Hi Bortzmeyer, there are still some issues with:

> Any 50 US $ OpenWRT router can do it (iptables accepts domain names).
>
> % sudo iptables -A OUTPUT -d www.example.com -j DROP
> % sudo iptables -n -v -L OUTPUT
> Chain OUTPUT (policy ACCEPT 184 packets, 22306 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       all  --  *      *       0.0.0.0/0            93.184.216.34

First, these rules are still bypassed by the client. Below I have two commands, ping and dig. With the ping command the IP address is different: when the dig command is run for the domain facebook.com, the answer is a different IP address.

    ****@ubuntu:~$ ping facebook.com
    PING facebook.com (157.240.1.35) 56(84) bytes of data.
    64 bytes from edge-star-mini-shv-01-lht6.facebook.com (157.240.1.35): icmp_seq=1 ttl=50 time=148 ms
    64 bytes from edge-star-mini-shv-01-lht6.facebook.com (157.240.1.35): icmp_seq=2 ttl=50 time=149 ms
    64 bytes from edge-star-mini-shv-01-lht6.facebook.com (157.240.1.35): icmp_seq=3 ttl=50 time=148 ms
    ^C
    --- facebook.com ping statistics ---
    11 packets transmitted, 11 received, 0% packet loss, time 10010ms
    rtt min/avg/max/mdev = 148.903/148.997/149.096/0.372 ms

[The dig command]

    ****@ubuntu:~$ dig facebook.com A

    ; <<>> DiG 9.9.5-3ubuntu0.16-Ubuntu <<>> facebook.com A
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62852
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;facebook.com.                  IN      A

    ;; ANSWER SECTION:
    facebook.com.           212     IN      A       185.60.216.35

    ;; Query time: 41 msec
    ;; SERVER: 127.0.1.1#53(127.0.1.1)
    ;; WHEN: Thu Dec 21 11:28:46 PST 2017
    ;; MSG SIZE  rcvd: 57

Also, even if all this is kept aside for the time being, what about all those IP addresses or IPv6 addresses that are configured on any network security component, such as the firewall in my use case? One still needs to resolve the corresponding IP address if rules are based on an IPv6 address, or the IPv6 address if rules are based on an IP address.

On Thu, Dec 21, 2017 at 9:29 PM, Stephane Bortzmeyer <[email protected]> wrote:

> On Tue, Dec 19, 2017 at 02:58:57PM +0500,
>  Tariq Saraj <[email protected]> wrote
>  a message of 1158 lines which said:
>
> > using a firewall based on domain names can be simply bypassed by
> > accessing websites through IP address.
>
> No, no, this is absolutely not what I was talking about. Instead, I
> referred to:
>
> > Second, there are some firewalls such as Cisco and Kaspersky that handle
> > this situation when someone configure a firewall rule based on domain name,
> > it automatically resolves the IPv4 and IPv6 addresses for that domain and
> > update the firewall rules so that it cannot be bypassed through accessing a
> > server through IP based.
>
> Exactly.
>
> > But, these are highly expensive firewalls and normally not
> > affordable for every organization.
>
> Any 50 US $ OpenWRT router can do it (iptables accepts domain names).
>
> % sudo iptables -A OUTPUT -d www.example.com -j DROP
> % sudo iptables -n -v -L OUTPUT
> Chain OUTPUT (policy ACCEPT 184 packets, 22306 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       all  --  *      *       0.0.0.0/0            93.184.216.34

-- 
Regards
Tariq Saraj
Riphah Institute of Systems Engineering, Islamabad
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
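The bypass Tariq describes above comes from the fact that `iptables -A OUTPUT -d www.example.com -j DROP` resolves the name once, when the rule is inserted, and stores only the addresses returned at that moment; a name behind a CDN that answers with a different address on the next query (as the ping and dig outputs show) is not covered. The script below is an added example, not code from either poster or from the iptables or ipset projects. It models that gap with constructed DNS answers for two points in time, then prints (without executing) the ipset/iptables/ip6tables commands that block every A and AAAA record known at refresh time, so both address families are covered. The `lookup` function, the two snapshots `t0`/`t1`, the IPv6 addresses and the set names are assumptions made so the script runs offline; in production `lookup` would be `dig +short "$name" "$rrtype"` and the script would run from cron. One caveat the thread itself illustrates: the firewall only learns the addresses its own resolver is told, so a client that gets a different CDN answer from a different resolver can still reach an address the set has not yet seen.

```shell
#!/bin/sh
# Added example (not from the thread). Models why a rule inserted with
# `iptables -d NAME` misses addresses a CDN hands out later, and prints
# the ipset-based rules that cover every A and AAAA record instead.

# lookup TIME NAME RRTYPE
# Constructed stand-in for `dig +short NAME RRTYPE` at two points in time.
# The IPv4 values come from the dig/ping outputs in the thread; the IPv6
# values are made-up sample addresses, not real resolution data.
lookup() {
    case "$1,$3" in
        t0,A)    printf '%s\n' 157.240.1.35 ;;
        t1,A)    printf '%s\n' 185.60.216.35 157.240.1.35 ;;
        t0,AAAA) printf '%s\n' 2a03:2880:f10e:83::1 ;;   # constructed
        t1,AAAA) printf '%s\n' 2a03:2880:f12f:83::1 ;;   # constructed
        *)       : ;;
    esac
}

# newly_seen TIME_OLD TIME_NEW NAME
# Addresses a rule inserted at TIME_OLD would not block when the client
# resolves NAME at TIME_NEW (one line per address, both families).
newly_seen() {
    old=$(lookup "$1" "$3" A; lookup "$1" "$3" AAAA)
    for a in $(lookup "$2" "$3" A; lookup "$2" "$3" AAAA); do
        printf '%s\n' "$old" | grep -qxF "$a" || printf '%s\n' "$a"
    done
}

# gen_rules TIME NAME
# Print the commands that block every A and AAAA record of NAME as
# known at TIME. Only prints; nothing here touches the running firewall.
# ipset set names must be a single token, so dots become underscores.
gen_rules() {
    name=$2
    tag=$(printf '%s' "$name" | tr . _)
    v4="blk_${tag}_v4"; v6="blk_${tag}_v6"
    echo "ipset create -exist $v4 hash:ip family inet"
    echo "ipset create -exist $v6 hash:ip family inet6"
    for a in $(lookup "$1" "$name" A);    do echo "ipset add -exist $v4 $a"; done
    for a in $(lookup "$1" "$name" AAAA); do echo "ipset add -exist $v6 $a"; done
    # -C checks whether the rule exists so a cron refresh does not append
    # duplicates; the DROP rule references the set, so refreshing the set
    # contents needs no change to the iptables rule itself.
    echo "iptables  -C OUTPUT -m set --match-set $v4 dst -j DROP 2>/dev/null || iptables  -A OUTPUT -m set --match-set $v4 dst -j DROP"
    echo "ip6tables -C OUTPUT -m set --match-set $v6 dst -j DROP 2>/dev/null || ip6tables -A OUTPUT -m set --match-set $v6 dst -j DROP"
}

echo "# addresses a rule inserted at t0 misses when the client resolves at t1:"
newly_seen t0 t1 facebook.com
echo "# rules covering everything known at t1:"
gen_rules t1 facebook.com
```

Running the script prints the two addresses (one IPv4, one IPv6) that a rule inserted at `t0` would let through, followed by the six ipset/iptables lines for the `t1` snapshot. Feeding the `gen_rules` output to `sh` on a router with the ipset kernel modules loaded applies it; re-running from cron keeps the sets current as the CDN's answers change.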
