Hi,
I am trying to do some CNAME filtering but it is not working for me...
I'm picking a random domain that has cascading CNAMEs I am going to try to
filter for an example here.
/etc/hosts
127.0.0.1 blackhole.inv
For my DNSMasq config I add (some of this may be redundant) the lines below to
kill dnsdelegation.io as an example :
cname=*.dnsdelegation.io,blackhole.inv
cname=dnsdelegation.io,blackhole.inv
local=/.dnsdelegation.io/
In theory one of the above should set dnsdelegation.io to 127.0.0.1
a domain with cascading CNAMEs :
jwxbwt.theaffordableartcompany.com.au
---
When I do host I get :
$ host jwxbwt.theaffordableartcompany.com.au
jwxbwt.theaffordableartcompany.com.au is an alias for dnsdelegation.io.
dnsdelegation.io is an alias for gum.criteo.com.
gum.criteo.com is an alias for gum.va1.vip.prod.criteo.com.
gum.va1.vip.prod.criteo.com has address 74.119.119.139
---
In DNSMasq Logs I see :
1 - 192.168.1.3 == DNSMasq request
2 - 192.168.1.7 == forwarded to Upstream DNS
3 - Returned reponse containing 4 Replies in one DNS packet
1 - dnsmasq[26607]: 11 192.168.1.3/57917 query[A]
jwxbwt.theaffordableartcompany.com.au from 192.168.1.3
2 - dnsmasq[26607]: 11 192.168.1.3/57917 forwarded
jwxbwt.theaffordableartcompany.com.au to 192.168.1.7
3 - dnsmasq[26607]: 11 192.168.1.3/57917 reply jwxbwt.theaffordableartcompany.com.au
is <CNAME>
dnsmasq[26607]: 11 192.168.1.3/57917 reply dnsdelegation.io is <CNAME>
dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.criteo.com is <CNAME>
dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.va1.vip.prod.criteo.com is
74.119.119.139
---
TCPDump shows upstream DNS returns all replies in 3 above in a single packet
IP x.x.x.x.42759 > 192.168.1.7.53: 29157+ A?
jwxbwt.theaffordableartcompany.com.au. (55)
IP 192.168.1.7.53 > x.x.x.x.42759: 29157 4/0/0 CNAME dnsdelegation.io., CNAME
gum.criteo.com., CNAME gum.va1.vip.prod.criteo.com., A 74.119.119.139 (160)
---
It looks like the filtering is being bypassed because multiple replies are all
within a response from the upstream server so dnsdelegation.io is not seen and
filtered ???
Do I need to do something to get DNSMasq to apply the filters to the responses
from the upstream to filter them or is this not currently possible ?
I expect if regular companies are doing what we see above the next generation of
malicious domains will be using this technique also so we want to get the jump
on them and have methods to defend against them in place.
thanks
Matt
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss