<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Okay, I understand. I think one possible defense would be
enabling DNSSEC validation. I doubt CitiBαnk.com can be
registered at any serious domain registrar. I am quite sure the .com domain has
rules to disallow registering that. The reason is obvious and you
are not the only one thinking about that. There are even more
similar letters in other alphabets. I still think the proper place
for defenses is at domain registrars. I doubt that name is
possible to register in any common TLD; there would be a lot of
people registering it already, just to misuse it. So basic
protection against that is already in place. Can you name any real
registered domain which impersonates a similar domain this way?</p>
<p>It seems to me a more proper protection would be using some
recursive server applying additional block lists, which would
block problematic domains. Creating and maintaining such a list is
more difficult than rejecting all IDN domains, but should provide
significantly more security. Sadly, that is nothing we can implement in a
simple cache such as dnsmasq. I understand US citizens do not
consider non-ASCII names important or even suspicious, but I doubt
very much they pose a significant danger to any of your network
users. I am quite sure common TLDs do not allow names differing in
just a few letters; others would be suspicious right away, even to
your children.</p>
<p>Seriously, if you want better protection, use a real kind of
protection instead. Something like the servers 1.1.1.2 or 1.0.0.2
offering serious protection. Visit [1]; other providers often have
similar alternatives. I think hacks like you are proposing will
offer just a false sense of a "more secure" network. Attackers often
upload malicious code to genuine domains because of unfixed
security issues. Bots are searching for such holes all over the
internet. The expectation that such attacks will come only from
strange-looking domains is very naive.</p>
<p>But if you would insist, I am thinking about whether some scriptable
rules written for example in Lua could be supported in dnsmasq.
Something which could test the queried name dynamically, without
listing all IDN domains as blocked explicitly. I am not sure
whether a regular expression filter would be enough. Rejecting any
name matching "\.xn--.*" or "xn--.*" might be able to reject a name
containing an IDN label anywhere in the name. I think there are more
important features missing.</p>
<p>Just my 2 cents,<br>
Petr</p>
<p><code>[1] <a class="moz-txt-link-freetext" href="https://developers.cloudflare.com/1.1.1.1/setup/">https://developers.cloudflare.com/1.1.1.1/setup/</a></code></p>
<div class="moz-cite-prefix">On 5/11/23 19:18,
<a class="moz-txt-link-abbreviated" href="mailto:burton@burtonstrauss.us">burton@burtonstrauss.us</a> wrote:<br>
</div>
<blockquote type="cite"
cite="mid:015301d9842c$9f137420$dd3a5c60$@burtonstrauss.us">
<div class="WordSection1">
<p class="MsoPlainText">The use case I'm defending against has
been recent reports of standard <b>looking</b> domains with
Greek or Cyrillic characters that appear very similar to
their Western alphabet counterparts: CitiBank.com vs.
CitiB(Greek alpha)nk.com, (I don’t think this comes through
the mailing list) CitiBank.com vs. CitiBαnk.com.</p>
<p class="MsoPlainText">I click on the link and maybe behind the
page, the browser translates it to something else, but all I
see is what looks like my Bank’s URL until it’s too late.</p>
<p class="MsoPlainText" style="margin-left:.5in"><a
href="https://www.whois.com/whois/citibank.com"
moz-do-not-send="true" class="moz-txt-link-freetext">https://www.whois.com/whois/citibank.com</a></p>
<p class="MsoPlainText" style="margin-left:.5in"><a
href="https://www.whois.com/whois/citib%CE%B1nk.com"
moz-do-not-send="true" class="moz-txt-link-freetext">https://www.whois.com/whois/citib%CE%B1nk.com</a></p>
<p class="MsoPlainText">BTW, that last domain is available!</p>
<p class="MsoPlainText">If once a year that means I can’t
download the driver for my LILYGO T-SIM7000G without special
effort… s’be’it. That would be a purposeful, measured action. I
know it’s narrow-minded and everything, but for my
personal/household daily surfing, I’m just not interested in
IDN (<a href="https://newgtlds.icann.org/en/about/idns"
moz-do-not-send="true" class="moz-txt-link-freetext">https://newgtlds.icann.org/en/about/idns</a>).</p>
<p class="MsoPlainText">Given that the risks are real, I’m back
in the white-bread ‘murica-only Internet where a URI/URL was</p>
<pre>“A URI is composed from a limited set of characters consisting of
digits, letters, and a few graphic symbols. A reserved subset of
those characters may be used to delimit syntax components within a
URI while the remaining characters, including both the unreserved set
and those reserved characters not acting as delimiters, define each
component's identifying data.”</pre>
<p class="MsoNormal">(RFC3986, RFC3305 or even earlier)</p>
<p class="MsoPlainText">Specific answers to your ?s: “Burton,
the feature you are asking for would be blocking IDNA
domains?” YES</p>
<p class="MsoPlainText">As for your scale question, my firewall
is a disgustingly beefy 65W i5-8400 (Coffee Lake) with 6 cores
and 24Gb of RAM. Load average is 0.00. Free memory is 22.9GiB.
I upgraded packages this morning and dnsmasq has used 7
seconds of CPU in 5 hours.</p>
<p class="MsoPlainText">(What can I say? It was the cheap box
that week at MicroCenter when I went shopping – in my hands
NOW instead of waiting two weeks for a box half as capable to
save $100??) (Could I run it as a VM on my ESXi box? Sure – I
used to do that before I decided to use a real NIC for the
firewall instead of a USB “gigabit” ethernet adapter) (But
where is the fun in THAT?)</p>
<p class="MsoPlainText">-----Burton</p>
<p class="MsoPlainText">-----Original Message-----<br>
From: Dominik Derigs <a class="moz-txt-link-rfc2396E" href="mailto:dl6er@dl6er.de"><dl6er@dl6er.de></a> <br>
Sent: Thursday, May 11, 2023 11:40 AM<br>
To: Petr Menšík <a class="moz-txt-link-rfc2396E" href="mailto:pemensik@redhat.com"><pemensik@redhat.com></a>;
<a class="moz-txt-link-abbreviated" href="mailto:dnsmasq-discuss@lists.thekelleys.org.uk">dnsmasq-discuss@lists.thekelleys.org.uk</a>; B@us
<a class="moz-txt-link-rfc2396E" href="mailto:burton@burtonstrauss.us"><burton@burtonstrauss.us></a><br>
Subject: Re: [Dnsmasq-discuss] Filtering non-latin1 or
non-ASCII dns requests?</p>
<p class="MsoPlainText">Hey Burton and Petr,</p>
<p class="MsoPlainText">On Wed, 2023-05-10 at 21:12 -0500, B@us
wrote:</p>
<p class="MsoPlainText">> domains that don’t match
\.[A-Za-z0-9]\.</p>
<p class="MsoPlainText">You'd probably want to allow for - and _
too, but Petr has the better idea of how to achieve this:</p>
<p class="MsoPlainText">On Thu, 2023-05-11 at 17:56 +0200, Petr
Menšík wrote:</p>
<p class="MsoPlainText">> reject all IDN names, which start
with xn-- prefix</p>
<p class="MsoPlainText">Even when truly non-ASCII domains would
be possible (dig äöü), none of the larger registrars allow
registering such domains directly and will always use the Punycode
translation of the Unicode representation of the
language-specific alphabet.</p>
<p class="MsoPlainText">Burton, the feature you are asking for
would be blocking IDNA domains?</p>
<p class="MsoPlainText">Petr, I concur that this should be
handled at a larger scale; however, I do also think it'd be
okay to have such a feature when the administrator of a local
dnsmasq says that international domains aren't something that
will happen at their place and wants some extra protection
against such letter-confusion "attacks".</p>
<p class="MsoPlainText">Best</p>
<p class="MsoPlainText">Dominik</p>
</div>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Dnsmasq-discuss mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk">Dnsmasq-discuss@lists.thekelleys.org.uk</a>
<a class="moz-txt-link-freetext" href="https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss">https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Petr Menšík
Software Engineer, RHEL
Red Hat, <a class="moz-txt-link-freetext" href="https://www.redhat.com/">https://www.redhat.com/</a>
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB</pre>
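<p>Added example, not code from the thread or from dnsmasq: a small Python check of the kind the thread converges on (Petr's "xn--" rule, Dominik's remark that a resolver only ever sees the Punycode form, and the "- and _" allowance for the plain-label pattern). It assumes query names arrive in wire form, i.e. ASCII with every internationalised label already encoded as an xn-- A-label, and it tests the prefix per label rather than with a name-wide <code>xn--.*</code> regex. All sample names are constructed; <code>to_wire</code> only mimics what a stub resolver does before sending the query.</p>

```python
"""Added example (not dnsmasq code): flag query names that carry IDNA
(punycode) labels, the "xn--" check discussed in the thread.

Assumes names arrive in wire form, i.e. already ASCII with every
internationalised label encoded as an xn-- A-label, which is what a
resolver such as dnsmasq actually sees. Sample names are constructed.
"""
import re

# The ACE prefix IDNA puts in front of an encoded label; compare case-insensitively.
ACE_PREFIX = "xn--"

# Plain LDH label (letters, digits, hyphen). Underscore is admitted as well,
# as suggested in the thread, so that SRV-style names (_ldap._tcp.example.com)
# are not flagged by the "non-ldh" rule.
LDH_LABEL = re.compile(r"^[A-Za-z0-9_-]+$")


def labels(name: str) -> list:
    """Split a query name into its non-empty labels (trailing dot ignored)."""
    return [lbl for lbl in name.rstrip(".").split(".") if lbl]


def idn_labels(name: str) -> list:
    """Return the labels of `name` that carry the xn-- ACE prefix.

    Checking per label is stricter than a name-wide "xn--.*" regex, which
    would also fire on "foxn--bar.example" where xn-- sits inside a label.
    """
    return [lbl for lbl in labels(name) if lbl.lower().startswith(ACE_PREFIX)]


def decode_ace(label: str) -> str:
    """Decode one xn-- label to its Unicode form, e.g. for a log line."""
    try:
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # malformed A-label: report it unchanged rather than fail


def to_wire(name: str) -> str:
    """Encode a Unicode name the way a stub resolver sends it (IDNA -> ASCII)."""
    return name.encode("idna").decode("ascii")


def classify(name: str) -> str:
    """Verdict for a wire-form query name: 'idn', 'non-ldh' or 'ok'."""
    if idn_labels(name):
        return "idn"
    if not all(LDH_LABEL.match(lbl) for lbl in labels(name)):
        return "non-ldh"
    return "ok"


if __name__ == "__main__":
    # Constructed samples: the thread's CitiBank look-alike (Greek alpha),
    # a plain name, and an SRV-style name a bare [A-Za-z0-9] check would reject.
    for q in ("citibank.com", to_wire("citib\u03b1nk.com"), "_ldap._tcp.example.com."):
        verdict = classify(q)
        extra = ""
        if verdict == "idn":
            extra = " -> " + ", ".join(decode_ace(l) for l in idn_labels(q))
        print(f"{q:32s} {verdict}{extra}")
```

<p>Two points worth noting when reading the output. The look-alike name never reaches the resolver as <code>citibαnk.com</code>; it arrives as <code>xn--citibnk-....com</code>, which is why a prefix check on the wire form is enough to catch every IDN label regardless of which script it hides. And decoding the A-label back to Unicode for the log line is what lets an operator see, after the fact, which confusable name was actually asked for.</p>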
</body>
</html>