Wildcard Support in Firewall Alias - Type Host(s) #4145
Comments
Long story short, you can't (easily) request all existing records for a (top-)level domain. https://stackoverflow.com/questions/19322962/how-can-i-list-all-dns-records Our aliases resolve on intervals and capture the associated addresses in a table, which only works if you can determine addresses up front. You can add domain overrides in Unbound and prevent the clients from resolving, which is what most of the blacklist solutions use as well. A more complex solution would be to capture Unbound's responses and add those to a table; this is, however, outside the scope of our project.
If the issue were for blacklisting I wouldn't mind, as I would use Unbound. This is more for traffic direction to negate a proxy and then pass the traffic through a VPN.
This is becoming a more common feature in firewalls. Several vendors already have support for it. As cloud usage expands, DNS names are becoming more dynamic by nature. Here are several examples of the feature from other vendors: Trying to request all DNS records of a domain is a futile effort, as is trying to perform reverse DNS lookups. Generally, the way this feature works in other products is by listening to DNS requests as they pass through the device. The listening service keeps a local table of DNS names and IPs as appropriate for the aliases that have DNS names configured. Either the firewall consults the table when applying rules, or the DNS service updates the alias definitions as DNS requests come through. There are probably other implementations that would work as well. The obvious challenge in wildcard-based rules is keeping everything in sync. A query now may net different results from a query later. Queries performed by the firewall may net different replies from a client making the same DNS query. The firewall rules must always contain the exact IPs that are sent to DNS clients. A user in the pfSense reddit explained it fairly concisely.
A common usage of this feature is to make dynamic rules to allow CDN-based services. The domain names used by CDNs often change, and come and go as demands ebb and flow. Using known FQDNs is just not an option, as cloud DNS names are often ephemeral. This is different from the utility of a DNS blacklist because the decision to allow or deny is not made at the DNS resolver, but instead in a firewall rule designed to allow the client's traffic to reach its destination. Instead of preventing a client from reaching the destination, it's allowing a client to reach ONLY specific destinations. Another usage of this feature is with policy-based routing, and sending traffic destined for Amazon Prime servers out my WAN interface instead of the VPN interface. Amazon Prime disables their service while connecting via a known VPN provider. Here is an example of an Amazon Prime DNS name: I wouldn't be surprised if this DNS name was created just for me, just to stream this one video, or even a segment of this one video. This could easily be captured in a wildcard entry such as *.amazonvideo.com
This issue has been automatically timed-out (after 180 days of inactivity). For more information about the policies for this repository, If someone wants to step up and work on this issue,
Agreed with @agh1467 that wildcard support would be great. Our primary firewall is proprietary and supports wildcard domains; however, I'm unable to completely move to pfSense because that support is required by some of our services.
I agree, it would be nice. In my use case I would need it to create a firewall rule to allow *.api.letsencrypt.com to connect to my NGINX to validate Let's Encrypt certs. My OPNsense only allows one country (GeoIP) to connect to my webserver by default. Now I need to enable two rules to allow everyone to connect to validate, and then I can disable them again. It's not much, but it's manual labor...
Is there already a feature request for this? I want to only allow the company cell phone to connect to port 443 on *.eu.blackberry.net via TCP and nothing more. Unfortunately I have to enter the server IPs manually.
This only works for a proxy, as the firewall can't guess any FQDN.
That is not right 🙃 Take a look at the documentation 🤓 I created an alias: BlackBerry_Servers, and added the addresses:
which are also resolved:
under: Firewall: Diagnostics: Aliases 😎 and the alias works in the firewall rules.
But you cannot create one alias *.Blackberry.net which would resolve all possible FQDNs into one list ;)
I am currently evaluating OPNsense as I might migrate from Sophos XG to it.
Maybe this tool might be a good starting point? -> Knock or https://securitytrails.com/blog/subdomain-scanner-find-subdomains
I just used Knock and all the hits it outputted are the same as on Sophos XG. So maybe a solution?! Although I don't know if BSD can run Python 3.
As @agh1467 mentioned, it works flawlessly in the FortiGate I use. Basically, once the wildcard is set in the subdomain, the firewall seems to wait for DNS queries of any subdomains that match the wildcard, and once it gets one plus a hit on the firewall rule, it resolves it and caches the subdomain and IP. My impression is that it is either that, or perhaps it does a reverse lookup of new IPs before they are processed by the rules; then, if the resolved IP matches the wildcard, it caches that specific IP against the wildcard and proceeds to process firewall rules. Whatever the case, wildcard FQDNs remain unresolved until there is an attempt to access a matching subdomain and the wildcard FQDN receives a hit by the firewall rules.
Wow .. what would happen if you brute force a domain with a wildcard A record 😀
Do you mean that such a function introduces a vulnerability, and firewalls supporting it are exposed to that risk?
This only works if you either sniff DNS traffic to feed the alias logic or let the resolver (Unbound) pass the requested domains. Since we fetch in advance, you can't really do wildcards like this... but I think I already explained that. When it's not really a fine-grained policy restriction (lock YouTube for all), an alias in the resolver usually does the trick as well. Sniffing / listening to DNS requests (which is probably what the others do) will eventually stop working as well when more and more DNS traffic is being encrypted anyway.
@inferKNOX You can accomplish this today using dnsmasq.
Run a test DNS query, then check the contents of the new table (Firewall > Diagnostics > Aliases > hosts_from_dns) to see it populate. You can use this alias (hosts_from_dns) in firewall rules. (Despite the config option being named "ipset", dnsmasq will use BSD pf tables or nftables depending on the OS.) Edit: Updated steps to clarify that the type should be "External (Advanced)" and commented out the Unbound loop mitigation by default. Removed the mitigation for the Aliases Resolver Interval.
Make sure you choose
Hey all, I tried @modest's solution using dnsmasq and it does function and supports subdomains. dnsmasq log sample creating entries for the primary domain and subdomains equally:
All of the IPs are grouped together in the table.
It does work for both NAT/Outbound, and Rules.
I tried this setup with and without this, and functionality was the same, and I did not experience the table being cleared. An apparent limitation of this dnsmasq functionality is that the TTL for DNS records is not considered, and IPs added to the set remain in the set forever. Used with a CDN service, the table may become huge. I'd guess it may have a negative impact on performance at some point depending on hardware, the number of records in the table, and the frequency and number of requests made by clients. The only configuration file modification that was necessary for this was to specify a single ipset value: For reference:
Other specific configurations were available in the web UI. However, there is no interface for specifying ipset values. I'd guess that wouldn't happen until the interface is updated to MVC, where it could use an ArrayField with a CSVListField for storing the domain names. I saw in the logs that dnsmasq created the table when it didn't exist, which is good, and it would just add IPs to a given table that already exists, so it doesn't seem like there would be a risk of clobbering an existing table. And as @AdSchellevis mentioned, the External type should be used here. Since the pf tables populated by dnsmasq/ipset and the aliases look the same, I'd guess that they would function similarly (only the content wouldn't be stored in the config, and would clear periodically whenever that alias content is saved); I'd also guess that's why Aliases Resolve Interval is being set to 0, to prevent that process from clearing the table. All in all, it seems like a pretty good workaround with some limitations which should be considered on a per-implementation basis. I wonder if this functionality could be integrated into the Aliases interface...hmmm maybe using a new Alias type?
Thanks. I've confirmed that the Aliases Resolve Interval no longer clears the table/alias when the type is set to External. Updated my comment to remove this mitigation.
This is true. And, just to get ahead of anyone who might try an incorrect solution: While There's a (very ugly) workaround to the infinite growth issue using 2 tables/aliases. You can either (a) have dnsmasq add all IPs to 2 ipsets (e.g.
Please please please :)
Tip: You can tell dnsmasq to add all IP addresses to an ipset with
Hello, I wish to introduce this functionality within my OPNsense.
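The mechanism discussed in the dnsmasq comments above (every address resolved under a listed domain lands in a pf table) and the TTL limitation noted by the follow-up test can be modelled together. The following is an added example, not OPNsense or dnsmasq code: it parses a dnsmasq-style `ipset=/domain/set` directive, applies dnsmasq's domain-matching semantics, and adds the per-reply TTL expiry that dnsmasq's ipset support lacks. The replies are constructed sample data and the `hosts_from_dns` set name is taken from the thread.

```python
# Added example (not OPNsense/dnsmasq code): models dnsmasq's ipset=/domain/set
# directive feeding a pf table, plus the TTL-based expiry dnsmasq does not do.
import ipaddress

def parse_ipset_directive(line):
    """Parse dnsmasq's 'ipset=/domain1/domain2/set1,set2' into (domains, sets)."""
    body = line.strip()
    if not body.startswith("ipset=/"):
        raise ValueError("expected ipset=/<domain>/.../<setname>")
    parts = body[len("ipset=/"):].split("/")
    if len(parts) < 2 or not all(parts):
        raise ValueError("need at least one domain and a set name")
    return [d.lower().rstrip(".") for d in parts[:-1]], parts[-1].split(",")

def matches_domain(qname, domain):
    """dnsmasq semantics: the domain itself or any name below it, so a bare
    suffix lookalike such as notamazonvideo.com does not match amazonvideo.com."""
    q = qname.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)

class WildcardTable:
    """IP set for one ipset directive; entries expire at the reply's TTL."""
    def __init__(self, directive):
        self.domains, self.sets = parse_ipset_directive(directive)
        self.expiry = {}  # ip -> time (s) after which the entry is stale

    def observe_reply(self, qname, ip, ttl, now):
        """Record a reply if the name is covered; return True when recorded."""
        if not any(matches_domain(qname, d) for d in self.domains):
            return False
        ip = str(ipaddress.ip_address(ip))  # reject junk before it reaches pf
        self.expiry[ip] = max(self.expiry.get(ip, 0), now + ttl)  # keep longest life
        return True

    def active(self, now):
        """Drop expired entries (the sweep dnsmasq's ipset lacks) and list the rest."""
        self.expiry = {ip: t for ip, t in self.expiry.items() if t > now}
        return sorted(self.expiry)

# Constructed replies: (queried name, answer, TTL seconds, time observed).
SAMPLE_REPLIES = [
    ("cdn-7.s3.amazonvideo.com.", "203.0.113.10", 60, 0),
    ("amazonvideo.com", "203.0.113.11", 3600, 5),
    ("notamazonvideo.com", "198.51.100.5", 3600, 6),  # suffix lookalike
    ("mail.example.net", "198.51.100.9", 300, 7),  # unrelated name
]

def replay(directive="ipset=/amazonvideo.com/hosts_from_dns", replies=SAMPLE_REPLIES):
    """Feed the sample replies to a table built from the directive."""
    table = WildcardTable(directive)
    return table, [table.observe_reply(*r) for r in replies]
```

Replaying the samples and calling `active()` at a later time shows the short-TTL CDN address dropping out while the long-TTL one stays, which is the behaviour the table would need to avoid growing without bound.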
Hi All,
Is it possible to add the feature to include wildcard support in Firewall Alias groups? At the moment, rather than using *.somedomain.com to whitelist all subdomains, I need to manually add each one like so: first.somedomain.com, second.somedomain.com etc...
This can get irritating when I have many subdomains to add which are near identical. In some instances the only way to obtain all domains is to run through Unbound logs to find the single subdomain I missed, which drags out the process.
Thanks