-
-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
resolved: DNS access control and DNS controlled firewalling #17053
Comments
This could be configured with a simple tabular file and drop-ins like:
"Origin" means the source of the DNS request (D-Bus, varlink, UDP). The first line sets up allow-listing but disables firewall control. The second drops requests for IPv6 addresses. |
Sadly I can't find a way to get the SELinux context for the process that sent the UDP DNS packet. I've looked at the following options:
A feature which only works for those who have 1) SELinux and 2) SELinux Networking enabled and 3) Labeled IPSec correctly configured, would probably be too obscure. However, there are still other MAC systems and it's also possible to use more than one concurrently. Does |
And, I just realized that since we can't get the process ID with |
Luckily when using I think requiring |
#17126 implements the first part of this. With only bus access possible, origin and interface restrictions do not make sense. I also dropped the request type (A/AAAA etc) for simplicity. |
Is your feature request related to a problem? Please describe.
It's difficult to make useful firewalls based on filtering IP addresses since the internet operates on DNS domain names but the firewalls actually operate on IP addresses. In simple, static cases it could be possible to resolve the DNS addresses only once at resolver startup (boot etc), but not in general. Especially statically resolving domain names for address pools (e.g.
pool.ntp.org
) at resolver startup would not work as the DNS servers may give a different address each time the name is resolved.Describe the solution you'd like
There are two parts in this idea.
systemd-resolved
, i.e. resolve only domains approved for the requesting service. For example,systemd-timesyncd.service
could be allowed to resolve only*.pool.ntp.org
, but notfacebook.com
(infected service trying to check instructions from botnet C2).systemd-resolved
. As an example for NTP, initially deny all outgoing NTP port access. After a request fromsystemd-timesyncd.service
forpool.ntp.org
has been resolved to an IP address (but before the DNS reply is given back to caller), update the firewall to allow access for NTP for this IP address. The firewall rules would be removed automatically later based on selected conditions.Typical firewalls only enforce global rules for the whole system but with SELinux, it's possible to create firewall rules which use SELinux labels (SELinux networking support). Thus optionally
systemd-resolved
could let SELinux labelntpd_t
(systemd-timesyncd.service
) to access NTP ports ofpool.ntp.org
but deny NTP to other services, or allow APT (Debian package tool) to accessdebian.org
but notbotnet.org
with HTTPS.For 1.,
systemd-resolved
would need to positively identify the service and for SELinux option of 2., the label of the process making the request (withSO_PEERSEC
).The removal logic probably needs to be selected per service. For some services which resolve the server address only once, or always resolve the address before starting the connection, it would be enough to purge previous firewall entries once there's a new request. Some others may look up several host names and use all of them, so the logic should be to keep the addresses, maybe with configurable timeout.
The benefit would be more secure services and much tighter firewalls. 1. would implement simple DNS based access control for services. It would not block accesses with hard coded IP values. 2. would tighten 1. so that even known IP addresses would be blocked, unless a DNS request (subject to rules of 1.) was made in advance.
Part 1. would be already useful without 2.
The text was updated successfully, but these errors were encountered: