[Dnsmasq-discuss] CNAME filtering

dnsmasqlist2021 at rscubed.com dnsmasqlist2021 at rscubed.com
Tue Mar 23 00:52:44 UTC 2021


On Mon, 22 Mar 2021, Dominick C. Pastore wrote:

> On Mon, Mar 22, 2021, at 2:07 PM, dnsmasqlist2021 at rscubed.com wrote:
>>
>> On Mon, 22 Mar 2021, Geert Stappers via Dnsmasq-discuss wrote:
>>
>>> On Mon, Mar 22, 2021 at 03:19:00AM +0000, dnsmasqlist2021 at rscubed.com wrote:
>>>>
>>>> Hi,
>>>>
>>>> I am trying to do some CNAME filtering but it is not working for me...
>>>>
>>>> I'm picking a random domain that has cascading CNAMEs I am going to try to
>>>> filter for an example here.
>>>>
>>>> /etc/hosts
>>>> 127.0.0.1 blackhole.inv
>>>>
>>>> For my DNSMasq config I add (some of this may be redundant) the lines below
>>>> to kill dnsdelegation.io as an example :
>>>>
>>>> cname=*.dnsdelegation.io,blackhole.inv
>>>> cname=dnsdelegation.io,blackhole.inv
>>>> local=/.dnsdelegation.io/
>>>>
>>>> In theory one of the above should set dnsdelegation.io to 127.0.0.1
>>>>
>>>> a domain with cascading CNAMEs :
>>>>
>>>> jwxbwt.theaffordableartcompany.com.au
>>>>
>>>> ---
>>>>
>>>> When I do host I get :
>>>>
>>>> $ host jwxbwt.theaffordableartcompany.com.au
>>>> jwxbwt.theaffordableartcompany.com.au is an alias for dnsdelegation.io.
>>>> dnsdelegation.io is an alias for gum.criteo.com.
>>>> gum.criteo.com is an alias for gum.va1.vip.prod.criteo.com.
>>>> gum.va1.vip.prod.criteo.com has address 74.119.119.139
>>>>
>>>> ---
>>>>
>>>> In DNSMasq Logs I see :
>>>>
>>>> 1 - 192.168.1.3 == DNSMasq request
>>>> 2 - 192.168.1.7 == forwarded to Upstream DNS
>>>> 3 - Returned response containing 4 Replies in one DNS packet
>>>>
>>>> 1 - dnsmasq[26607]: 11 192.168.1.3/57917 query[A] jwxbwt.theaffordableartcompany.com.au from 192.168.1.3
>>>> 2 - dnsmasq[26607]: 11 192.168.1.3/57917 forwarded jwxbwt.theaffordableartcompany.com.au to 192.168.1.7
>>>> 3 - dnsmasq[26607]: 11 192.168.1.3/57917 reply jwxbwt.theaffordableartcompany.com.au is <CNAME>
>>>>     dnsmasq[26607]: 11 192.168.1.3/57917 reply dnsdelegation.io is <CNAME>
>>>>     dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.criteo.com is <CNAME>
>>>>     dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.va1.vip.prod.criteo.com is 74.119.119.139
>>>>
>>>> ---
>>>>
>>>> TCPDump shows upstream DNS returns all replies in 3 above in a single packet
>>>>
>>>> IP x.x.x.x.42759 > 192.168.1.7.53: 29157+ A? jwxbwt.theaffordableartcompany.com.au. (55)
>>>> IP 192.168.1.7.53 > x.x.x.x.42759: 29157 4/0/0 CNAME dnsdelegation.io., CNAME gum.criteo.com., CNAME gum.va1.vip.prod.criteo.com., A 74.119.119.139 (160)
>>>>
>>>> ---
>>>>
>>>> It looks like the filtering is being bypassed because multiple replies are
>>>> all within a response from the upstream server so dnsdelegation.io is not
>>>> seen and filtered ???
>>>>
>>>> Do I need to do something to get DNSMasq to apply the filters to the
>>>> responses from the upstream to filter them or is this not currently possible?
>>>>
>>>> I expect if regular companies are doing what we see above the next
>>>> generation of malicious domains will be using this technique also so we want
>>>> to get the jump on them and have methods to defend against them in place.
>>>>
>>>> thanks
>>>>
>>>> Matt
>>>>
>>>
>>> I wonder if option
>>>
>>>       -h, --no-hosts
>>>              Don't read the hostnames in /etc/hosts.
>>>
>>>
>>> is maybe active.
>>>
>>>
>>> And the
>>>> cname=*.dnsdelegation.io,blackhole.inv
>>>> cname=dnsdelegation.io,blackhole.inv
>>>> local=/.dnsdelegation.io/
>>> looks odd.  Experiment with removing the `local=` line.
>>>
>>>
>>> Karma points for reporting back.
>>>
>>>
>>> Groeten
>>> Geert Stappers
>>>
>>>
>>> P.S.
>>> I would have "CNAME filtering" named "CNAME intercepting"
>>> --
>>> Silence is hard to parse
>>>
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
>>>
>>
>> If I use www.bestbuy.com as an example I see
>>
>> 8683 192.168.1.3/34112 query[AAAA] www.bestbuy.com from 192.168.1.3
>> 8683 192.168.1.3/34112 forwarded www.bestbuy.com to 192.168.1.7
>> 8682 192.168.1.3/34112 reply www.bestbuy.com is <CNAME>
>> 8682 192.168.1.3/34112 reply www.bestbuy.com.edgekey.net is <CNAME>
>> 8682 192.168.1.3/34112 reply e5816.x.akamaiedge.net is 184.24.144.179
>>
>> the cname wildcard was added in version 2.77 according to changelog
>> If I add a wildcard cname I see no change in response it still resolves :
>>
>> cname=*.bestbuy.com,blackhole.inv
>>
>> If I use the direct name www.bestbuy.com
>>
>> cname=www.bestbuy.com,blackhole.inv
>>
>> then it works and I get :
>> $ host www.bestbuy.com
>> www.bestbuy.com is an alias for blackhole.inv.
>> blackhole.inv has address 127.0.0.1
>>
>> But for this example what I want is to make this replied cname
>> www.bestbuy.com.edgekey.net go to blackhole.inv and neither the desired wildcard
>> version nor the full name work. www.bestbuy.com still resolves.
>>
>> Tried these variations of what is in the replies to www.bestbuy.com
>>
>> cname=*.edgekey.net,blackhole.inv
>>
>> cname=www.bestbuy.com.edgekey.net,blackhole.inv
>>
>> cname=e5816.x.akamaiedge.net,blackhole.inv
>>
>> cname=*.akamaiedge.net,blackhole.inv
>>
>> I also tried adding edgekey.net to /etc/hosts and doing
>> cname=*.edgekey.net,edgekey.net
>> But this also had no effect on www.bestbuy.com resolving.
>>
>> I'm guessing because these are all in replies that are not looked at ???
>>
>>
>> Matt
>
> Ah, so this is similar to a question I had some time ago. In your first email, you asked:
>
>> It looks like the filtering is being bypassed because multiple replies are
>> all within a response from the upstream server so dnsdelegation.io is not
>> seen and filtered ???
>>
>> Do I need to do something to get DNSMasq to apply the filters to the
>> responses from the upstream to filter them or is this not currently possible?
>
> That is indeed what is happening, and it's not currently possible, unfortunately. Dnsmasq either responds to a request using local info (e.g. /etc/hosts, configuration entries, DHCP leases) *or* forwards it to the upstream server. There's no half-and-half.
>
> As for why "cname=www.bestbuy.com,blackhole.inv" works but "cname=*.bestbuy.com,blackhole.inv" doesn't, that I'm not sure.
>
> Regards,
> Dominick
>

OK, thanks.

I did check to make sure /etc/hosts was working and switched to a different 
domain for the test with just a single cname config record at a time.

But also not sure why the wildcard cnames are failing when the exact name does 
not. Using dnsmasq-2.85rc1 for these tests.


Matt
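The behaviour Dominick describes (dnsmasq consults `cname=` only for the name the client asked for, never for the owner names inside a forwarded upstream answer) means a `cname=` entry cannot catch a blocked name that appears mid-chain. What a defender can still do is spot those cases after the fact from the log. The script below is an added example, not code from the thread or from the dnsmasq project: it reads `cname=` lines from a config fragment, groups the `query`/`reply` lines of a dnsmasq log (in the `log-queries=extra` format shown above, with the per-query `client/port` field used as the grouping key) into CNAME chains, and reports any chain member other than the queried name that matches a filter pattern. The sample log and config are constructed from the lines posted in the thread; treating `*` in a `cname=` pattern as a shell-style glob is an assumption for this check, not a statement about dnsmasq's own wildcard semantics.

```python
"""Added example: find CNAME chains in a dnsmasq log that pass through a name
a cname= filter was meant to intercept (the case discussed in the thread)."""
import re
from fnmatch import fnmatchcase

# Constructed config fragment, reusing the directives posted in the thread.
CNAME_CONFIG = """\
cname=*.dnsdelegation.io,blackhole.inv
cname=dnsdelegation.io,blackhole.inv
"""

# Constructed sample log, modelled on the log-queries=extra lines in the thread.
# The second query (www.example.net, 203.0.113.10) is a made-up control case
# with no CNAME chain at all.
SAMPLE_LOG = """\
dnsmasq[26607]: 11 192.168.1.3/57917 query[A] jwxbwt.theaffordableartcompany.com.au from 192.168.1.3
dnsmasq[26607]: 11 192.168.1.3/57917 forwarded jwxbwt.theaffordableartcompany.com.au to 192.168.1.7
dnsmasq[26607]: 11 192.168.1.3/57917 reply jwxbwt.theaffordableartcompany.com.au is <CNAME>
dnsmasq[26607]: 11 192.168.1.3/57917 reply dnsdelegation.io is <CNAME>
dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.criteo.com is <CNAME>
dnsmasq[26607]: 11 192.168.1.3/57917 reply gum.va1.vip.prod.criteo.com is 74.119.119.139
dnsmasq[26607]: 12 192.168.1.3/57918 query[A] www.example.net from 192.168.1.3
dnsmasq[26607]: 12 192.168.1.3/57918 forwarded www.example.net to 192.168.1.7
dnsmasq[26607]: 12 192.168.1.3/57918 reply www.example.net is 203.0.113.10
"""

# "dnsmasq[pid]: <qid> <client/port> <verb> <name> <rest>" (log-queries=extra)
LOG_RE = re.compile(
    r"^dnsmasq\[\d+\]: (?P<qid>\d+) (?P<client>\S+) "
    r"(?P<verb>query\[\w+\]|forwarded|reply) (?P<name>\S+) (?P<rest>.*)$"
)


def load_cname_patterns(config_text):
    """Return the owner-name patterns from cname=<name>,<target> lines."""
    patterns = []
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("cname="):
            owner = line[len("cname="):].split(",")[0]
            patterns.append(owner.lower().rstrip("."))
    return patterns


def parse_chains(log_text):
    """Group log lines by client/port; a query line starts a new entry and each
    following reply line contributes one owner name, in answer order."""
    chains = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a query/forwarded/reply line
        key = m["client"]
        if m["verb"].startswith("query"):
            chains[key] = {"query": m["name"], "replies": []}
        elif m["verb"] == "reply" and key in chains:
            chains[key]["replies"].append(m["name"])
    return chains


def find_bypassed_filters(log_text, config_text):
    """Report chain members (other than the queried name) that match a cname=
    pattern. dnsmasq applies cname= to the queried name only, so a match here
    is an answer that walked past the filter inside the upstream response."""
    patterns = load_cname_patterns(config_text)
    findings = []
    for client, entry in parse_chains(log_text).items():
        for owner in entry["replies"]:
            if owner == entry["query"]:
                continue  # the queried name itself is what cname= already covers
            for pat in patterns:
                if fnmatchcase(owner.lower().rstrip("."), pat):
                    findings.append({"client": client, "query": entry["query"],
                                     "matched": owner, "pattern": pat})
    return findings


if __name__ == "__main__":
    for f in find_bypassed_filters(SAMPLE_LOG, CNAME_CONFIG):
        print(f"{f['client']}: {f['query']} -> {f['matched']} "
              f"(matches cname={f['pattern']}, not intercepted)")
```

Run against the constructed sample it reports exactly one hit: the chain for the `jwxbwt...` query passes through `dnsdelegation.io`, which matches the exact `cname=dnsdelegation.io` entry but was never intercepted because the client did not query that name. Grouping on `client/port` rather than the leading query id is deliberate: in the `www.bestbuy.com` excerpt above the `query` and `reply` lines carry different ids (8683 vs 8682), while the `client/port` field is the same across all lines of one lookup.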


