Re: [Dnsmasq-discuss] CNAME filtering

2021-03-22 Thread dnsmasqlist2021



On Mon, 22 Mar 2021, Dominick C. Pastore wrote:


> Ah, so this is similar to a question I had some time ago. In your first email,
> you asked:
>
> > It looks like the filtering is being bypassed because multiple replies are
> > all within a response from

Re: [Dnsmasq-discuss] CNAME filtering

2021-03-22 Thread Geert Stappers via Dnsmasq-discuss
On Mon, Mar 22, 2021 at 06:07:27PM +, dnsmasqlist2...@rscubed.com wrote:
> On Mon, 22 Mar 2021, Geert Stappers via Dnsmasq-discuss wrote:
> > On Mon, Mar 22, 2021 at 03:19:00AM +, dnsmasqlist2...@rscubed.com wrote:
> > > 
> > > I am trying to do some CNAME filtering but it is not working for me...
> > > 
> > 
> > I wonder if option
> > 
> >   -h, --no-hosts
> >  Don't read the hostnames in /etc/hosts.
> > 
> > 
> > is maybe active.
> > 
> > 
> > And the
> > > cname=*.dnsdelegation.io,blackhole.inv
> > > cname=dnsdelegation.io,blackhole.inv
> > > local=/.dnsdelegation.io/
> > looks odd.  Experiment with removing the `local=` line.
> > 
> > 
> 

I'm guessing that previous response has been missed.


Groeten
Geert Stappers
-- 
Silence is hard to parse

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] CNAME filtering

2021-03-22 Thread Dominick C. Pastore
On Mon, Mar 22, 2021, at 2:07 PM, dnsmasqlist2...@rscubed.com wrote:

Re: [Dnsmasq-discuss] CNAME filtering

2021-03-22 Thread dnsmasqlist2021



On Mon, 22 Mar 2021, Geert Stappers via Dnsmasq-discuss wrote:




> I wonder if option
>
>   -h, --no-hosts
>  Don't read the hostnames in /etc/hosts.
>
>
> is maybe active.
>
>
> And the
>
> > cname=*.dnsdelegation.io,blackhole.inv
> > cname=dnsdelegation.io,blackhole.inv
> > local=/.dnsdelegation.io/
>
> looks odd.  Experiment with removing the `local=` line.





If I use www.bestbuy.com as an example I see:

8683 192.168.1.3/34112 query[] www.bestbuy.com from 192.168.1.3
8683 192.168.1.3/34112 forwarded www.bestbuy.com to 192.168.1.7
8682 192.168.1.3/34112 reply www.bestbuy.com is <CNAME>
8682 192.168.1.3/34112 reply www.bestbuy.com.edgekey.net is <CNAME>
8682 192.168.1.3/34112 reply e5816.x.akamaiedge.net is 184.24.144.179

The cname wildcard was added in version 2.77 according to the changelog.
If I add a wildcard cname I see no change in the response; it still resolves:

cname=*.bestbuy.com,blackhole.inv

If I use the direct name www.bestbuy.com

cname=www.bestbuy.com,blackhole.inv

then it works and I get:
$ host www.bestbuy.com
www.bestbuy.com is an alias for blackhole.inv.
blackhole.inv has address 127.0.0.1

But for this example what I want is to make this replied CNAME
www.bestbuy.com.edgekey.net go to blackhole.inv, and neither the desired wildcard
version nor the full name works. www.bestbuy.com still resolves.


Tried these variations of what is in the replies to www.bestbuy.com:

cname=*.edgekey.net,blackhole.inv

cname=www.bestbuy.com.edgekey.net,blackhole.inv

cname=e5816.x.akamaiedge.net,blackhole.inv

cname=*.akamaiedge.net,blackhole.inv

I also tried adding edgekey.net to /etc/hosts and doing

cname=*.edgekey.net,edgekey.net

but this also had no effect on www.bestbuy.com resolving.

I'm guessing it's because these are all in replies that are not looked at???


Matt



Re: [Dnsmasq-discuss] CNAME filtering

2021-03-22 Thread Geert Stappers via Dnsmasq-discuss
On Mon, Mar 22, 2021 at 03:19:00AM +, dnsmasqlist2...@rscubed.com wrote:
> 
> Hi,
> 
> I am trying to do some CNAME filtering but it is not working for me...
> 
> I'm picking a random domain that has cascading CNAMEs I am going to try to
> filter for an example here.
> 
> /etc/hosts
> 127.0.0.1 blackhole.inv
> 
> For my DNSMasq config I add (some of this may be redundant) the lines below
> to kill dnsdelegation.io as an example :
> 
> cname=*.dnsdelegation.io,blackhole.inv
> cname=dnsdelegation.io,blackhole.inv
> local=/.dnsdelegation.io/
> 
> In theory one of the above should set dnsdelegation.io to 127.0.0.1
> 
> a domain with cascading CNAMEs :
> 
> jwxbwt.theaffordableartcompany.com.au
> 
> ---
> 
> When I do host I get :
> 
> $ host jwxbwt.theaffordableartcompany.com.au
> jwxbwt.theaffordableartcompany.com.au is an alias for dnsdelegation.io.
> dnsdelegation.io is an alias for gum.criteo.com.
> gum.criteo.com is an alias for gum.va1.vip.prod.criteo.com.
> gum.va1.vip.prod.criteo.com has address 74.119.119.139
> 
> ---
> 
> In DNSMasq Logs I see :
> 
> 1 - 192.168.1.3 == DNSMasq request
> 2 - 192.168.1.7 == forwarded to Upstream DNS
> 3 - Returned response containing 4 replies in one DNS packet
> 
> 1 - dnsmasq[26607]: 11 192.168.1.3/57917 query[A] 
> jwxbwt.theaffordableartcompany.com.au from 192.168.1.3
> 2 - dnsmasq[26607]: 11 192.168.1.3/57917 forwarded 
> jwxbwt.theaffordableartcompany.com.au to 192.168.1.7
> 3 - dnsmasq[26607]: 11 192.168.1.3/57917 reply 
> jwxbwt.theaffordableartcompany.com.au is <CNAME>
> dnsmasq[26607]: 11 192.168.1.3/57917 reply dnsdelegation.io is <CNAME>
> dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.criteo.com is <CNAME>
> dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.va1.vip.prod.criteo.com is 
> 74.119.119.139
> 
> ---
> 
> TCPDump shows upstream DNS returns all replies in 3 above in a single packet
> 
> IP x.x.x.x.42759 > 192.168.1.7.53: 29157+ A? 
> jwxbwt.theaffordableartcompany.com.au. (55)
> IP 192.168.1.7.53 > x.x.x.x.42759: 29157 4/0/0 CNAME dnsdelegation.io., CNAME 
> gum.criteo.com., CNAME gum.va1.vip.prod.criteo.com., A 74.119.119.139 (160)
> 
> ---
> 
> It looks like the filtering is being bypassed because multiple replies are
> all within a response from the upstream server so dnsdelegation.io is not
> seen and filtered ???
> 
> Do I need to do something to get DNSMasq to apply the filters to the
> responses from the upstream to filter them, or is this not currently possible?
> 
> I expect that if regular companies are doing what we see above, the next
> generation of malicious domains will be using this technique also, so we want
> to get the jump on them and have methods to defend against them in place.
> 
> thanks
> 
> Matt
> 

I wonder if option

   -h, --no-hosts
  Don't read the hostnames in /etc/hosts.


is maybe active.


And the
> cname=*.dnsdelegation.io,blackhole.inv
> cname=dnsdelegation.io,blackhole.inv
> local=/.dnsdelegation.io/
looks odd.  Experiment with removing the `local=` line.


Karma points for reporting back.


Groeten
Geert Stappers


P.S.
I would have "CNAME filtering" named "CNAME intercepting"
-- 
Silence is hard to parse

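Added example, not from this thread and not dnsmasq's own code. The logs and the tcpdump line quoted above show the mechanism behind both of Matt's tests: dnsmasq forwards the client's query name, the upstream resolver follows the whole CNAME chain itself and returns every hop in one answer, so dnsdelegation.io and www.bestbuy.com.edgekey.net never arrive at dnsmasq as a query and the cname= and local= lines, which are keyed on the queried name, have nothing to match. The Python below shows what a response-side check has to do instead: parse the answer section and test every owner name and CNAME target against the rules, not just the QNAME. The packet is constructed by hand from the chain in the tcpdump line, the blocklist entries and the *.domain matching semantics are assumptions modelled on the cname= lines in the thread, and the parser is a minimal RFC 1035 reader written for this demo.

```python
"""
Added example (not from the dnsmasq-discuss thread or the dnsmasq project):
a rule keyed on the client's query name misses a name that only appears as
a CNAME hop inside the upstream answer; a response-side check must walk the
answer section. Sample packet and blocklist are constructed for the demo.
"""
import struct

TYPE_A = 1
TYPE_CNAME = 5


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_response(qname: str, answers) -> bytes:
    """Build a DNS response carrying the given (owner, type, rdata) answer RRs.
    Names are left uncompressed, which is legal on the wire and keeps this short."""
    header = struct.pack("!HHHHHH", 0x71E5, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    body = b""
    for owner, rtype, rdata in answers:
        rd = encode_name(rdata) if rtype == TYPE_CNAME else bytes(int(o) for o in rdata.split("."))
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rd)) + rd
    return header + question + body


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the name).
    Pointer chasing is bounded so a hostile packet cannot loop forever."""
    labels, jumped, end = [], False, None
    for _ in range(256):
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name too long or pointer loop")
    return ".".join(labels).lower(), (end if jumped else off)


def parse_response(msg: bytes):
    """Return (qname, [(owner, rtype, rdata), ...]) for the answer section."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_CNAME:
            rdata, _ = read_name(msg, off)
        elif rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        else:
            rdata = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((owner, rtype, rdata))
    return qname, answers


def name_matches(name: str, rule: str) -> bool:
    """Assumed rule semantics, modelled on the thread's cname= lines:
    'example.com' matches only that name, '*.example.com' anything below it."""
    name = name.rstrip(".").lower()
    if rule.startswith("*."):
        return name.endswith(rule[1:].lower())
    return name == rule.rstrip(".").lower()


def blocked_by_qname(qname: str, rules) -> bool:
    """What a rule keyed on the client's query sees: the QNAME and nothing else."""
    return any(name_matches(qname, r) for r in rules)


def blocked_in_chain(msg: bytes, rules):
    """Response-side check: test the QNAME, every owner name and every CNAME
    target in the answer section. Returns the first matching name, or None."""
    qname, answers = parse_response(msg)
    names = [qname]
    for owner, rtype, rdata in answers:
        names.append(owner)
        if rtype == TYPE_CNAME:
            names.append(rdata)
    for n in names:
        if any(name_matches(n, r) for r in rules):
            return n
    return None


# Constructed sample: the exact chain from the thread's tcpdump line.
SAMPLE = build_response("jwxbwt.theaffordableartcompany.com.au", [
    ("jwxbwt.theaffordableartcompany.com.au", TYPE_CNAME, "dnsdelegation.io"),
    ("dnsdelegation.io", TYPE_CNAME, "gum.criteo.com"),
    ("gum.criteo.com", TYPE_CNAME, "gum.va1.vip.prod.criteo.com"),
    ("gum.va1.vip.prod.criteo.com", TYPE_A, "74.119.119.139"),
])
RULES = ["dnsdelegation.io", "*.dnsdelegation.io"]  # assumed blocklist for the demo

if __name__ == "__main__":
    print("qname-only:", blocked_by_qname("jwxbwt.theaffordableartcompany.com.au", RULES))
    print("chain-aware:", blocked_in_chain(SAMPLE, RULES))
```

Run stand-alone it reports qname-only: False and chain-aware: dnsdelegation.io. The first result is the behaviour seen in the thread; the second is the walk over the answer section that a filter would have to perform on upstream replies, which is the thing Matt is asking dnsmasq to do.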