[Dnsmasq-discuss] CNAME filtering

Dominick C. Pastore dominickpastore at dcpx.org
Mon Mar 22 19:11:35 UTC 2021


On Mon, Mar 22, 2021, at 2:07 PM, dnsmasqlist2021 at rscubed.com wrote:
> 
> On Mon, 22 Mar 2021, Geert Stappers via Dnsmasq-discuss wrote:
> 
> > On Mon, Mar 22, 2021 at 03:19:00AM +0000, dnsmasqlist2021 at rscubed.com wrote:
> >>
> >> Hi,
> >>
> >> I am trying to do some CNAME filtering but it is not working for me...
> >>
> >> I'm picking a random domain that has cascading CNAMEs I am going to try to
> >> filter for an example here.
> >>
> >> /etc/hosts
> >> 127.0.0.1 blackhole.inv
> >>
> >> For my DNSMasq config I add (some of this may be redundant) the lines below
> >> to kill dnsdelegation.io as an example :
> >>
> >> cname=*.dnsdelegation.io,blackhole.inv
> >> cname=dnsdelegation.io,blackhole.inv
> >> local=/.dnsdelegation.io/
> >>
> >> In theory one of the above should set dnsdelegation.io to 127.0.0.1
> >>
> >> a domain with cascading CNAMEs :
> >>
> >> jwxbwt.theaffordableartcompany.com.au
> >>
> >> ---
> >>
> >> When I do host I get :
> >>
> >> $ host jwxbwt.theaffordableartcompany.com.au
> >> jwxbwt.theaffordableartcompany.com.au is an alias for dnsdelegation.io.
> >> dnsdelegation.io is an alias for gum.criteo.com.
> >> gum.criteo.com is an alias for gum.va1.vip.prod.criteo.com.
> >> gum.va1.vip.prod.criteo.com has address 74.119.119.139
> >>
> >> ---
> >>
> >> In DNSMasq Logs I see :
> >>
> >> 1 - 192.168.1.3 == DNSMasq request
> >> 2 - 192.168.1.7 == forwarded to Upstream DNS
> >> 3 - Returned response containing 4 Replies in one DNS packet
> >>
> >> 1 - dnsmasq[26607]: 11 192.168.1.3/57917 query[A] jwxbwt.theaffordableartcompany.com.au from 192.168.1.3
> >> 2 - dnsmasq[26607]: 11 192.168.1.3/57917 forwarded jwxbwt.theaffordableartcompany.com.au to 192.168.1.7
> >> 3 - dnsmasq[26607]: 11 192.168.1.3/57917 reply jwxbwt.theaffordableartcompany.com.au is <CNAME>
> >>     dnsmasq[26607]: 11 192.168.1.3/57917 reply dnsdelegation.io is <CNAME>
> >>     dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.criteo.com is <CNAME>
> >>     dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.va1.vip.prod.criteo.com is 74.119.119.139
> >>
> >> ---
> >>
> >> TCPDump shows upstream DNS returns all replies in 3 above in a single packet
> >>
> >> IP x.x.x.x.42759 > 192.168.1.7.53: 29157+ A? jwxbwt.theaffordableartcompany.com.au. (55)
> >> IP 192.168.1.7.53 > x.x.x.x.42759: 29157 4/0/0 CNAME dnsdelegation.io., CNAME gum.criteo.com., CNAME gum.va1.vip.prod.criteo.com., A 74.119.119.139 (160)
> >>
> >> ---
> >>
> >> It looks like the filtering is being bypassed because multiple replies are
> >> all within a response from the upstream server so dnsdelegation.io is not
> >> seen and filtered ???
> >>
> >> Do I need to do something to get DNSMasq to apply the filters to the
> >> responses from the upstream to filter them or is this not currently possible?
> >>
> >> I expect if regular companies are doing what we see above the next
> >> generation of malicious domains will be using this technique also so we want
> >> to get the jump on them and have methods to defend against them in place.
> >>
> >> thanks
> >>
> >> Matt
> >>
> >
> > I wonder if option
> >
> >       -h, --no-hosts
> >              Don't read the hostnames in /etc/hosts.
> >
> >
> > is maybe active.
> >
> >
> > And the
> >> cname=*.dnsdelegation.io,blackhole.inv
> >> cname=dnsdelegation.io,blackhole.inv
> >> local=/.dnsdelegation.io/
> > looks odd.  Experiment with removing the `local=` line.
> >
> >
> > Karma points for reporting back.
> >
> >
> > Groeten
> > Geert Stappers
> >
> >
> > P.S.
> > I would have "CNAME filtering" named "CNAME intercepting"
> > -- 
> > Silence is hard to parse
> >
> > _______________________________________________
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss at lists.thekelleys.org.uk
> > https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
> >
> 
> If I use www.bestbuy.com as an example I see
> 
> 8683 192.168.1.3/34112 query[AAAA] www.bestbuy.com from 192.168.1.3
> 8683 192.168.1.3/34112 forwarded www.bestbuy.com to 192.168.1.7
> 8682 192.168.1.3/34112 reply www.bestbuy.com is <CNAME>
> 8682 192.168.1.3/34112 reply www.bestbuy.com.edgekey.net is <CNAME>
> 8682 192.168.1.3/34112 reply e5816.x.akamaiedge.net is 184.24.144.179
> 
> the cname wildcard was added in version 2.77 according to changelog
> If I add a wildcard cname I see no change in response it still resolves :
> 
> cname=*.bestbuy.com,blackhole.inv
> 
> If I use the direct name www.bestbuy.com
> 
> cname=www.bestbuy.com,blackhole.inv
> 
> then it works and I get :
> $ host www.bestbuy.com
> www.bestbuy.com is an alias for blackhole.inv.
> blackhole.inv has address 127.0.0.1
> 
> But for this example what I want is to make this replied cname 
> www.bestbuy.com.edgekey.net go to blackhole.inv, and neither the desired wildcard 
> version nor the full name works. www.bestbuy.com still resolves.
> 
> Tried these variations of what is in the replies to www.bestbuy.com
> 
> cname=*.edgekey.net,blackhole.inv
> 
> cname=www.bestbuy.com.edgekey.net,blackhole.inv
> 
> cname=e5816.x.akamaiedge.net,blackhole.inv
> 
> cname=*.akamaiedge.net,blackhole.inv
> 
> I also tried adding edgekey.net to /etc/hosts and doing
> cname=*.edgekey.net,edgekey.net
> But this also had no effect on www.bestbuy.com resolving.
> 
> I'm guessing because these are all in replies that are not looked at ???
> 
> 
> Matt

Ah, so this is similar to a question I had some time ago. In your first email, you asked:

> It looks like the filtering is being bypassed because multiple replies are
> all within a response from the upstream server so dnsdelegation.io is not
> seen and filtered ???
>
> Do I need to do something to get DNSMasq to apply the filters to the
> responses from the upstream to filter them or is this not currently possible?

That is indeed what is happening, and it's not currently possible, unfortunately. Dnsmasq either responds to a request using local info (e.g. /etc/hosts, configuration entries, DHCP leases) *or* forwards it to the upstream server. There's no half-and-half.

As for why "cname=www.bestbuy.com,blackhole.inv" works but "cname=*.bestbuy.com,blackhole.inv" doesn't, that I'm not sure.

Regards,
Dominick
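
The behaviour Dominick describes (dnsmasq answers a query from local data or forwards it whole, and never inspects the CNAME chain inside the upstream response) means a cname= table only ever sees the name the client asked for. One way to at least detect chains that slipped past such a filter is to audit the dnsmasq query log after the fact: every owner name in the answer section is logged as its own "reply" line, so the chain can be reconstructed and each hop checked against the configured cname= aliases. The following Python script is an added example, not code from this thread or from dnsmasq. The log lines and cname= entries are constructed from the ones quoted above, and the wildcard semantics it applies (`*.suffix` matches any name with at least one label in front of the suffix, not the bare suffix) are an assumption about dnsmasq's matching rather than something the thread states.

```python
import re

# Constructed sample input: dnsmasq --log-queries lines in the shape quoted in
# the thread (two transactions, one per client port). Not real captured data.
SAMPLE_LOG = """\
dnsmasq[26607]: 11 192.168.1.3/57917 query[A] jwxbwt.theaffordableartcompany.com.au from 192.168.1.3
dnsmasq[26607]: 11 192.168.1.3/57917 forwarded jwxbwt.theaffordableartcompany.com.au to 192.168.1.7
dnsmasq[26607]: 11 192.168.1.3/57917 reply jwxbwt.theaffordableartcompany.com.au is <CNAME>
dnsmasq[26607]: 11 192.168.1.3/57917 reply dnsdelegation.io is <CNAME>
dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.criteo.com is <CNAME>
dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.va1.vip.prod.criteo.com is 74.119.119.139
dnsmasq[26607]: 8683 192.168.1.3/34112 query[AAAA] www.bestbuy.com from 192.168.1.3
dnsmasq[26607]: 8683 192.168.1.3/34112 forwarded www.bestbuy.com to 192.168.1.7
dnsmasq[26607]: 8682 192.168.1.3/34112 reply www.bestbuy.com is <CNAME>
dnsmasq[26607]: 8682 192.168.1.3/34112 reply www.bestbuy.com.edgekey.net is <CNAME>
dnsmasq[26607]: 8682 192.168.1.3/34112 reply e5816.x.akamaiedge.net is 184.24.144.179
"""

# Constructed sample config: the cname= lines tried in the thread.
SAMPLE_CONFIG = """\
cname=*.dnsdelegation.io,blackhole.inv
cname=dnsdelegation.io,blackhole.inv
cname=*.edgekey.net,blackhole.inv
"""

# <serial> <client>/<port> <kind> <name> (from|to|is) <rest>
LOG_RE = re.compile(
    r"dnsmasq\[\d+\]: (?P<serial>\d+) (?P<client>\S+) "
    r"(?P<kind>query\[\w+\]|forwarded|reply) (?P<name>\S+) (?:from|to|is) (?P<rest>\S+)"
)


def parse_chains(log_text):
    """Group reply lines by client socket; return {(client, queried_name): [names]}.

    Each 'reply' line names one owner in the answer section, so the reply names
    in order are the CNAME chain dnsmasq relayed, ending at the name that
    carried the address. Grouping is by client socket, not by the serial,
    so the serial differing between query and reply lines does not matter.
    """
    chains = {}
    open_txn = {}  # client socket -> key of the transaction it currently has open
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        client, kind, name = m.group("client"), m.group("kind"), m.group("name")
        if kind.startswith("query"):
            key = (client, name)
            open_txn[client] = key
            chains[key] = []
        elif kind == "reply" and client in open_txn:
            chains[open_txn[client]].append(name)
    return chains


def cname_patterns(config_text):
    """Return the alias side of each cname=<alias>,<target> line (the form used
    in the thread; the multi-alias and TTL forms are not handled here)."""
    return [ln.strip()[len("cname="):].split(",")[0]
            for ln in config_text.splitlines() if ln.strip().startswith("cname=")]


def pattern_matches(pattern, name):
    """Case-insensitive match of a cname= alias against a DNS name.

    Assumed wildcard semantics: '*.suffix' matches any name with at least one
    label in front of the suffix and does not match the bare suffix itself.
    """
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.example.net" -> ".example.net"
        return name.endswith(suffix) and len(name) > len(suffix)
    return name == pattern


def audit(chains, patterns):
    """Names inside a relayed chain that match a cname= alias, other than the
    queried name itself. These are exactly the names the local cname= table
    never had a chance to intercept, because the whole query was forwarded."""
    findings = {}
    for (client, qname), names in chains.items():
        hits = [n for n in names
                if n != qname and any(pattern_matches(p, n) for p in patterns)]
        if hits:
            findings[(client, qname)] = hits
    return findings


if __name__ == "__main__":
    results = audit(parse_chains(SAMPLE_LOG), cname_patterns(SAMPLE_CONFIG))
    for (client, qname), hits in results.items():
        print(f"{client} asked for {qname}; chain passed through: {', '.join(hits)}")
```

Run against the sample, the script flags `dnsdelegation.io` in the first transaction and `www.bestbuy.com.edgekey.net` in the second, which is the gap Matt observed: the names are present in the relayed answers but were never the queried name, so no cname= entry is consulted for them. Pointing the script at a real `log-queries` file gives a defender a list of which configured aliases are being reached only through upstream CNAME chains.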
