[Dnsmasq-discuss] domains/IPs involving PTR records not working with nftset

clayton at igalia.com
Wed Oct 20 19:33:37 UTC 2021


I'm using nftset from dnsmasq master branch to add IPs to an nftables set for a
rule that allows only outbound connections to the IPs in the set, so a sort of
domain/dns whitelist if you will.

There's a problem I'm experiencing where some domains resolve to an IP that in
turn 'resolve' to a PTR(?) to some other IP. The end result is that I see an IP
address that should be in the set that nftables blocks/ignores because it's not,
even though the domain that the IP should be associated with is in the nftset
config for dnsmasq.

For example, I see that dnsmasq resolves gitlab.freedesktop.org to 147.75.198.156:

    Oct 20 15:09:50 gateway dnsmasq[455]: nftset add inet filter allowed_addresses 147.75.198.156 freedesktop.org
    Oct 20 15:09:50 gateway dnsmasq[455]: reply gitlab.freedesktop.org is 147.75.198.156

Despite that message, nftables does *not* have that IP in the set afterwards:

    table inet filter {
        set allowed_addresses {
            type ipv4_addr
            flags interval
            elements = { 1.1.1.1, 8.8.4.4,
                        8.8.8.8, 10.0.2.0/24,
                        10.42.0.0/24, 46.23.90.166,
                        51.75.67.47, 83.149.106.143,
                        94.199.173.123, 108.61.56.35,
                        127.0.0.1, 127.0.0.53,
                        147.75.207.209, 172.16.0.0/12,
                        176.58.120.252, 192.168.1.0/24,
                        192.168.10.0/24, 192.168.11.0/24,
                        193.70.45.111, 217.147.223.78 }
        }
    }

A 'reverse' lookup on the IP shows some PTR record:

    [user at system ~]# dig -x 147.75.198.156 @127.0.0.1 -p 5353
    
    ; <<>> DiG 9.16.21 <<>> -x 147.75.198.156 @127.0.0.1 -p 5353
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40325
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;156.198.75.147.in-addr.arpa.   IN      PTR
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#5353(127.0.0.1)
    ;; WHEN: Wed Oct 20 19:13:11 UTC 2021
    ;; MSG SIZE  rcvd: 56

And looking up the IP for that returns another domain:

    [user at system ~]# dig -x 156.198.75.147 @1.1.1.1
    
    ; <<>> DiG 9.16.21 <<>> -x 156.198.75.147 @1.1.1.1
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27841
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;147.75.198.156.in-addr.arpa.   IN      PTR
    
    ;; ANSWER SECTION:
    147.75.198.156.in-addr.arpa. 86400 IN   PTR     host-156.198.147.75-static.tedata.net.
    
    ;; Query time: 393 msec
    ;; SERVER: 1.1.1.1#53(1.1.1.1)
    ;; WHEN: Wed Oct 20 19:13:19 UTC 2021
    ;; MSG SIZE  rcvd: 107

In this example, both tedata.net and freedesktop.org are in the nftset list for
dnsmasq (list abbreviated, actual list does not include '...'):

    nftset=/.../freedesktop.org/tedata.net/.../inet#filter#allowed_addresses

Generally nftset does work for other domains where a PTR is not involved: the
IPs for domains that are resolved through dnsmasq end up in the nftables set as
expected. I'm hoping someone has some guidance on how to debug this further,
thanks!

-Clayton
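As an added example (not part of the post, and not dnsmasq or nftables code), the Python below does mechanically the comparison the post makes by eye: it pulls every `nftset add <family> <table> <set> <ip> <domain>` line out of a dnsmasq log (the line format shown above, which dnsmasq emits with log-queries enabled), parses the element list from the text that `nft list set inet filter allowed_addresses` prints, and reports addresses dnsmasq claims to have added that the set does not contain. Because the set has `flags interval`, elements can be single addresses, CIDR prefixes or `a-b` ranges, and membership is checked against all three. A small helper also prints the in-addr.arpa owner name a `dig -x` for an address queries, so the question section of a reverse lookup can be checked against the address one meant to look up. The two sample inputs are constructed from the output quoted in the post.

```python
"""Cross-check dnsmasq 'nftset add' log lines against an 'nft list set' dump.

Added example, not from the dnsmasq project or the original post. It assumes the
log-line layout and the set-dump layout quoted in the post; both samples below
are constructed from that output.
"""
import ipaddress
import re

# Constructed sample: two dnsmasq log lines as quoted in the post.
DNSMASQ_LOG = """\
Oct 20 15:09:50 gateway dnsmasq[455]: nftset add inet filter allowed_addresses 147.75.198.156 freedesktop.org
Oct 20 15:09:50 gateway dnsmasq[455]: reply gitlab.freedesktop.org is 147.75.198.156
"""

# Constructed sample: the set dump from the post (147.75.198.156 is absent).
NFT_SET_DUMP = """\
table inet filter {
    set allowed_addresses {
        type ipv4_addr
        flags interval
        elements = { 1.1.1.1, 8.8.4.4,
                    8.8.8.8, 10.0.2.0/24,
                    10.42.0.0/24, 46.23.90.166,
                    51.75.67.47, 83.149.106.143,
                    94.199.173.123, 108.61.56.35,
                    127.0.0.1, 127.0.0.53,
                    147.75.207.209, 172.16.0.0/12,
                    176.58.120.252, 192.168.1.0/24,
                    192.168.10.0/24, 192.168.11.0/24,
                    193.70.45.111, 217.147.223.78 }
    }
}
"""

# Matches the tail of a dnsmasq 'nftset add' line: family table set ip matched-domain.
NFTSET_ADD_RE = re.compile(
    r"nftset add (?P<family>\S+) (?P<table>\S+) (?P<set>\S+) (?P<ip>\S+) (?P<domain>\S+)\s*$"
)


def parse_nftset_adds(log):
    """Return (family, table, set, ip, domain) for every 'nftset add' line in the log."""
    adds = []
    for line in log.splitlines():
        m = NFTSET_ADD_RE.search(line)
        if m:
            adds.append((m["family"], m["table"], m["set"], m["ip"], m["domain"]))
    return adds


def _element_range(item):
    """Turn one set element (address, CIDR prefix or 'a-b' range) into an inclusive int pair."""
    if "-" in item:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
        return int(lo), int(hi)
    net = ipaddress.ip_network(item, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def parse_set_elements(dump, set_name):
    """Extract the named set's elements from 'nft list ...' text as (low, high) int pairs."""
    block = re.search(r"set\s+" + re.escape(set_name) + r"\s*\{(.*?)\n\s*\}", dump, re.S)
    if not block:
        raise ValueError(f"set {set_name!r} not found in dump")
    elems = re.search(r"elements\s*=\s*\{(.*?)\}", block.group(1), re.S)
    if not elems:
        return []  # the set exists but currently holds no elements
    return [_element_range(x.strip()) for x in elems.group(1).split(",") if x.strip()]


def in_set(ip, elements):
    """True if ip lies inside any element (single address, prefix or range) of the set."""
    a = int(ipaddress.ip_address(ip))
    return any(lo <= a <= hi for lo, hi in elements)


def missing_from_set(log, dump):
    """Addresses dnsmasq logged as added that the dumped set does not actually contain."""
    missing = []
    for _family, _table, set_name, ip, domain in parse_nftset_adds(log):
        if not in_set(ip, parse_set_elements(dump, set_name)):
            missing.append((ip, domain, set_name))
    return missing


def reverse_name(ip):
    """Owner name a PTR query for ip asks about: octets reversed under in-addr.arpa
    (nibbles reversed under ip6.arpa for IPv6), i.e. what 'dig -x ip' puts in QUESTION."""
    return ipaddress.ip_address(ip).reverse_pointer


if __name__ == "__main__":
    for ip, domain, set_name in missing_from_set(DNSMASQ_LOG, NFT_SET_DUMP):
        print(f"{ip} (matched {domain}) logged as added but absent from set {set_name}")
    print("PTR owner name for 147.75.198.156:", reverse_name("147.75.198.156"))
```

On a live gateway the same functions can be fed `journalctl -u dnsmasq` output and the text of `nft list set inet filter allowed_addresses`; anything `missing_from_set` reports is an address dnsmasq believed it inserted but which the kernel set does not hold, which narrows the problem to the insertion step rather than to name resolution.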