[Dnsmasq-discuss] Filtering non-latin1 or non-ASCIII dns requests?
burton at burtonstrauss.us
Thu May 11 17:18:36 UTC 2023
The use case I'm defending against has been recent reports of standard-looking domains with Greek or Cyrillic characters that appear very similar to their Western-alphabet counterparts: CitiBank.com vs. CitiB(Greek alpha)nk.com, (I don’t think this comes through the mailing list) CitiBank.com vs. CitiBαnk.com.
I click on the link and maybe behind the page, the browser translates it to something else, but all I see is what looks like my Bank’s URL until it’s too late.
https://www.whois.com/whois/citibank.com
https://www.whois.com/whois/citib%CE%B1nk.com
BTW, that last domain is available!
If once a year that means I can’t download the driver for my LILYGO T-SIM7000G without special effort… s’be’it. That would be a purposeful, measured action. I know it’s narrow-minded and everything, but for my personal/household daily surfing, I’m just not interested in IDN (https://newgtlds.icann.org/en/about/idns).
Given that the risks are real, I’m back in the white-bread ‘murica only Internet where a URI/URL was
“A URI is composed from a limited set of characters consisting of
digits, letters, and a few graphic symbols. A reserved subset of
those characters may be used to delimit syntax components within a
URI while the remaining characters, including both the unreserved set
and those reserved characters not acting as delimiters, define each
component's identifying data.” (RFC3986, RFC3305 or even earlier)
Specific answers to your ?s: “Burton, the feature you are asking for would be blocking IDNA domains?” YES
As for your scale question, my firewall is a disgustingly beefy 65W i5-8400 (Coffee Lake) with 6 cores and 24Gb of RAM. Load average is 0.00. Free memory is 22.9GiB. I upgraded packages this morning and dnsmasq has used 7 seconds of CPU in 5 hours.
(What can I say? It was the cheap box that week at MicroCenter when I went shopping – in my hands NOW instead of waiting two weeks for box half as capable to save $100??) (Could I run it as a VM on my ESXi box? Sure – I used to do that before I decided to use a real NIC for the firewall instead of a USB “gigabit” ethernet adapter) (But where is the fun in THAT?)
-----Burton
-----Original Message-----
From: Dominik Derigs <dl6er at dl6er.de>
Sent: Thursday, May 11, 2023 11:40 AM
To: Petr Menšík <pemensik at redhat.com>; dnsmasq-discuss at lists.thekelleys.org.uk; B at us <burton at burtonstrauss.us>
Subject: Re: [Dnsmasq-discuss] Filtering non-latin1 or non-ASCIII dns requests?
Hey Burton and Petr,
On Wed, 2023-05-10 at 21:12 -0500, B at us wrote:
> domains that don’t match \.[A-Za-z0-9]\.
You'd probably want to allow for - and _ too, but Petr has the better idea of how to achieve this:
On Thu, 2023-05-11 at 17:56 +0200, Petr Menšík wrote:
> reject all IDN names, which start with xn-- prefix
Even when truly non-ASCII domains would be possible (dig äöü), none of the larger registrars allow registering such domains directly and will always Punycode-translate the Unicode representation of the language-specific alphabet.
Burton, the feature you are asking for would be blocking IDNA domains?
Petr, I concur that this should be handled at a larger scale; however, I also think it'd be okay to have such a feature when the administrator of a local dnsmasq says that international domains aren't something that will happen at their place and wants some extra protection against such letter-confusion "attacks".
Best
Dominik
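The two rules compared in the thread, Burton's ASCII-only label check (with Dominik's `-` and `_` amendment) and Petr's reject-any-`xn--`-label rule, run over constructed dnsmasq-style query log lines. This is an added example, not dnsmasq code and not from any of the posters: the log format only approximates dnsmasq's `query[A] name from client` lines, every name and address is invented, and the A-label is produced by Python's idna codec rather than typed in. It also shows why the ASCII regex alone does not suffice: a Punycode A-label is pure ASCII and passes it, while the `xn--` rule catches it.

```python
import re

ACE_PREFIX = "xn--"  # IDNA ACE prefix; Petr's rule rejects any label that carries it
# Burton's rule with Dominik's amendment: letters, digits, hyphen and underscore only.
LDH_LABEL = re.compile(r"^[A-Za-z0-9_-]+$")
# Approximation of a dnsmasq query log line; the sample lines below are constructed.
QUERY_LINE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")

def to_alabel(name: str) -> str:
    """Unicode name -> ASCII A-label form via Python's idna codec ('citibαnk.com' -> 'xn--...com')."""
    return name.encode("idna").decode("ascii")

def to_ulabel(name: str) -> str:
    """A-label name -> Unicode for alert text; falls back to the raw name if it is not valid IDNA."""
    try:
        return name.lower().encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return name

def has_ace_label(name: str) -> bool:
    return any(lbl.lower().startswith(ACE_PREFIX) for lbl in name.rstrip(".").split("."))

def all_ldh(name: str) -> bool:
    return all(LDH_LABEL.match(lbl) for lbl in name.rstrip(".").split("."))

def classify(name: str) -> dict:
    """Verdict of each rule for one query name, plus a readable form for the log/alert."""
    ace = has_ace_label(name)
    return {"name": name, "blocked_by_ace_rule": ace, "blocked_by_ascii_rule": not all_ldh(name),
            "display": to_ulabel(name) if ace else name}

def scan_log(lines):
    """Yield one classification per query line; other dnsmasq log lines are skipped."""
    for line in lines:
        if m := QUERY_LINE.search(line):
            yield dict(classify(m.group("name")), client=m.group("client"), qtype=m.group("qtype"))

# Constructed sample log: invented names, clients and timestamps.
SAMPLE_LOG = [
    "May 11 17:18:36 dnsmasq[1234]: query[A] citibank.com from 192.168.1.20",
    f"May 11 17:18:37 dnsmasq[1234]: query[A] {to_alabel('citibαnk.com')} from 192.168.1.20",
    "May 11 17:18:38 dnsmasq[1234]: query[TXT] _dmarc.example.org from 192.168.1.21",
    "May 11 17:18:39 dnsmasq[1234]: query[A] äöü.example from 192.168.1.22",
    "May 11 17:18:40 dnsmasq[1234]: reply citibank.com is 192.0.2.1",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        if hit["blocked_by_ace_rule"] or hit["blocked_by_ascii_rule"]:
            print(f"{hit['client']} asked for {hit['name']} ({hit['display']}): would be blocked")
```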