[dns-operations] need ideas for selective proxying to defeat the economic poison pill built into DOH

John Todd jtodd at quad9.net
Thu May 23 16:08:08 UTC 2019


On 16 May 2019, at 12:47, m3047 wrote:

> In my opinion practical cybersecurity has been stagnant for a while (I 
> can speculate why as well as anyone). Seems to me the obvious response 
> is that netflow analysis makes it to the firewall:
>
> Don't allow connections/traffic from an endpoint to any address unless 
> a corresponding DNS response has been sent to that endpoint containing 
> the address.
>
> I can do this today if I want, from my dirt road off the internet. I 
> can get the DNS information with DNSTap and update IPTables 
> accordingly. Any gaps in the technology or scalability can be 
> iterated. Seems like a good complement to technologies such as 
> fail2ban. Doesn't seem particularly earthshaking. I wouldn't be 
> surprised to learn there's a project out there offering this; if 
> there's not, let me know if you start one.
>
> --
>
> Fred Morris


We had started a pfSense module for proof of concept to do just this - 
no connections without seeing A/AAAA from upstream resolver. It was a 
paid project, and it didn’t quite get off the ground. Here’s the 
rough description:

https://forum.netgate.com/topic/116894/dns-validation-firewall-ruleset-10000

The project was started, was delayed, and due to time evaporation the 
code which was delivered as-written was not tested (probably with many 
bugs.)  If anyone wants to pick it up, I’m happy to check it in to 
github and let people start to do something useful with it; the intent 
was to open-source it. No time here to work on interesting side projects 
like this.

Since pfSense has a DNS forwarder as well as firewall, it was the ideal 
starter platform for this kind of test. I’m interested in how much 
stuff breaks that doesn’t use DNS at all.

To answer some other questions: it delays DNS replies until pf rules are 
installed. It has client, domain, ip whitelists. It has two modes: 
strict and loose - strict means anyone who receives the A/AAAA record 
creates a rule for just themselves; loose means the open filter rule 
gets applied for all LAN addresses.

JT
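The mechanism both posts describe (addresses seen in DNS answers become firewall rules, per receiving client in strict mode or LAN-wide in loose mode, with client, domain and IP whitelists and rules that lapse with the TTL) as an added Python simulation. It is not code from this thread or from the pfSense module JT mentions; the names DnsGate, Observation and simulate, the whitelist semantics (whitelisted domains get LAN-wide rules even in strict mode), the iptables-style rule text and the sample records are all constructed for this example, and nothing is applied to a real firewall.

```python
"""Added example (not the thread's or the pfSense module's code): a DNS-gated
egress policy. Address records from DNS replies, as a dnstap feed or forwarder
hook would deliver them, become time-limited allow rules. Rules are emitted as
iptables-style strings for readability only."""
from dataclasses import dataclass
import ipaddress
import time


@dataclass(frozen=True)
class Observation:
    """One resource record from a DNS reply delivered to a LAN endpoint."""
    client: str  # endpoint that received the reply
    qname: str   # owner name of the record
    rtype: str   # "A"/"AAAA" open a hole; anything else is ignored
    rdata: str   # the address for A/AAAA
    ttl: int     # lifetime of the derived rule, in seconds


class DnsGate:
    def __init__(self, mode="strict", lan=("192.168.1.0/24",),
                 client_whitelist=(), domain_whitelist=(), ip_whitelist=()):
        if mode not in ("strict", "loose"):
            raise ValueError("mode must be 'strict' or 'loose'")
        self.mode = mode
        self.lans = [ipaddress.ip_network(n) for n in lan]
        self.client_whitelist = {ipaddress.ip_address(c) for c in client_whitelist}
        self.domain_whitelist = tuple(d.lower().rstrip(".") for d in domain_whitelist)
        self.ip_whitelist = [ipaddress.ip_network(n) for n in ip_whitelist]
        self._rules = {}  # (source host or network, destination host) -> expiry

    def _domain_whitelisted(self, qname):
        q = qname.lower().rstrip(".")
        return any(q == d or q.endswith("." + d) for d in self.domain_whitelist)

    def _lan_for(self, dst):
        return next((n for n in self.lans if n.version == dst.version), None)

    def observe(self, obs, now=None):
        """Turn one DNS record into a rule; returns the rule text or None.
        A forwarder would release the reply only after this returns, so the
        client never holds an address it cannot yet reach."""
        now = time.time() if now is None else now
        if obs.rtype not in ("A", "AAAA"):
            return None
        dst = ipaddress.ip_address(obs.rdata)
        if any(dst in net for net in self.ip_whitelist):
            return None  # already reachable without a dynamic rule
        # strict: only the client that saw the answer; loose: the whole LAN.
        # Whitelisted domains are LAN-wide even in strict mode (this example's choice).
        if self.mode == "loose" or self._domain_whitelisted(obs.qname):
            src = self._lan_for(dst)
            if src is None:
                return None  # no LAN of that address family, nothing to allow
        else:
            src = ipaddress.ip_address(obs.client)
        key = (src, dst)
        self._rules[key] = max(self._rules.get(key, 0), now + obs.ttl)
        return f"iptables -A FORWARD -s {src} -d {dst} -j ACCEPT  # {obs.qname} ttl={obs.ttl}"

    def expire(self, now=None):
        """Drop rules whose DNS TTL has run out; returns how many were removed."""
        now = time.time() if now is None else now
        dead = [k for k, exp in self._rules.items() if exp <= now]
        for k in dead:
            del self._rules[k]
        return len(dead)

    def allowed(self, client, dst, now=None):
        """Would the firewall pass a new connection from client to dst right now?"""
        now = time.time() if now is None else now
        client, dst = ipaddress.ip_address(client), ipaddress.ip_address(dst)
        if client in self.client_whitelist or any(dst in n for n in self.ip_whitelist):
            return True
        self.expire(now)
        for src, d in self._rules:
            if d != dst:
                continue
            if isinstance(src, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
                if client in src:
                    return True
            elif src == client:
                return True
        return False


# Constructed feed using documentation address ranges; not captured traffic.
SAMPLE_FEED = [
    Observation("192.168.1.10", "www.example.com.", "A", "203.0.113.10", 300),
    Observation("192.168.1.10", "www.example.com.", "AAAA", "2001:db8::10", 300),
    Observation("192.168.1.11", "example.com.", "MX", "10 mx.example.com.", 3600),
    Observation("192.168.1.12", "updates.example.net.", "A", "198.51.100.5", 60),
]


def simulate(mode, now=1_000_000):
    """Replay the sample feed through a gate and return (gate, emitted rules)."""
    gate = DnsGate(mode=mode, lan=("192.168.1.0/24", "2001:db8:1::/64"),
                   client_whitelist=("192.168.1.1",),   # the gateway itself
                   domain_whitelist=("example.net",),    # shared infrastructure
                   ip_whitelist=("192.168.1.0/24",))     # LAN-local traffic
    rules = [r for r in (gate.observe(o, now) for o in SAMPLE_FEED) if r]
    return gate, rules


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        gate, rules = simulate(mode)
        print(f"--- {mode} ---\n" + "\n".join(rules))
        print("1.11 -> 203.0.113.10:", gate.allowed("192.168.1.11", "203.0.113.10", 1_000_000))
```

Replaying the same four records in both modes shows the difference JT describes: in strict mode only 192.168.1.10 can reach 203.0.113.10 after its own lookup, while in loose mode every LAN address can. The MX record opens nothing, the rule for the 60-second answer disappears before the 300-second ones, and a client with a mismatched address family (an IPv6 client reaching an IPv4 answer it never received) stays blocked, which is the sort of "stuff that doesn't use DNS" breakage JT expects to see.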