This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

It should be possible to configure a list of IPs synapse will not make outbound connections to #3953

Closed
richvdh opened this issue Sep 25, 2018 · 4 comments

@richvdh
Member

richvdh commented Sep 25, 2018

We have url_preview_ip_range_blacklist, but no equivalent for federation requests. The attack surface is of course much smaller, but I still don't like the idea of my synapse going and hitting random HTTP servers within my firewall because someone pointed a DNS record at them. In particular, it's currently possible to make synapse send requests back to itself with a DNS record which resolves to 127.0.0.1

richvdh added a commit that referenced this issue Sep 26, 2018
There's really no point in checking for destinations called "localhost" because
there is nothing stopping people creating other DNS entries which point to
127.0.0.1. The right fix for this is
#3953.

Blocking localhost, on the other hand, means that you get a surprise when
trying to connect a test server on localhost to an existing server (with a
'normal' server_name).
@neilisfragile neilisfragile added z-p2 (Deprecated Label) security labels Oct 5, 2018
@richvdh richvdh added p1 and removed z-p2 (Deprecated Label) labels Mar 14, 2019
@anoadragon453 anoadragon453 self-assigned this Apr 9, 2019
@richvdh
Member Author

richvdh commented May 13, 2019

fixed by #5043

@rubo77
Contributor

rubo77 commented Jun 19, 2021

Is it possible to blacklist a domain like this? I got thousands of warnings in my log about a domain that is not reachable any more

@anoadragon453
Member

@rubo77 We don't support blacklisting a domain (yet), but if you can resolve the DNS to an IP address you should be able to add it to ip_range_blacklist to prevent outbound requests.

Alternatively it could be blocked at the firewall level.

@rubo77
Contributor

rubo77 commented Jun 22, 2021

I guess there is no use to block a domain that is not reachable anyway.

I tried this:

  1. I resolve the domain ffpoe.info locally in my /etc/hosts file to a dummy IP 10.13.13.13 (that is not reachable either)
  2. then I blacklist that IP in ip_range_blacklist and restarted synapse

But this didn't have any effect, I still get errors like

22 06:25:24 localhost matrix-synapse[3903]: 2021-06-22 06:25:24,495 - synapse.handlers.device - 861 - WARNING - _maybe_retry_device_resync-0- Failed to handle device list update for @joachim.stampfer:fpoe.info: Failed to send request: DNSLookupError: DNS lookup failed: no results for hostname lookup: fpoe.info.
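The check anoadragon453 describes above (resolve the destination, then compare the resolved address against ip_range_blacklist-style CIDR ranges) as an added, stand-alone example. This is not Synapse's own code and makes no claim about how Synapse implements the check; the hostnames, the FAKE_DNS table, the range list and the exception names are the example's own assumptions. It also separates the two outcomes that rubo77's last comment runs into: a name that resolves into a blacklisted range is blocked, while a name that does not resolve at all fails before any range is consulted, so the blacklist has nothing to act on.

```python
"""
Added example (not Synapse's code): guard outbound connections by resolving
the destination first and refusing to connect if any resolved address falls
inside a configured IP range blacklist.  Because the comparison is on the
resolved address, a DNS record that points at 127.0.0.1 is caught no matter
what hostname it hides behind (the issue's original concern).
"""
import ipaddress
from typing import Dict, Iterable, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class DNSLookupError(Exception):
    """Hostname has no address records.  Modelled on the error in the
    thread's log line; the blacklist is never consulted in this case."""


class BlacklistedAddress(Exception):
    """Destination resolved to an address inside a blacklisted range."""


# Constructed stand-in for a resolver so the example runs offline.  Real code
# would call socket.getaddrinfo or an asynchronous resolver instead.
FAKE_DNS: Dict[str, List[str]] = {
    "public.test": ["203.0.113.10"],                   # TEST-NET-3 documentation range
    "loopback.test": ["127.0.0.1"],                    # record pointing back at ourselves
    "mixed.test": ["203.0.113.10", "10.13.13.13"],     # one public, one RFC 1918 record
    # "nxdomain.test" is deliberately absent: resolution fails before any range check
}


def parse_blacklist(ranges: Iterable[str]) -> List[IPNetwork]:
    """Parse CIDR strings of the kind a config file's ip_range_blacklist would hold."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def resolve(hostname: str, table: Dict[str, List[str]] = FAKE_DNS) -> List[IPAddress]:
    """Look the name up in the constructed table; raise if there are no records."""
    try:
        records = table[hostname]
    except KeyError:
        raise DNSLookupError(f"no results for hostname lookup: {hostname}")
    return [ipaddress.ip_address(a) for a in records]


def is_blacklisted(addr: IPAddress, blacklist: List[IPNetwork]) -> bool:
    # ipaddress returns False for a v4 address tested against a v6 network and
    # vice versa, so mixed-family lists are safe to check in one pass.
    return any(addr in net for net in blacklist)


def check_destination(hostname: str, blacklist: List[IPNetwork],
                      table: Dict[str, List[str]] = FAKE_DNS) -> List[IPAddress]:
    """Return the addresses a connection may use.

    A single blacklisted record aborts the whole destination instead of
    quietly falling back to the remaining records: whoever controls the DNS
    zone controls which records come back, and in what order.
    """
    addrs = resolve(hostname, table)
    bad = [a for a in addrs if is_blacklisted(a, blacklist)]
    if bad:
        raise BlacklistedAddress(f"{hostname} resolves to blacklisted address {bad[0]}")
    return addrs


# Loopback, link-local and private ranges; the example's own choice of list,
# not a statement about any project's defaults.
DEFAULT_BLACKLIST = parse_blacklist([
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
])


def classify(hostname: str, blacklist: List[IPNetwork] = DEFAULT_BLACKLIST,
             table: Dict[str, List[str]] = FAKE_DNS) -> str:
    """One-word verdict: 'allowed', 'blocked' or 'unresolvable'."""
    try:
        check_destination(hostname, blacklist, table)
    except DNSLookupError:
        return "unresolvable"
    except BlacklistedAddress:
        return "blocked"
    return "allowed"


if __name__ == "__main__":
    for name in ("public.test", "loopback.test", "mixed.test", "nxdomain.test"):
        print(f"{name:14s} -> {classify(name)}")
```

The "unresolvable" verdict is the practical point for the hosts-file experiment in the thread: an entry that the server's resolver does not actually honour never produces an address for the range check to reject, so the log keeps reporting a lookup failure rather than a blocked connection.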


5 participants