Skip to content

wupeka/dnsfire

1 Branch0 Tags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

wupekawupeka
Updated bind9 patch
Apr 16, 2019
ea2721c · Apr 16, 2019

History

3 Commits
.gitignore
.gitignore
Apr 15, 2019
CMakeLists.txt
CMakeLists.txt
Apr 15, 2019
README.MD
README.MD
Apr 15, 2019
bind9-dnsfire.patch
bind9-dnsfire.patch
Apr 16, 2019
cmdd.c
cmdd.c
Apr 15, 2019
dnsfire.c
dnsfire.c
Apr 15, 2019
dnsfire.h
dnsfire.h
Apr 15, 2019
ipsetd.c
ipsetd.c
Apr 15, 2019
lookup3.c
lookup3.c
Apr 15, 2019
lookup3.h
lookup3.h
Apr 15, 2019
siphash24.c
siphash24.c
Apr 15, 2019
siphash24.h
siphash24.h
Apr 15, 2019
tht.c
tht.c
Apr 15, 2019
tht.h
tht.h
Apr 15, 2019

Repository files navigation

Proof-of-concept for a DNS Firewall Enforcer, using BIND9 and ipset (or any other CLI-controllable firewall).

What is a DNS Firewall Enforcer

What is a DNS Firewall

DNS Firewall is a solution that prevents users and systems from connecting to malicious services by filtering DNS queries - and not returning the IP addresses of known mailicious services to user.

The problem

Filtering DNS queries is easy - DNS runs on port 53, it's unencrypted, the traffic to outside (unfiltered) resolvers can easily be blocked. The same works with DNS over TLS - it's using a well-known port 853, which can easily be firewalled.

The problem arises with DNS over HTTPS - from a regular firewall standpoint the protocol is indistinguishable from regular HTTPS traffic - so it cannot be properly filtered (unless one strips TLS and does deep packet inspection).

The solution

In most cases a client needs to resolve a domain name to IP address to connect to any service - so a client connecting to an IP address that wasn't resolved by a local DNS is suspicious. DNSFIRE solves the problem by either logging or blocking completely connections to IP addresses that were not resolved using a local, safe, and secure DNS service.

How does it work

BIND9

Apply bind9-dnsfire.patch to bind 9.14/9.15 source tree and rebuild it. Then add:

 dnsfire <key> <ip> port <port>;

somewhere in your options {} section; for example:

 dnsfire 01234567890123456789012345678901 192.168.1.1 port 15353

Key is a 128-bit SipHash-2-4 key used to authenticate requests to the router, just pick a random 32-character hex string.

Router running Linux with iptables and ipset

dnsfire-ipsetd is a daemon that adds timeoutable rules to provided ipsets - one for ipv4, and one for ipv6.

To use it first create two ipsets with timeout support:

ipset create table4 hash:ip family inet timeout 0
ipset create table6 hash:ip family inet6 timeout 0

Then launch dnsfire-ipsetd:

./dnsfire-ipsetd -4 table4 -6 table6 -k 01234567890123456789012345678901 -b 192.168.1.1 -p 15353

If everything is configured correctly you should see IPs being added by looking at output of

ipset list

Currently dnsfire-ipsetd uses command 'ipset' and a system() call to set up new rules, this will be rewritten to use libipset sometime.

Then you can e.g. add a rule to iptables to log traffic to addresses that were not resolved using system resolver:

iptables -I FORWARD -s 192.168.1.0/24 \! -d 192.168.0.0/16 -m conntrack --ctstate NEW -m set \! --match-set table4 dst -j LOG

Any other router

If your router has a CLI command to add and remove allowed IPs use:

./dnsfire-cmdd -4 "echo add_ipv4_to_fw ip=%s" -5 "echo del_ipv4_from_fw ip=%s" -6 "echo add_ipv6_to_fw ip=%s" -7 "echo del_ipv6_from_fw ip=%s"

"%s" is replaced with IP address to be added/deleted. The rest of command line options are the same as with dnsfire-ipsetd.

About

DNS Firewall Enforcer

Resources

Readme
Activity

Stars

49 stars

Watchers

8 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages