analyzer: Add CleanBrowsing Detector. Closes #1784 #3254

Merged
mlodic merged 5 commits into intelowlproject:develop from gqvz:cleanbrowsing_dns_detector
Feb 3, 2026

gqvz commented Feb 1, 2026

Description

Add CleanBrowsing DNS Detector

Closes #1784

Type of change

  • New feature (non-breaking change which adds functionality).

Analyzer Output

{
  "report": {
    "malicious": true,
    "observable": "rnicrosoft[dot]com"
  },
  "data_model": null,
  "errors": [],
  "parameters": {}
}

Checklist

  • I have read and understood the rules about how to Contribute to this project
  • The pull request is for the branch develop
  • A new plugin (analyzer, connector, visualizer, playbook, pivot or ingestor) was added or changed, in which case:
    • I strictly followed the documentation "How to create a Plugin"
    • Usage file was updated. A link to the PR to the docs repo has been added as a comment here.
    • Advanced-Usage does not need updating (no optional configuration)
    • I have dumped the configuration from Django Admin using the dumpplugin command and added it in the project as a data migration. ("How to share a plugin with the community")
    • No file analyzer was added
    • If you created a new analyzer and it is free (does not require any API key), please add it in the FREE_TO_USE_ANALYZERS playbook by following this guide.
    • Check if it could make sense to add that analyzer/connector to other freely available playbooks.
    • I have provided the resulting raw JSON of a finished analysis and a screenshot of the results.
    • If the plugin interacts with an external service, I have created an attribute called precisely url that contains this information. This is required for Health Checks (HEAD HTTP requests).
    • If a new analyzer has been added, I have created a unittest for it in the appropriate dir. I have also mocked all the external calls, so that no real calls are being made while testing.
    • I have added that raw JSON sample to the get_mocker_response() method of the unittest class. This serves us to provide a valid sample for testing.
    • I have created the corresponding DataModel for the new analyzer following the documentation
  • I have inserted the copyright banner at the start of the file: # This file is a part of IntelOwl https://github.com/intelowlproject/IntelOwl # See the file 'LICENSE' for copying permission.
  • Please avoid adding new libraries as requirements whenever it is possible. Use new libraries only if strictly needed to solve the issue you are working for. In case of doubt, ask a maintainer permission to use a specific library.
  • No external libraries/packages were added.
  • Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
    ^ I'll be doing this (again)
  • I have added tests for the feature/bug I solved (see tests folder). All the tests (new and old ones) gave 0 errors.
  • No GUI edits were made
  • After you had submitted the PR, if DeepSource, Django Doctors or other third-party linters have triggered any alerts during the CI checks, I have solved those alerts.

gqvz commented Feb 1, 2026

Two questions I have before this can be merged:

1. "I have added that raw JSON sample to the get_mocker_response() method of the unittest class. This serves us to provide a valid sample for testing"

   What JSON output should I put there, since the CleanBrowsing API responds with binary data?

2. "I have created the corresponding DataModel for the new analyzer following the documentation"

   Is there a data model required? I tried to do exactly what the Cloudflare Malicious detector analyzer does and couldn't find any data model for that, but I just wanted to confirm.

gqvz force-pushed the cleanbrowsing_dns_detector branch from 3c1977a to a4bc2ab on February 2, 2026 03:41
gqvz marked this pull request as ready for review February 2, 2026 04:02
Copilot AI review requested due to automatic review settings February 2, 2026 04:02

gqvz commented Feb 2, 2026

Doc update: intelowlproject/docs#49

Copilot AI left a comment

Pull request overview

This pull request adds a new CleanBrowsing DNS malicious detector analyzer that checks if domains are reported as malicious by querying CleanBrowsing's DNS-over-HTTPS security filter endpoint. The implementation follows the established pattern of other DNS malicious detectors in the codebase (e.g., Cloudflare, DNS4EU) and uses POST requests to send DNS queries in wire format.

Changes:

  • Added CleanBrowsingMaliciousDetector analyzer that detects blocked domains by checking for CleanBrowsing-specific SOA records in DNS authority sections
  • Created comprehensive unit tests with proper DNS response mocking
  • Added analyzer configuration migration and playbook integration for FREE_TO_USE_ANALYZERS and Dns playbooks

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| api_app/analyzers_manager/observable_analyzers/dns/dns_malicious_detectors/cleanbrowsing_malicious_detector.py | Main analyzer implementation using DoH POST method to query CleanBrowsing security filter |
| tests/api_app/analyzers_manager/unit_tests/observable_analyzers/test_cleanbrowsing_malicious_detector.py | Unit test with mocked DNS response including NXDOMAIN and SOA records |
| api_app/analyzers_manager/migrations/0175_analyzer_config_cleanbrowsing_malicious_detector.py | Django migration to add analyzer configuration to database |
| api_app/playbooks_manager/migrations/0062_add_cleanbrowsing_to_free_to_use.py | Django migration to add analyzer to FREE_TO_USE_ANALYZERS and Dns playbooks |
| tests/api_app/playbooks_manager/test_views.py | Updated playbook test to include new analyzer in expected list |
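
The check described in the overview above (a marker SOA record in the authority section of a wire-format DoH reply), sketched as an added example that is not the PR's code. `BLOCK_SOA_MNAME`, the choice to match on the SOA MNAME together with an NXDOMAIN rcode, and every function name are assumptions; the reply is constructed in-process, which is also one way to mock a binary DNS response in a unit test.

```python
import struct
# Assumption: placeholder value; the SOA name CleanBrowsing actually returns is not on this page.
BLOCK_SOA_MNAME = "blocked.filter.example"

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\x00"

def build_query(domain, qtype=1):
    """Wire-format query body for a DoH POST (ID 0, RD set, one question)."""
    return struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0) + encode_name(domain) + struct.pack("!HH", qtype, 1)

def read_name(msg, pos):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    for _ in range(128):  # bounded, so a pointer loop cannot hang the parser
        length = msg[pos]
        if length == 0:
            return ".".join(labels), end or pos + 1
        if (length & 0xC0) == 0xC0:  # compression pointer
            end = end or pos + 2
            pos = struct.unpack_from("!H", msg, pos)[0] & 0x3FFF
        else:
            labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
            pos += 1 + length
    raise ValueError("name too long or compression loop")

def is_blocked(msg):
    """True if rcode is NXDOMAIN and an authority-section SOA carries the marker."""
    _, flags, qd, an, ns, _ = struct.unpack_from("!6H", msg, 0)
    pos = 12
    for _ in range(qd):
        pos = read_name(msg, pos)[1] + 4  # skip QTYPE and QCLASS
    for i in range(an + ns):
        _, pos = read_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        if i >= an and rtype == 6 and (flags & 0xF) == 3:  # SOA, authority, NXDOMAIN
            if read_name(msg, pos)[0].lower() == BLOCK_SOA_MNAME:
                return True
        pos += rdlen
    return False

def sample_response(domain, mname):
    """Constructed NXDOMAIN reply with one authority SOA (test fixture, not captured traffic)."""
    rdata = encode_name(mname) + encode_name("hostmaster." + mname) + struct.pack("!5I", 1, 3600, 600, 86400, 60)
    soa = b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 60, len(rdata)) + rdata  # owner points at question name
    header = struct.pack("!6H", 0, 0x8183, 1, 0, 1, 0)  # response, rcode 3, one authority RR
    return header + encode_name(domain) + struct.pack("!HH", 1, 1) + soa
```
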

…us_detectors/cleanbrowsing_malicious_detector.py

Co-authored-by: Copilot <[email protected]>
Copilot AI review requested due to automatic review settings February 2, 2026 13:40

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

…us_detectors/cleanbrowsing_malicious_detector.py

Co-authored-by: Copilot <[email protected]>
Copilot AI review requested due to automatic review settings February 2, 2026 13:44

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@mlodic mlodic left a comment

good job, just minors

mlodic commented Feb 2, 2026

about your questions, you are fine, just please re-run the analyzer after the requested changes and show the visualizer result

@gqvz gqvz requested a review from mlodic February 2, 2026 15:36
gqvz commented Feb 3, 2026

Is there anything else? Can I start working on other issues?

@mlodic mlodic merged commit 1937fb2 into intelowlproject:develop Feb 3, 2026
9 checks passed
mlodic commented Feb 3, 2026

yep sure!
