Re: DNS lookups for hostnames in PF tables
Hi,

OK, I'll try to explain how it works. After I resolve a name, I get one or more IPs; they are added to the pf table by "pfctl -ttablename -Tadd resolvedip(s)". All these IPs have an internal expire time. I compare this time on every interval with the current time. If I get the same IP from the resolve, I renew the expire time to current. If I never get the same IP again, I delete the IP from the pf table after the expire time is over. I run the daemon with an expire time of 4 hours and it works fine.

Additionally, I drop the internal IP list to a file that you can use for a reload of the firewall rules.

It doesn't matter if you have a name that changes the IP quickly (DNS TTL 30 for example), or the DNS response has multiple IP addresses.

I hope the explanation makes clear what I do with the daemon.

holger

p.s. excuse my ugly english

> On 9 September 2011 08:54, Holger Glaess gla...@glaessixs.de wrote:
>> hi
>>
>> i wrote a perl daemon to handle all these situations. It resolves the server name and adds or deletes the IP(s) to a specific table.
>>
>> maybe it's time to work on a package for ports.
>>
>> holger
>
> Maybe I'm terribly confused (so bear with me), but isn't the trouble with these round-robin DNS CDN type of situations that most near any A record resolution request is likely to return a different IP address than before? So given that, how would updating your pf.conf (table) with a given IP (even a few given IPs) do any good if you're not also running a proxy server or DNS server? I mean, wouldn't this just cause your Perl daemon to dutifully update a table for, say, hostname.tld to IP w.x.y.z, only to have the next client just moments later get a response of IP a.b.c.d from the remote DNS server? Which at that point in time wouldn't be covered by your PF table/rules at all? Am I terribly confused? What am I missing?
>
> regards,
> --ropers
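Holger's expire-time scheme, written out as an added Python example (this is not his Perl daemon, which is not on the page). The refresh step is kept pure and returns the pfctl commands it would run, so the round-robin case can be exercised offline with a constructed resolver; the table name "socialnet", the 4-hour default and the pf.conf "persist file" wiring are assumptions.

```python
import subprocess
from typing import Callable, Dict, Iterable, List

# A resolver is anything that maps a hostname to the list of addresses the
# DNS answer carried; injected so the logic can be driven offline.
Resolver = Callable[[str], List[str]]

class ExpiringTable:
    """Mirror resolved addresses into a pf table with per-address expiry.
    An address is added the first time it is resolved, its expiry is renewed
    every interval it shows up again, and it is deleted only once it has not
    been seen for `ttl` seconds (Holger mentions running with 4 hours)."""

    def __init__(self, table: str, ttl: float = 4 * 3600) -> None:
        self.table = table                    # pf table name, e.g. "socialnet"
        self.ttl = ttl
        self.expires: Dict[str, float] = {}   # address -> absolute expiry time

    def refresh(self, hostnames: Iterable[str], resolve: Resolver,
                now: float) -> List[List[str]]:
        """One daemon interval. Returns the pfctl commands that reconcile the
        kernel table with the tracked set, in the order they should run."""
        cmds: List[List[str]] = []
        seen = set()
        for name in hostnames:
            for ip in resolve(name):
                seen.add(ip)
                if ip not in self.expires:
                    cmds.append(["pfctl", "-t", self.table, "-T", "add", ip])
                self.expires[ip] = now + self.ttl   # new or re-seen: renew
        # Addresses that dropped out of the answer stay until they expire, so a
        # short TTL or a rotating round-robin set does not flap the table.
        for ip, exp in list(self.expires.items()):
            if ip not in seen and exp <= now:
                del self.expires[ip]
                cmds.append(["pfctl", "-t", self.table, "-T", "delete", ip])
        return cmds

    def dump(self) -> str:
        """Table contents, one address per line, for the file named by
        'table <socialnet> persist file "/path"' in pf.conf (assumed layout)
        so the addresses survive a rule reload."""
        return "".join(f"{ip}\n" for ip in sorted(self.expires))

def apply(cmds: List[List[str]]) -> None:
    """Run the generated pfctl commands (needs root on the firewall host)."""
    for cmd in cmds:
        subprocess.run(cmd, check=True)
```

Calling refresh() from a loop with the real resolver (socket.getaddrinfo, say) and feeding its output to apply() gives the daemon behaviour described above.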
Re: DNS lookups for hostnames in PF tables
On 09/09/11 20:08, ropers wrote:
> On 9 September 2011 08:54, Holger Glaess gla...@glaessixs.de wrote:
>> hi
>>
>> i wrote a perl daemon to handle all these situations. It resolves the server name and adds or deletes the IP(s) to a specific table.
>>
>> maybe it's time to work on a package for ports.
>>
>> holger
>
> Maybe I'm terribly confused (so bear with me), but isn't the trouble with these round-robin DNS CDN type of situations that most near any A record resolution request is likely to return a different IP address than before? So given that, how would updating your pf.conf (table) with a given IP (even a few given IPs) do any good if you're not also running a proxy server or DNS server? I mean, wouldn't this just cause your Perl daemon to dutifully update a table for, say, hostname.tld to IP w.x.y.z, only to have the next client just moments later get a response of IP a.b.c.d from the remote DNS server? Which at that point in time wouldn't be covered by your PF table/rules at all? Am I terribly confused? What am I missing?

I used to work at a company where we had a firewall that permitted DNS names in the filtering rules. MAN did we have some fun and excitement caused by that.

Once in a while, someone in the company would get the "This page has been blocked" message when going to google.com... which was clearly NOT a place we were trying to block. But very, very rarely, and only individual people... not the entire company. And usually not at the home office where one of us could get up and take a look at the problem. Took quite some time before it happened to someone where we could investigate hands-on.

Turned out that someone had decided to block the Google Talk instant messenger service... and it turns out that Google does what several big companies do -- has huge farms of servers, with DNS direction to any of them, then name-based and service-based direction beyond that.

So, the google talk block ended up being mostly ineffective, but once in a while, it DID block www.google.com (and gmail and ...)

    dig www.disney.com
    dig www.espn.com

Discovered this pair when explaining how the Internet worked to a high school class probably about six or seven years ago.

Give me a domain name.
espn.com!
ok, let's find the IP address: X.X.X.x
ok, now punch that into your browser's URL box, hit enter and what do you get?
Disney!
um. ok, wasn't planning on covering this topic, but ...

In short... DNS-to-address blocking is not the right way to do this. I have found DNS mangling at the DNS server is much more effective. There are a number of theoretical problems with this, but in Real Life, it works pretty well, and it is a lot easier to set up than the technically superior solutions (which seem to have a higher real-life issue rate).

Nick.
Re: DNS lookups for hostnames in PF tables
hi

i wrote a perl daemon to handle all these situations. It resolves the server name and adds or deletes the IP(s) to a specific table.

maybe it's time to work on a package for ports.

holger

> On 2011-09-08, Gerard Lally ger...@netmail.ie wrote:
>> Hi. First post. Beginner- to intermediate user.
>>
>> How does PF update a table with hostnames resolved by round-robin DNS? Is it just the first DNS response that is added to the table, or multiple DNS responses?
>
>     $ echo 'match to facebook.com' | pfctl -nvf -
>     match inet from any to 69.63.189.11
>     match inet from any to 69.63.181.12
>     match inet from any to 69.63.189.16
>
> it takes all records from the response, but doesn't track updates.
>
>> For example, is it possible to block a well-known social networking site which resolves to multiple IP addresses, using a PF table socialnet with just the hostname of the website?
>>
>> Yes, I do know this should be done with Squid, and I am using Squid for this purpose, but I am inquiring just out of curiosity.
>
> simpler to poison the DNS with your own local records for somedomain.com; preferably at the resolver, if not there then dnsspoof (in dsniff) might be workable.
Re: DNS lookups for hostnames in PF tables
On 9 September 2011 08:54, Holger Glaess gla...@glaessixs.de wrote:
> hi
>
> i wrote a perl daemon to handle all these situations. It resolves the server name and adds or deletes the IP(s) to a specific table.
>
> maybe it's time to work on a package for ports.
>
> holger

Maybe I'm terribly confused (so bear with me), but isn't the trouble with these round-robin DNS CDN type of situations that most near any A record resolution request is likely to return a different IP address than before? So given that, how would updating your pf.conf (table) with a given IP (even a few given IPs) do any good if you're not also running a proxy server or DNS server? I mean, wouldn't this just cause your Perl daemon to dutifully update a table for, say, hostname.tld to IP w.x.y.z, only to have the next client just moments later get a response of IP a.b.c.d from the remote DNS server? Which at that point in time wouldn't be covered by your PF table/rules at all? Am I terribly confused? What am I missing?

regards,
--ropers
Re: DNS lookups for hostnames in PF tables
On Wednesday, September 07, 2011 11:13 PM, Theo de Raadt dera...@cvs.openbsd.org wrote:
>> How does PF update a table with hostnames resolved by round-robin DNS? Is it just the first DNS response that is added to the table, or multiple DNS responses?
>
> pf doesn't do this, since it is in the kernel. pf only knows about addresses. It does not know about hostnames.
>
> pfctl is what is doing this; so this DNS translation happens when you run pfctl. So it depends on whether your pf.conf is dynamically adding it each time you run it. And if you only run pfctl once...
>
>> For example, is it possible to block a well-known social networking site which resolves to multiple IP addresses, using a PF table socialnet with just the hostname of the website?
>
> No. What you want is to expand to all of the addresses. Since addresses keep being added for such hostnames on the fly, it won't work.

Thank you Theo.
Re: DNS lookups for hostnames in PF tables
On Thu, Sep 8, 2011 at 01:13, Theo de Raadt dera...@cvs.openbsd.org wrote:
>> For example, is it possible to block a well-known social networking site which resolves to multiple IP addresses, using a PF table socialnet with just the hostname of the website?
>
> No. What you want is to expand to all of the addresses. Since addresses keep being added for such hostnames on the fly, it won't work.

Blocking those hosts by IP is highly impractical given the reasons you noted, and I'll add that it's usually a *really* bad idea to block the CDNs by IP unless Gerard also wants to block his users from Microsoft's update service, support.dell.com and a few other big names. Been there, done that, suffered the resulting black eye.

Gerard - if this is to meet some policy that you can't influence then use Squid with wildcards on the domains, play tricks in DNS if you need to, then hope your users aren't proxying connections via outside connections - all they need is one arbitrary port open to one arbitrary host and you can be completely blind to what they're doing. If you *can* influence the policy, consider a default deny with whitelisting for necessary destinations/ports.

kmw
Re: DNS lookups for hostnames in PF tables
On 2011-09-08, Gerard Lally ger...@netmail.ie wrote:
> Hi. First post. Beginner- to intermediate user.
>
> How does PF update a table with hostnames resolved by round-robin DNS? Is it just the first DNS response that is added to the table, or multiple DNS responses?

    $ echo 'match to facebook.com' | pfctl -nvf -
    match inet from any to 69.63.189.11
    match inet from any to 69.63.181.12
    match inet from any to 69.63.189.16

it takes all records from the response, but doesn't track updates.

> For example, is it possible to block a well-known social networking site which resolves to multiple IP addresses, using a PF table socialnet with just the hostname of the website?
>
> Yes, I do know this should be done with Squid, and I am using Squid for this purpose, but I am inquiring just out of curiosity.

simpler to poison the DNS with your own local records for somedomain.com; preferably at the resolver, if not there then dnsspoof (in dsniff) might be workable.
Re: DNS lookups for hostnames in PF tables
>     $ echo 'match to facebook.com' | pfctl -nvf -
>     match inet from any to 69.63.189.11
>     match inet from any to 69.63.181.12
>     match inet from any to 69.63.189.16
>
> it takes all records from the response, but doesn't track updates.

If we blocked Facebook at work in Sweden, all employees would leave in a couple of minutes. Seriously. ;)

/Johan
DNS lookups for hostnames in PF tables
Hi. First post. Beginner- to intermediate user.

How does PF update a table with hostnames resolved by round-robin DNS? Is it just the first DNS response that is added to the table, or multiple DNS responses?

For example, is it possible to block a well-known social networking site which resolves to multiple IP addresses, using a PF table socialnet with just the hostname of the website?

Yes, I do know this should be done with Squid, and I am using Squid for this purpose, but I am inquiring just out of curiosity.

--
Gerard Lally
Re: DNS lookups for hostnames in PF tables
> First post. Beginner- to intermediate user.
>
> How does PF update a table with hostnames resolved by round-robin DNS? Is it just the first DNS response that is added to the table, or multiple DNS responses?

pf doesn't do this, since it is in the kernel. pf only knows about addresses. It does not know about hostnames.

pfctl is what is doing this; so this DNS translation happens when you run pfctl. So it depends on whether your pf.conf is dynamically adding it each time you run it. And if you only run pfctl once...

> For example, is it possible to block a well-known social networking site which resolves to multiple IP addresses, using a PF table socialnet with just the hostname of the website?

No. What you want is to expand to all of the addresses. Since addresses keep being added for such hostnames on the fly, it won't work.