[Dnsmasq-discuss] Filtering non-latin1 or non-ASCIII dns requests?
Petr Menšík
pemensik at redhat.com
Thu May 11 18:54:04 UTC 2023
Okay, I understand. I think one possible defense would be enabling
DNSSEC validation. I doubt CitiBαnk.com. can be registered at any
serious domain. I am quite sure the .com domain has rules to disallow
registering that. The reason is obvious and you are not the only one
thinking about that. There are even more similar letters in other
alphabets. I still think the proper place for defenses is at domain
registrars. I doubt that name is possible to register in any common TLD;
there would be a lot of people registering it already, just to misuse
it. So basic protection against that is already in place. Can you name
any real registered domain which impersonates a similar domain this way?
It seems to me more proper protection would be using some recursive
server applying additional block lists, which would block problematic
domains. Creating and maintaining such a list is more difficult than
rejecting all IDN domains, but should provide significantly more
security. Sadly, that is nothing we can implement in a simple cache such as dnsmasq.
I understand US citizens do not consider non-ASCII names important or
even suspicious, but I doubt very much they pose significant danger to
any of your network users. I am quite sure common TLDs do not allow names
differing in just a few letters; others would be suspicious right away
even to your children.
Seriously, if you want better protection, use a real kind of protection
instead. Something like the servers 1.1.1.2 or 1.0.0.2 offering serious
protection. Visit [1]; other providers often have similar alternatives.
I think hacks like you are proposing will offer just a false sense of
a "more secure" network. Attackers often upload malicious code to genuine
domains because of unfixed security issues. Bots are searching for such
holes all over the internet. The expectation that such attacks will come
only from strange-looking domains is very naive.
But if you would insist, I am thinking whether some scriptable rules
written for example in Lua could be supported in dnsmasq. Something
which could test the queried name dynamically, without listing all IDN
domains as blocked explicitly. I am not sure whether a regular expression
filter would be enough. Rejecting any name matching "\.xn--.*" or
"xn--.*" might be able to reject a name containing IDN anywhere in the
name. I think there are more important features missing.
Just my 2 cents,
Petr
[1] https://developers.cloudflare.com/1.1.1.1/setup/
On 5/11/23 19:18, burton at burtonstrauss.us wrote:
>
> The use case I'm defending against has been recent reports of
> standard *looking* domains with Greek or Cyrillic characters that
> appear very similar to their Western alphabet counterparts:
> CitiBank.com vs. CitiB(Greek alpha)nk.com, (I don’t think this comes
> through the mailing list) CitiBank.com vs. CitiBαnk.com.
>
> I click on the link and maybe behind the page, the browser translates
> it to something else, but all I see is what looks like my Bank’s URL
> until it’s too late.
>
> https://www.whois.com/whois/citibank.com
>
> https://www.whois.com/whois/citib%CE%B1nk.com
>
> BTW, that last domain is available!
>
> If once a year that means I can’t download the driver for my LILYGO
> T-SIM7000G without special effort… s’be’it. That would be a purposeful
> measured action. I know it’s narrow minded and everything, for my
> personal/household daily surfing, I’m just not interested in IDN
> (https://newgtlds.icann.org/en/about/idns).
>
> Given that the risks are real, I’m back in the white-bread ‘murica
> only Internet where a URI/URL was
>
> “A URI is composed from a limited set of characters consisting of
> digits, letters, and a few graphic symbols. A reserved subset of
> those characters may be used to delimit syntax components within a
> URI while the remaining characters, including both the unreserved set
> and those reserved characters not acting as delimiters, define each
> component's identifying data.” (RFC3986, RFC3305 or even earlier)
>
> Specific answers to your ?s: “Burton, the feature you are asking for
> would be blocking IDNA domains?” YES
>
> As for your scale question, my firewall is a disgustingly beefy 65W
> i5-8400 (Coffee Lake) with 6 cores and 24Gb of RAM. Load average is
> 0.00. Free memory is 22.9GiB. I upgraded packages this morning and
> dnsmasq has used 7 seconds of CPU in 5 hours.
>
> (What can I say? It was the cheap box that week at MicroCenter when I
> went shopping – in my hands NOW instead of waiting two weeks for box
> half as capable to save $100??) (Could I run it as a VM on my ESXi
> box? Sure – I used to do that before I decided to use a real NIC for
> the firewall instead of a USB “gigabit” ethernet adapter) (But where
> is the fun in THAT?)
>
> -----Burton
>
> -----Original Message-----
> From: Dominik Derigs <dl6er at dl6er.de>
> Sent: Thursday, May 11, 2023 11:40 AM
> To: Petr Menšík <pemensik at redhat.com>;
> dnsmasq-discuss at lists.thekelleys.org.uk; B at us <burton at burtonstrauss.us>
> Subject: Re: [Dnsmasq-discuss] Filtering non-latin1 or non-ASCIII dns
> requests?
>
> Hey Burton and Petr,
>
> On Wed, 2023-05-10 at 21:12 -0500, B at us wrote:
>
> > domains that don’t match \.[A-Za-z0-9]\.
>
> You'd probably want to allow for - and _ too but Petr has the better
> idea how to achieve this:
>
> On Thu, 2023-05-11 at 17:56 +0200, Petr Menšík wrote:
>
> > reject all IDN names, which start with xn-- prefix
>
> Even when truly non-ASCII domains would be possible (dig äöü), none of
> the larger registrars allow registering such domains directly and will
> always use the Punycode translation of the Unicode representation of the
> language-specific alphabet.
>
> Burton, the feature you are asking for would be blocking IDNA domains?
>
> Petr, I concur that this should be handled at a larger scale, however,
> I do also think it'd be okay to have such a feature when the
> administrator of a local dnsmasq says that international domains
> aren't something that will happen at their place and wants some extra
> protection against such letter confusion "attacks".
>
> Best
>
> Dominik
>
>
--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
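
The xn-- check Petr sketches above, written out as an added example that is not from this thread or from dnsmasq itself: it applies the test per label (so an unanchored "xn--.*" pattern does not fire on a label such as "foxn--bar"), decodes the A-label to show what the user would actually see, and flags labels that mix scripts, which is the confusable case Burton describes. The sample queries are constructed; the Punycode name is produced by encoding the Unicode form rather than typed by hand.

```python
import re
import unicodedata

# Constructed sample queries (not from the thread). The IDN one is built by
# IDNA-encoding the confusable Unicode name, so no A-label is hand-typed.
SAMPLE_QUERIES = [
    "citibank.com.",
    "citibαnk.com".encode("idna").decode("ascii") + ".",   # xn--... form
    "my_host-1.example.net.",
]

# An IDNA A-label is a label that begins with the ACE prefix "xn--".
# Anchoring at the start of each label is what makes the check precise.
A_LABEL = re.compile(r"^xn--", re.IGNORECASE)


def labels(qname):
    """Split a (possibly fully qualified) query name into its labels."""
    return qname.rstrip(".").split(".")


def a_labels(qname):
    """Return the labels of a query name that are Punycode A-labels."""
    return [lab for lab in labels(qname) if A_LABEL.match(lab)]


def reject_idn(qname):
    """The policy discussed in the thread: refuse any name with an IDN label."""
    return bool(a_labels(qname))


def to_unicode(qname):
    """Decode A-labels into the U-label form a browser would display."""
    return qname.rstrip(".").encode("ascii").decode("idna")


def scripts(label):
    """Scripts used by the letters of a label (heuristic: first word of
    the Unicode character name, e.g. LATIN, GREEK, CYRILLIC)."""
    return sorted({unicodedata.name(c).split()[0] for c in label if c.isalpha()})


def describe(qname):
    """Log-style summary a resolver operator could emit for a query:
    the wire name, its displayed form, the verdict, and mixed-script labels."""
    uname = to_unicode(qname)
    mixed = [lab for lab in labels(uname) if len(scripts(lab)) > 1]
    return {"query": qname, "unicode": uname,
            "reject": reject_idn(qname), "mixed_script_labels": mixed}


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(describe(q))
```

Note that the per-label test still rejects every IDN name, legitimate ones included, which is exactly the trade-off Petr and Dominik describe; the mixed-script field is the narrower signal a block list or logging rule could use instead.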