On Mon, Mar 22, 2021 at 03:19:00AM +0000, dnsmasqlist2...@rscubed.com wrote:
>
> Hi,
>
> I am trying to do some CNAME filtering but it is not working for me...
>
> I'm picking a random domain that has cascading CNAMEs I am going to try to filter for an example here.
>
> /etc/hosts
> 127.0.0.1 blackhole.inv
>
> For my DNSMasq config I add (some of this may be redundant) the lines below to kill dnsdelegation.io as an example:
>
> cname=*.dnsdelegation.io,blackhole.inv
> cname=dnsdelegation.io,blackhole.inv
> local=/.dnsdelegation.io/
>
> In theory one of the above should set dnsdelegation.io to 127.0.0.1
>
> a domain with cascading CNAMEs:
>
> jwxbwt.theaffordableartcompany.com.au
>
> ---
>
> When I do host I get:
>
> $ host jwxbwt.theaffordableartcompany.com.au
> jwxbwt.theaffordableartcompany.com.au is an alias for dnsdelegation.io.
> dnsdelegation.io is an alias for gum.criteo.com.
> gum.criteo.com is an alias for gum.va1.vip.prod.criteo.com.
> gum.va1.vip.prod.criteo.com has address 74.119.119.139
>
> ---
>
> In DNSMasq Logs I see:
>
> 1 - 192.168.1.3 == DNSMasq request
> 2 - 192.168.1.7 == forwarded to Upstream DNS
> 3 - Returned response containing 4 Replies in one DNS packet
>
> 1 - dnsmasq[26607]: 11 192.168.1.3/57917 query[A] jwxbwt.theaffordableartcompany.com.au from 192.168.1.3
> 2 - dnsmasq[26607]: 11 192.168.1.3/57917 forwarded jwxbwt.theaffordableartcompany.com.au to 192.168.1.7
> 3 - dnsmasq[26607]: 11 192.168.1.3/57917 reply jwxbwt.theaffordableartcompany.com.au is <CNAME>
>     dnsmasq[26607]: 11 192.168.1.3/57917 reply dnsdelegation.io is <CNAME>
>     dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.criteo.com is <CNAME>
>     dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.va1.vip.prod.criteo.com is 74.119.119.139
>
> ---
>
> TCPDump shows upstream DNS returns all replies in 3 above in a single packet
>
> IP x.x.x.x.42759 > 192.168.1.7.53: 29157+ A? jwxbwt.theaffordableartcompany.com.au. (55)
> IP 192.168.1.7.53 > x.x.x.x.42759: 29157 4/0/0 CNAME dnsdelegation.io., CNAME gum.criteo.com., CNAME gum.va1.vip.prod.criteo.com., A 74.119.119.139 (160)
>
> ---
>
> It looks like the filtering is being bypassed because multiple replies are all within a response from the upstream server so dnsdelegation.io is not seen and filtered???
>
> Do I need to do something to get DNSMasq to apply the filters to the responses from the upstream to filter them or is this not currently possible?
>
> I expect if regular companies are doing what we see above the next generation of malicious domains will be using this technique also so we want to get the jump on them and have methods to defend against them in place.
>
> thanks
>
> Matt
>
I wonder if option

  -h, --no-hosts
      Don't read the hostnames in /etc/hosts.

is maybe active.

And the

> cname=*.dnsdelegation.io,blackhole.inv
> cname=dnsdelegation.io,blackhole.inv
> local=/.dnsdelegation.io/

looks odd. Experiment with removing the `local=` line.

Karma points for reporting back.

Greetings
Geert Stappers

P.S. I would have "CNAME filtering" named "CNAME intercepting"
-- 
Silence is hard to parse
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
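As an added example (not code from the thread or from dnsmasq itself): a small Python check that rebuilds the CNAME chain from dnsmasq `reply` log lines like the ones Matt posted and flags queries where a blocked name appeared mid-chain but a real address still reached the client. Serial 11 in the sample log is constructed from the thread's own lines; serial 12, with its `config` and `/etc/hosts` source words, is an invented, correctly intercepted query added for contrast.

```python
import re

# Domains the admin meant to sink (from the thread's local=/.dnsdelegation.io/).
BLOCKED = ("dnsdelegation.io",)
SINKHOLE = {"127.0.0.1", "0.0.0.0", "::"}

# Answer lines as logged with log-queries=extra; the serial ("11") groups the
# answers to one query. Serial 11 is constructed from the thread's own lines;
# serial 12 is an invented, correctly intercepted query for contrast.
LOG = """\
dnsmasq[26607]: 11 192.168.1.3/57917 reply jwxbwt.theaffordableartcompany.com.au is <CNAME>
dnsmasq[26607]: 11 192.168.1.3/57917 reply dnsdelegation.io is <CNAME>
dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.criteo.com is <CNAME>
dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.va1.vip.prod.criteo.com is 74.119.119.139
dnsmasq[26607]: 12 192.168.1.3/57918 config dnsdelegation.io is <CNAME>
dnsmasq[26607]: 12 192.168.1.3/57918 /etc/hosts blackhole.inv is 127.0.0.1
"""

# "<serial> <client/port> <source> <name> is <target>"; query/forwarded lines don't match.
ANSWER_RE = re.compile(r": (?P<serial>\d+) (?P<client>\S+) (?P<src>\S+) (?P<name>\S+) is (?P<target>\S+)$")


def is_blocked(name, blocked=BLOCKED):
    """dnsmasq-style match: the domain itself and every subdomain of it."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in blocked)


def parse_chains(log):
    """Group answer lines by serial into the ordered name chain and the final record."""
    chains = {}
    for line in log.splitlines():
        m = ANSWER_RE.search(line)
        if not m:
            continue
        entry = chains.setdefault(m["serial"], {"client": m["client"], "names": [], "answer": None})
        entry["names"].append(m["name"])  # each "<CNAME>" line is followed by its target's line
        if m["target"] != "<CNAME>":
            entry["answer"] = m["target"]
    return chains


def find_bypasses(log, blocked=BLOCKED):
    """Return {serial: [blocked names]} for queries whose chain touched a blocked
    domain but still handed the client a real (non-sinkhole) address."""
    hits = {}
    for serial, entry in parse_chains(log).items():
        touched = [n for n in entry["names"] if is_blocked(n, blocked)]
        if touched and entry["answer"] not in SINKHOLE:
            hits[serial] = touched
    return hits
```

Running `find_bypasses(LOG)` over the sample reports serial 11 (the upstream chain passed through dnsdelegation.io and still delivered 74.119.119.139) and stays silent on serial 12, which ended at the sinkhole.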