[dns-operations] need ideas for selective proxying to defeat the economic poison pill built into DOH
John Todd
jtodd at quad9.net
Thu May 23 16:08:08 UTC 2019
On 16 May 2019, at 12:47, m3047 wrote:
> In my opinion practical cybersecurity has been stagnant for a while (I
> can speculate why as well as anyone). Seems to me the obvious response
> is that netflow analysis makes it to the firewall:
>
> Don't allow connections/traffic from an endpoint to any address unless
> a corresponding DNS response has been sent to that endpoint containing
> the address.
>
> I can do this today if I want, from my dirt road off the internet. I
> can get the DNS information with DNSTap and update IPTables
> accordingly. Any gaps in the technology or scalability can be
> iterated. Seems like a good complement to technologies such as
> fail2ban. Doesn't seem particularly earthshaking. I wouldn't be
> surprised to learn there's a project out there offering this; if
> there's not, let me know if you start one.
>
> --
>
> Fred Morris
We had started a pfSense module for proof of concept to do just this -
no connections without seeing A/AAAA from upstream resolver. It was a
paid project, and it didn’t quite get off the ground. Here’s the
rough description:
https://forum.netgate.com/topic/116894/dns-validation-firewall-ruleset-10000
The project was started, was delayed, and due to time evaporation the
code which was delivered as-written was not tested (probably with many
bugs). If anyone wants to pick it up, I’m happy to check it in to
GitHub and let people start to do something useful with it; the intent
was to open-source it. No time here to work on interesting side projects
like this.
Since pfSense has a DNS forwarder as well as firewall, it was the ideal
starter platform for this kind of test. I’m interested in how much
stuff breaks that doesn’t use DNS at all.
To answer some other questions: it delays DNS replies until pf rules are
installed. It has client, domain, ip whitelists. It has two modes:
strict and loose - strict means anyone who receives the A/AAAA record
creates a rule for just themselves; loose means the open filter rule
gets applied for all LAN addresses.
JT
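As an added illustration of the mechanism discussed in this thread (not Fred Morris's tooling and not the pfSense module John Todd describes), the following Python models a DNS-gated egress policy: an A/AAAA answer handed to a client installs a time-limited allow entry before the reply is released, and a connection is permitted only if a matching entry exists. The `strict`/`loose` modes, the client/domain/IP whitelists and the "delay the reply until the rule exists" ordering follow the post; the class and function names, the pf-style rule text returned, the sample reply events and the interpretation that a whitelisted domain opens its answers for the whole LAN are all assumptions made for this example.

```python
"""DNS-gated egress policy engine (constructed example, not the pfSense module).

A LAN client may only reach an address that was recently returned to it in an
A/AAAA answer. Modes, following the post:
  strict - only the client that received the answer gets the allow entry
  loose  - any LAN client may use the address once one client resolved it
Client, domain and IP whitelists bypass the gate. Entries expire with the TTL.
"""
import ipaddress
import time


class DnsGatedEgress:
    def __init__(self, mode="strict", client_whitelist=(), domain_whitelist=(),
                 ip_whitelist=()):
        if mode not in ("strict", "loose"):
            raise ValueError("mode must be 'strict' or 'loose'")
        self.mode = mode
        self.client_whitelist = {ipaddress.ip_address(c) for c in client_whitelist}
        self.domain_whitelist = {d.lower().rstrip(".") for d in domain_whitelist}
        self.ip_whitelist = [ipaddress.ip_network(n, strict=False) for n in ip_whitelist]
        self._allowed = {}  # (client-or-"*", destination address) -> expiry time

    def _name_whitelisted(self, qname):
        name = qname.lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in self.domain_whitelist)

    def observe_answer(self, client, qname, rtype, rdata, ttl, now=None):
        """Called for each answer RR the resolver is about to return to `client`
        (in a real deployment this would be fed from dnstap or the forwarder).
        Returns the rule to install before the reply is released, or None."""
        if rtype not in ("A", "AAAA"):
            return None
        now = time.time() if now is None else now
        src = ipaddress.ip_address(client)
        dst = ipaddress.ip_address(rdata)
        # Loose mode, or a whitelisted name (assumption), opens the address LAN-wide.
        subject = "*" if self.mode == "loose" or self._name_whitelisted(qname) else str(src)
        key = (subject, dst)
        self._allowed[key] = max(self._allowed.get(key, 0), now + ttl)
        who = "any" if subject == "*" else subject
        return f"pass out quick from {who} to {dst}"  # illustrative pf-style text

    def _expire(self, now):
        for key in [k for k, exp in self._allowed.items() if exp <= now]:
            del self._allowed[key]

    def is_allowed(self, client, dst, now=None):
        """Decision for a new connection from `client` to `dst`."""
        now = time.time() if now is None else now
        src = ipaddress.ip_address(client)
        dst = ipaddress.ip_address(dst)
        if src in self.client_whitelist:
            return True
        if any(dst in net for net in self.ip_whitelist):
            return True
        self._expire(now)
        return (str(src), dst) in self._allowed or ("*", dst) in self._allowed


def gate_reply(policy, client, rrset, now):
    """Install rules for every A/AAAA in the reply, then hand back the reply;
    the caller forwards it to the client only after the rules are in place."""
    rules = [r for r in (policy.observe_answer(client, *rr, now=now) for rr in rrset) if r]
    return rules, rrset


# Constructed sample replies: (client, time, [(qname, rtype, rdata, ttl), ...])
SAMPLE_REPLIES = [
    ("192.0.2.10", 1000.0, [("www.example.com.", "A", "198.51.100.7", 300),
                            ("www.example.com.", "AAAA", "2001:db8::7", 300)]),
    ("192.0.2.11", 1000.0, [("example.org.", "MX", "mx.example.org.", 3600)]),
]


def build(mode):
    """Policy fed with the sample replies; whitelists are constructed values."""
    policy = DnsGatedEgress(mode=mode, ip_whitelist=["203.0.113.0/24"],
                            domain_whitelist=["ntp.example.net"])
    for client, when, rrset in SAMPLE_REPLIES:
        gate_reply(policy, client, rrset, when)
    return policy


if __name__ == "__main__":
    strict, loose = build("strict"), build("loose")
    print("strict, resolving client :", strict.is_allowed("192.0.2.10", "198.51.100.7", now=1100))
    print("strict, other client     :", strict.is_allowed("192.0.2.11", "198.51.100.7", now=1100))
    print("loose, other client      :", loose.is_allowed("192.0.2.11", "198.51.100.7", now=1100))
    print("strict, after TTL expiry :", strict.is_allowed("192.0.2.10", "198.51.100.7", now=1301))
```

The `MX` record in the sample installs nothing, which is the point of keying only on A/AAAA: the gate tracks addresses a client was actually told about, and entries lapse with the TTL so stale addresses do not stay open. The "how much breaks that doesn't use DNS at all" question from the post shows up here as every destination that never appears in an answer and is not in the IP whitelist being denied.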