[Dnsmasq-discuss] CNAME filtering

Geert Stappers stappers at stappers.nl
Mon Mar 22 06:25:30 UTC 2021


On Mon, Mar 22, 2021 at 03:19:00AM +0000, dnsmasqlist2021 at rscubed.com wrote:
> 
> Hi,
> 
> I am trying to do some CNAME filtering but it is not working for me...
> 
> I'm picking a random domain that has cascading CNAMEs I am going to try to
> filter for an example here.
> 
> /etc/hosts
> 127.0.0.1 blackhole.inv
> 
> For my DNSMasq config I add (some of this may be redundant) the lines below
> to kill dnsdelegation.io as an example :
> 
> cname=*.dnsdelegation.io,blackhole.inv
> cname=dnsdelegation.io,blackhole.inv
> local=/.dnsdelegation.io/
> 
> In theory one of the above should set dnsdelegation.io to 127.0.0.1
> 
> a domain with cascading CNAMEs :
> 
> jwxbwt.theaffordableartcompany.com.au
> 
> ---
> 
> When I do host I get :
> 
> $ host jwxbwt.theaffordableartcompany.com.au
> jwxbwt.theaffordableartcompany.com.au is an alias for dnsdelegation.io.
> dnsdelegation.io is an alias for gum.criteo.com.
> gum.criteo.com is an alias for gum.va1.vip.prod.criteo.com.
> gum.va1.vip.prod.criteo.com has address 74.119.119.139
> 
> ---
> 
> In DNSMasq Logs I see :
> 
> 1 - 192.168.1.3 == DNSMasq request
> 2 - 192.168.1.7 == forwarded to Upstream DNS
> 3 - Returned response containing 4 Replies in one DNS packet
> 
> 1 - dnsmasq[26607]: 11 192.168.1.3/57917 query[A] jwxbwt.theaffordableartcompany.com.au from 192.168.1.3
> 2 - dnsmasq[26607]: 11 192.168.1.3/57917 forwarded jwxbwt.theaffordableartcompany.com.au to 192.168.1.7
> 3 - dnsmasq[26607]: 11 192.168.1.3/57917 reply jwxbwt.theaffordableartcompany.com.au is <CNAME>
>     dnsmasq[26607]: 11 192.168.1.3/57917 reply dnsdelegation.io is <CNAME>
>     dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.criteo.com is <CNAME>
>     dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.va1.vip.prod.criteo.com is 74.119.119.139
> 
> ---
> 
> TCPDump shows upstream DNS returns all replies in 3 above in a single packet
> 
> IP x.x.x.x.42759 > 192.168.1.7.53: 29157+ A? jwxbwt.theaffordableartcompany.com.au. (55)
> IP 192.168.1.7.53 > x.x.x.x.42759: 29157 4/0/0 CNAME dnsdelegation.io., CNAME gum.criteo.com., CNAME gum.va1.vip.prod.criteo.com., A 74.119.119.139 (160)
> 
> ---
> 
> It looks like the filtering is being bypassed because multiple replies are
> all within a response from the upstream server so dnsdelegation.io is not
> seen and filtered ???
> 
> Do I need to do something to get DNSMasq to apply the filters to the
> responses from the upstream to filter them or is this not currently possible
> ?
> 
> I expect if regular companies are doing what we see above the next
> generation of malicious domains will be using this technique also so we want
> to get the jump on them and have methods to defend against them in place.
> 
> thanks
> 
> Matt
> 

I wonder if option

       -h, --no-hosts
              Don't read the hostnames in /etc/hosts.


is maybe active.


And the
> cname=*.dnsdelegation.io,blackhole.inv
> cname=dnsdelegation.io,blackhole.inv
> local=/.dnsdelegation.io/
looks odd.  Experiment with removing the `local=` line.


Karma points for reporting back.


Groeten
Geert Stappers


P.S.
I would have "CNAME filtering" named "CNAME intercepting"
-- 
Silence is hard to parse
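The log excerpt in Matt's post shows the shape of the problem: the client asked for a name that is not on any blocklist, and the blocked name only appeared as an intermediate owner in the CNAME chain that came back from upstream in one packet. Whatever the fix on the dnsmasq side turns out to be, an operator can at least detect such cases from the existing `log-queries` output. The script below is an added example, not code from the thread or from dnsmasq; it takes the reply lines quoted above as constructed sample input, regroups them per query (by the serial number and client address/port that dnsmasq prints), and reports every query whose own name would not have been intercepted but whose answer chain passes through a blocked name. The blocklist matching follows the `local=/.domain/` convention (apex plus all subdomains); `BLOCKLIST`, `SAMPLE_LOG` and all function names are this example's own.

```python
import re

# Constructed sample input: the query, forward and reply lines quoted in the
# post, in dnsmasq's log-queries format. "11" is the per-query serial and
# "192.168.1.3/57917" the client address and source port.
SAMPLE_LOG = """\
dnsmasq[26607]: 11 192.168.1.3/57917 query[A] jwxbwt.theaffordableartcompany.com.au from 192.168.1.3
dnsmasq[26607]: 11 192.168.1.3/57917 forwarded jwxbwt.theaffordableartcompany.com.au to 192.168.1.7
dnsmasq[26607]: 11 192.168.1.3/57917 reply jwxbwt.theaffordableartcompany.com.au is <CNAME>
dnsmasq[26607]: 11 192.168.1.3/57917 reply dnsdelegation.io is <CNAME>
dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.criteo.com is <CNAME>
dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.va1.vip.prod.criteo.com is 74.119.119.139
"""

# Domains the operator wants intercepted (assumed list for this example).
# Matching mirrors local=/.domain/: the apex and every name beneath it.
BLOCKLIST = {"dnsdelegation.io"}

# One dnsmasq log line: serial, client, action, owner name, remainder.
LINE_RE = re.compile(
    r"dnsmasq\[\d+\]: (?P<qid>\d+) (?P<client>\S+) "
    r"(?P<action>query\[\w+\]|forwarded|reply) (?P<name>\S+) (?P<rest>.*)"
)


def is_blocked(name, blocklist=BLOCKLIST):
    """True if name equals a blocklisted domain or lies under it."""
    n = name.rstrip(".").lower()
    return any(n == b or n.endswith("." + b) for b in blocklist)


def parse_log(text):
    """Group lines by (serial, client) and return, per query, the name that
    was asked for and the ordered owner names seen in its reply lines."""
    queries = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["qid"], m["client"])
        entry = queries.setdefault(key, {"qname": None, "chain": []})
        if m["action"].startswith("query"):
            entry["qname"] = m["name"]
        elif m["action"] == "reply":
            entry["chain"].append(m["name"])
    return queries


def find_hidden_hits(text, blocklist=BLOCKLIST):
    """Return (qname, [blocked owner names]) for each query whose own name is
    not blocked but whose answer chain contains a blocked name: exactly the
    case the post describes, where the block is not applied to the chain."""
    hits = []
    for entry in parse_log(text).values():
        qname = entry["qname"]
        if qname is None or is_blocked(qname, blocklist):
            continue  # a blocked qname is the case the cname= rule already covers
        inner = [n for n in entry["chain"] if is_blocked(n, blocklist)]
        if inner:
            hits.append((qname, inner))
    return hits


if __name__ == "__main__":
    for qname, inner in find_hidden_hits(SAMPLE_LOG):
        print(f"{qname}: answer chain passes through blocked name(s) {inner}")
```

Run against a live log (`tail -F` piped into `find_hidden_hits`, or a periodic pass over the file) this gives a count of how often blocked domains are reached only through an upstream CNAME chain, which is the evidence needed to decide whether a dnsmasq-side change is worth pursuing. The grouping key matters: dnsmasq reuses serial numbers across clients, so the serial alone is not unique, while serial plus client address/port is.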


