[Dnsmasq-discuss] CNAME filtering

dnsmasqlist2021 at rscubed.com dnsmasqlist2021 at rscubed.com
Mon Mar 22 03:19:00 UTC 2021


Hi,

I am trying to do some CNAME filtering but it is not working for me...

I'm picking a random domain that has cascading CNAMEs, which I am going to try to
filter, as an example here.

/etc/hosts
127.0.0.1 blackhole.inv

For my DNSMasq config I add (some of this may be redundant) the lines below to
kill dnsdelegation.io as an example:

cname=*.dnsdelegation.io,blackhole.inv
cname=dnsdelegation.io,blackhole.inv
local=/.dnsdelegation.io/

In theory one of the above should set dnsdelegation.io to 127.0.0.1.

A domain with cascading CNAMEs:

jwxbwt.theaffordableartcompany.com.au

---

When I do host I get:

$ host jwxbwt.theaffordableartcompany.com.au
jwxbwt.theaffordableartcompany.com.au is an alias for dnsdelegation.io.
dnsdelegation.io is an alias for gum.criteo.com.
gum.criteo.com is an alias for gum.va1.vip.prod.criteo.com.
gum.va1.vip.prod.criteo.com has address 74.119.119.139

---

In DNSMasq logs I see:

1 - 192.168.1.3 == DNSMasq request
2 - 192.168.1.7 == forwarded to upstream DNS
3 - Returned response containing 4 replies in one DNS packet

1 - dnsmasq[26607]: 11 192.168.1.3/57917 query[A] jwxbwt.theaffordableartcompany.com.au from 192.168.1.3
2 - dnsmasq[26607]: 11 192.168.1.3/57917 forwarded jwxbwt.theaffordableartcompany.com.au to 192.168.1.7
3 - dnsmasq[26607]: 11 192.168.1.3/57917 reply jwxbwt.theaffordableartcompany.com.au is <CNAME>
     dnsmasq[26607]: 11 192.168.1.3/57917 reply dnsdelegation.io is <CNAME>
     dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.criteo.com is <CNAME>
     dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.va1.vip.prod.criteo.com is 74.119.119.139

---

TCPDump shows the upstream DNS returns all replies in 3 above in a single packet:

IP x.x.x.x.42759 > 192.168.1.7.53: 29157+ A? jwxbwt.theaffordableartcompany.com.au. (55)
IP 192.168.1.7.53 > x.x.x.x.42759: 29157 4/0/0 CNAME dnsdelegation.io., CNAME gum.criteo.com., CNAME gum.va1.vip.prod.criteo.com., A 74.119.119.139 (160)

---

It looks like the filtering is being bypassed because multiple replies are all 
within a response from the upstream server so dnsdelegation.io is not seen and 
filtered ???

Do I need to do something to get DNSMasq to apply the filters to the responses
from the upstream to filter them, or is this not currently possible?

I expect that if regular companies are doing what we see above, the next generation of
malicious domains will be using this technique also, so we want to get the jump
on them and have methods to defend against them in place.

thanks

Matt
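As an added example (not part of the original post and not a dnsmasq feature), here is a small log check that reconstructs the CNAME chain from dnsmasq "reply ... is <CNAME>" lines and flags any query whose chain passes through a blocked zone, which is exactly the case the post describes slipping past query-time filtering. The log lines, the block list and the grouping key (log id plus client/port) are constructed from the post for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the dnsmasq log lines quoted in the post, for one query.
SAMPLE_LOG = """\
dnsmasq[26607]: 11 192.168.1.3/57917 query[A] jwxbwt.theaffordableartcompany.com.au from 192.168.1.3
dnsmasq[26607]: 11 192.168.1.3/57917 forwarded jwxbwt.theaffordableartcompany.com.au to 192.168.1.7
dnsmasq[26607]: 11 192.168.1.3/57917 reply jwxbwt.theaffordableartcompany.com.au is <CNAME>
dnsmasq[26607]: 11 192.168.1.3/57917 reply dnsdelegation.io is <CNAME>
dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.criteo.com is <CNAME>
dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.va1.vip.prod.criteo.com is 74.119.119.139
"""

# Zones to block; subdomains of each zone count as blocked too (assumed policy).
BLOCKLIST = {"dnsdelegation.io"}

# Matches "<logid> <client>/<port> reply <owner> is <target>" in a dnsmasq log line.
REPLY_RE = re.compile(r"dnsmasq\[\d+\]: (\d+) (\S+) reply (\S+) is (\S+)")


def is_blocked(name, blocklist):
    """True if name equals a blocked zone or lies beneath one (case/dot insensitive)."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in blocklist)


def chains_from_log(log):
    """Group reply lines by (log id, client/port) and return the owner-name chain per query."""
    chains = defaultdict(list)
    for line in log.splitlines():
        m = REPLY_RE.search(line)
        if m:
            qid, client, owner, target = m.groups()
            chains[f"{qid} {client}"].append((owner, target))
    return dict(chains)


def find_bypasses(log, blocklist):
    """Return (query key, queried name, blocked names) for every chain that touches a blocked zone.

    The queried name itself may be clean; the hit is any intermediate owner in the chain,
    which is the case a query-time filter never sees.
    """
    hits = []
    for key, chain in chains_from_log(log).items():
        names = [owner for owner, _ in chain]
        blocked = [n for n in names if is_blocked(n, blocklist)]
        if blocked:
            hits.append((key, names[0], blocked))
    return hits
```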


