.conf + declare -rg DNSMASQ_CONF="$TMPDIR/dnsmasq.$RANDOM.conf" + if ! touch "$DNSMASQ_CONF"; then + slxlog "virt-firewall" "Error creating temporary config file for dnsmasq" + return 1 + fi + # Get free port + local port try + port= + while [ -z "$port" ]; do + try=$(( RANDOM % 40000 + 10000 )) + ( netstat -tuln || ss -tuln ) | grep -qP ":$port\\s" && continue + port="$try" + done + # Run iptables helper + slxfwtool "$IMGUUID" "$DNSMASQ_CONF" "$port" &> "$LOGF" RET=$? if [ "$RET" != "0" ]; then slxlog "virt-firewall" "Error setting up firewall rules for lecture $IMGUUID (Exit code $RET)" "$LOGF" return 1 fi + # Run dnsmasq if applicable + if [ -s "$DNSMASQ_CONF" ]; then + cat >> "$DNSMASQ_CONF" <<-DNSCONF + keep-in-foreground + pid-file=/tmp/dns-$RANDOM.$RANDOM.$RANDOM + no-hosts + no-resolv + port=$port + interface=lo + bind-interfaces + DNSCONF + add_cleanup "cleanup_firewall" + if ! dnsmasq --test --conf-file "$DNSMASQ_CONF" &> "${DNSMASQ_CONF}.tmp"; then + cat "${DNSMASQ_CONF}.tmp" >> "${DNSMASQ_CONF}" + rm -f -- "${DNSMASQ_CONF}.tmp" + slxlog -s -d "virt-firewall" "Invalid dnsmasq.conf was generated" "$DNSMASQ_CONF" + return 1 + fi + # All seems well, launch for real + run_dnsmasq_fw "$port" + add_cleanup "cleanup_firewall" + fi return 0 } +run_dnsmasq_fw () { + ( + trap 'exit 0' INT TERM + trap 'kill "$dnspid"' EXIT + while [ -s "$DNSMASQ_CONF" ]; do + dnsmasq --conf-file "$DNSMASQ_CONF" & + dnspid=$! + wait "$dnspid" + done + ) & + declare -rg DNSMASQ_PID=$! +} + +cleanup_firewall () { + rm -f -- "$DNSMASQ_CONF" + kill "$DNSMASQ_PID" + writelog "Killed dnsmasq" +} + ## MAIN ## # Sanity checks if check_dep slxfwtool; then 
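Review bot: The free-port loop in setup_firewall greps for `:$port\\s` while `port` is still empty, so the in-use check never matches and the first random candidate is always accepted; the grep should test the candidate, `( netstat -tuln || ss -tuln ) | grep -qP ":$try\\s" && continue`. `add_cleanup "cleanup_firewall"` is registered twice (before `dnsmasq --test` and again after `run_dnsmasq_fw`), and on the `--test` failure path `DNSMASQ_PID` is never set, so `cleanup_firewall` ends up running `kill ""`; keeping only the second registration, or guarding with `[ -n "${DNSMASQ_PID:-}" ] && kill "$DNSMASQ_PID"`, avoids that. The respawn loop in run_dnsmasq_fw has no delay, so if dnsmasq exits immediately (for instance because the port was taken between the check and the start) it spins; a `sleep 1` after `wait "$dnspid"` would bound that. The here-doc body and indentation cannot be fully read in this collapsed rendering, so line placement is inferred.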
diff --git a/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall b/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall index 9668c1b1..95776c81 100644 --- a/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall +++ b/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall @@ -8,8 +8,11 @@ RULES="$( mktemp )" AUTORULES="$( mktemp )" REMOTERULES="$( mktemp )" LOGFILE="$( mktemp )" +DNSCFG="$2" # optional, write dnsmasq config here if applicable +DNSPORT="$3" # required if $2 given +[ -z "$DNSPORT" ] && DNSCFG= -readonly RULES AUTORULES REMOTERULES LOGFILE +readonly RULES AUTORULES REMOTERULES LOGFILE DNSCFG DNSPORT [ -n "$RULES" ] || exit 2 @@ -22,7 +25,10 @@ trap 'rm -f -- "$RULES" "$AUTORULES" "$REMOTERULES" "$LOGFILE"' EXIT . /opt/openslx/config +declare -rg DNS_IPT_FILE="/opt/openslx/iptables/rules.d/00-dnsblock" + # Create/reset all our chains +rm -f -- "$DNS_IPT_FILE" if ! ( set -e for TOOL in iptables ip6tables; do @@ -87,8 +93,11 @@ add_ips () { done } +# get all DNS servers in use +dnslist="$( ( echo "$SLX_DNS"; awk '$1 == "nameserver" {print $2}' /etc/resolv.conf ) | sort -u )" + # Auto-allow important servers from config -add_ips "OUT" "$SLX_DNS" 53 "ACCEPT" +add_ips "OUT" "$dnslist" 53 "ACCEPT" add_ips "OUT" "$SLX_DNBD3_SERVERS" 5003 "ACCEPT" add_ips "OUT" "$SLX_DNBD3_FALLBACK" 5003 "ACCEPT" add_ips "OUT" "$SLX_KCL_SERVERS $SLX_PXE_SERVER_IP" 0 "ACCEPT" 
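Review bot: `DNSPORT="$3"` is only tested for emptiness on the following line, yet it is later interpolated into the `--to-port` REDIRECT rules written for iptables in a later hunk and is the port the caller tells dnsmasq to listen on; a non-numeric or out-of-range argument would yield a rules file that fails to load. Tightening the guard to `[[ $DNSPORT =~ ^[0-9]{1,5}$ ]] || DNSCFG=` keeps the DNS path disabled unless a plausible port was passed, which matches the "optional, write dnsmasq config here if applicable" intent of the comment on `DNSCFG`. A one-line comment above `dnslist=` in the third hunk saying that the list is also what dnsmasq will forward to, not only what is allow-listed on port 53, would make the later reuse less surprising.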
@@ -148,12 +157,19 @@ fi # Download OK, append to rules cat "${REMOTERULES}" >> "${RULES}" +# Determine if we have dnsmasq as we need to know this while setting up iptables rules +dnsmasq= +if [ -n "$DNSCFG" ] && [ -f "$DNSCFG" ] && [ -n "$dnslist" ]; then + dnsmasq="$( which dnsmasq || command -v dnsmasq )" +fi +declare -rg ILLEGAL_DNS='[?@:*/ ]' declare -rg V4='^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\.?\b){4}(/[0-9]+)?$' # https://stackoverflow.com/a/17871737 declare -rg V6='^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(/[0-9]+)?$' if ! ( declare -a IPLINE1 IPLINE2 IPLINE2with + blockall= while read -r DIR DEST PORT ACTION _ || [ -n "$DIR" ]; do if [[ -z "$DEST" || -z "$PORT" || -z "$ACTION" ]]; then # Should this be a hard error? 
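Review bot: `ILLEGAL_DNS='[?@:*/ ]'` is a deny-list, and a DEST value that passes it is written raw into dnsmasq `address=/…/` and `server=/…/` directives in the next hunk; this file itself relies on `#` having a special meaning there (`address=/#/` as the match-all default), and other non-hostname characters are not in the checked set either. A positive hostname pattern is easier to reason about, e.g. `declare -rg HOSTNAME_RE='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'` with the later test becoming `elif ! [[ $DEST =~ $HOSTNAME_RE ]] && [ "$DEST" != '*' ]; then`. Separately, `$( which dnsmasq || command -v dnsmasq )` can be just `$( command -v dnsmasq )`: `which` is an external tool that may be absent and prints a diagnostic on failure, while `command -v` is the portable check.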
@@ -186,9 +202,41 @@ if ! (
 IPLINE2+=( "-j" "$ACTION" )
 IPLINE2with=( "${IPLINE2[@]}" )
 [ "$ACTION" = "REJECT" ] && IPLINE2with+=( "--reject-with" "tcp-reset" )
- # IPv6?
- if ! [[ $DEST =~ $V4 ]]; then
- # NOT v4 style, so it's v6 or DNS
+ both=
+ # See if it's a hostname potentially
+ if ! [[ $DEST =~ $V6 || $DEST =~ $V4 ]]; then
+ if [ "$DIR" != OUT ] || [ -z "$dnsmasq" ] || [ "$PORT" != 0 ]; then
+ both=1 # Not outgoing, dnsmasq not found, or specific port - cannot do on DNS level
+ elif [[ $DEST =~ $ILLEGAL_DNS ]] && [ "$DEST" != '*' ]; then
+ both=1 # Not a legal hostname and not wildcard (default rule)
+ else
+ # Can do via DNS :-)
+ if [ "$ACTION" != "ACCEPT" ]; then
+ # BLOCK
+ if [ "$DEST" = "*" ]; then
+ # Special case: '*' - default rule, so BLOCK -> no default servers
+ [ -z "$blockall" ] && blockall=1
+ else
+ # A host - map to 0.0.0.0
+ for dnsip in $dnslist; do
+ echo "address=/$DEST/"
+ done >> "$DNSCFG"
+ fi
+ else
+ # ACCEPT
+ if [ "$DEST" = "*" ]; then
+ # Special case: '*' - degault rule, so ACCEPT -> default servers
+ [ -z "$blockall" ] && blockall=0
+ else
+ # specifically map to out DNS servers
+ for dnsip in $dnslist; do
+ echo "server=/$DEST/$dnsip"
+ done >> "$DNSCFG"
+ fi
+ fi
+ fi
+ fi
+ if [ -n "$both" ] || [[ $DEST =~ $V6 ]]; then # IPv6?
 if [ "$PORT" = 0 ]; then
 [ "$ACTION" = "REJECT" ] && ip6tables "${IPLINE1[@]}" -p tcp "${IPLINE2with[@]}"
 ip6tables "${IPLINE1[@]}" "${IPLINE2[@]}"
@@ -197,9 +245,7 @@ if ! (
 ip6tables "${IPLINE1[@]}" -p udp "${IPLINE2[@]}"
 fi
 fi
- # IPv4
- if ! [[ $DEST =~ $V6 ]]; then
- # NOT v6 style, so it's v4 or DNS
+ if [ -n "$both" ] || [[ $DEST =~ $V4 ]]; then # IPv4
 if [ "$PORT" = 0 ]; then
 [ "$ACTION" = "REJECT" ] && iptables "${IPLINE1[@]}" -p tcp "${IPLINE2with[@]}"
 iptables "${IPLINE1[@]}" "${IPLINE2[@]}"
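Review bot: In the BLOCK branch the `for dnsip in $dnslist` loop never uses `dnsip` and appends the identical `address=/$DEST/` line once per upstream server, so it can be a single `echo "address=/$DEST/" >> "$DNSCFG"`. The two comments on the ACCEPT side read "degault rule" and "map to out DNS servers" (default / our). A short comment above `both=` would help readers of the v6 and v4 branches that follow, including the one in the second hunk: `# both: also install iptables rules; set when the entry cannot be handled at the DNS level`.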
@@ -207,8 +253,44 @@ if ! ( iptables "${IPLINE1[@]}" -p tcp "${IPLINE2with[@]}" iptables "${IPLINE1[@]}" -p udp "${IPLINE2[@]}" fi + else fi done < "$RULES" + if [ -s "$DNSCFG" ]; then + # Try to disable DoH + echo "address=/use-application-dns.net/" >> "$DNSCFG" # firefox + # Block known servers from https://github.com/curl/curl/wiki/DNS-over-HTTPS + # Copy table only, run + # grep -oP '(?<=https://)\S+(?=/)' /tmp/doh.html | sort -u + # to get list, then translate to IP addresses: + # for ...; do host "$i" | grep -oP '(?<= address ).*' | sort -u + # (then check for invalid/private addresses) + for DEST in $( cat /opt/openslx/vmchooser/data/doh-servers ); do + if [[ $DEST =~ $V6 ]]; then + ip6tables -w -I runvirt-INPUT 1 -d "$DEST" -p tcp --dport 443 \ + -j REJECT --reject-with tcp-reset + else + iptables -w -I runvirt-INPUT 1 -d "$DEST" -p tcp --dport 443 \ + -j REJECT --reject-with tcp-reset + fi + done + # Handle dns default rule + if [ "$blockall" = 1 ]; then + echo "address=/#/" >> "$DNSCFG" + else + for dnsip in $dnslist; do + echo "server=$dnsip" + done >> "$DNSCFG" + fi + # Redirect UDP:53 to dnsmasq on whatever port + # physdev /sys/class/net/br0/brif/ + cat "$DNS_IPT_FILE" <<-EOF + iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port "$DNSPORT" + iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port "$DNSPORT" + ip6tables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port "$DNSPORT" + ip6tables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port "$DNSPORT" + EOF + fi ); then echo "Setting up one or more firewall rules via iptables failed." exit 8 diff --git a/core/modules/run-virt/module.conf b/core/modules/run-virt/module.conf index b6de1789..c3a5f2b9 100644 --- a/core/modules/run-virt/module.conf +++ b/core/modules/run-virt/module.conf @@ -3,6 +3,7 @@ REQUIRED_MODULES=" iptables " REQUIRED_BINARIES=" + dnsmasq lsusb mcopy pwdaemon 
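Review bot: `cat "$DNS_IPT_FILE" <<-EOF` passes the file as an operand, so cat tries to read it (it was removed earlier with `rm -f`) and the here-doc is discarded; the REDIRECT rules are never written and cat's failure is what the enclosing `if ! (` reports. It should be `cat > "$DNS_IPT_FILE" <<-EOF`. The bare `else` added directly before the context `fi` at the top of the hunk is an empty branch, which bash rejects as a syntax error unless the rendering dropped a command there; remove it or put `:` in the branch. The DoH address list is only rejected on tcp/443; if the goal is to keep resolution on the host resolver, the same addresses on udp/443 (HTTP/3) and tcp/853 (DoT) deserve matching rules or a comment on why they are left out.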
diff --git a/core/modules/run-virt/module.conf.debian b/core/modules/run-virt/module.conf.debian
index 865abfe9..30b2d9c6 100644
--- a/core/modules/run-virt/module.conf.debian
+++ b/core/modules/run-virt/module.conf.debian
@@ -5,6 +5,7 @@ REQUIRED_INSTALLED_PACKAGES="
 xmlstarlet
 "
 REQUIRED_CONTENT_PACKAGES="
+ dnsmasq
 usbutils
 mtools
 xmlstarlet
diff --git a/core/modules/run-virt/module.conf.ubuntu b/core/modules/run-virt/module.conf.ubuntu
index 865abfe9..30b2d9c6 100644
--- a/core/modules/run-virt/module.conf.ubuntu
+++ b/core/modules/run-virt/module.conf.ubuntu
@@ -5,6 +5,7 @@ REQUIRED_INSTALLED_PACKAGES="
 xmlstarlet
 "
 REQUIRED_CONTENT_PACKAGES="
+ dnsmasq
 usbutils
 mtools
 xmlstarlet
-- 
cgit v1.2.3-55-g7522