[Dnsmasq-discuss] Restrict DNS reply to specific clients

Discussion:

Guy Wijnants

2016-02-03 09:30:02 UTC

Hi all,

I have a DNS server that is master for some public domains. We also have
clients that use the DNS server as their lookup server.
For security issues we use dnsmasq to redirect some sites to a webpage
that indicates that the site is not accepted.
I have setted the dnsmasq before the named service. But this means that
all internet clients can use our DNS server to query requests which is
not good. I want to restrict the possible query requests to only our
client networks.
I had a filter setted up under the named service:
allow-recursion { localhost; x.x.x.x/24; y.y.y.y/24; };
Dnsmasq uses the port 53 and if no match is made on the blocked list he
forwards it to himself on port 5353 where the named.service runs. The
named service sees the request as coming from localhost and does the
recursion.
I am sorry if this is unclear, I am not so familiar with dns or dnsmasq.
If its not clear please says so and I will try to be more detailed.
Version of dnsmasq: dnsmasq-2.65-6.fc17.x86_64
Thanks all in advance

Best Regards,

Guy Wijnants

Albert ARIBAUD

2016-02-03 10:51:52 UTC

Permalink

Hi Guy,

Le Wed, 3 Feb 2016 10:30:02 +0100

Post by Guy Wijnants
Hi all,
I have a DNS server that is master for some public domains. We also
have clients that use the DNS server as their lookup server.
For security issues we use dnsmasq to redirect some sites to a webpage
that indicates that the site is not accepted.
I have setted the dnsmasq before the named service. But this means
that all internet clients can use our DNS server to query requests
which is not good. I want to restrict the possible query requests to
only our client networks.
allow-recursion { localhost; x.x.x.x/24; y.y.y.y/24; };
Dnsmasq uses the port 53 and if no match is made on the blocked list
he forwards it to himself on port 5353 where the named.service runs.
The named service sees the request as coming from localhost and does
the recursion.
I am sorry if this is unclear, I am not so familiar with dns or
dnsmasq. If its not clear please says so and I will try to be more
detailed. Version of dnsmasq: dnsmasq-2.65-6.fc17.x86_64
Thanks all in advance

I am not sure I understand either your need or the actual situation,
but I gather the issue is "some requests are servers which should not
have".

Can you provide detailed scenarios, both for use case which work as you
intend and for use cases which do not work as you intend? For each
scenario, please describe where the request originates, which server it
passes through, and (for failure scenarios) whether it should not have.

Post by Guy Wijnants
Best Regards,
Guy Wijnants

Amicalement,

--
Albert.

Guy Wijnants

2016-02-03 11:24:26 UTC

Permalink

Hi Albert,

Thank you for the quick response.
You can compare our DNS server as kind of an ISP DNS server in the way that it hosts public domains and acts as DNS resolver for our clients.
If I enable dnsmasq all queries are passed to dnsmasq to check whether the domain needs to be blocked, if it does not need to be blocked dnsmasq will pass the query through to the named service which further handles the query.
But dnsmasq does not have something like the allow option to limit the hosts that can query the server.

Situation now:
Everyone can set our DNS server as their primary DNS server as dnsmasq does not filter to who can query the DNS server. In the named service you have the option to filter who can query the DNS server (allow-recursion function).
But because our dnsmasq speaks to the named service using its own ip, the named service always allow the query and no filtering is done whatsoever.
Example:
Our server is master of the public domain www.iammaster.com
You at home set our DNS (we give it ip 193.0.0.1) server as its primary DNS server. You query www.google.com and our server WILL respond with the corresponding IP. You query www.iammaster.com and our server WILL respond with the corresponding IP.
Our clients (in network 192.168.0.0/24) sets our server as its primary DNS server and query www.google.com and our server WILL respond with the corresponding IP.

Situation I need:
People from the internet cannot set our DNS server as their primary DNS, our clients with network for example 192.168.0.0/24 can query our DNS server.
Our DNS server ofcourse still responds to the query for public domains where it is master from.
Example
You at home set our DNS (we give it ip 193.0.0.1) server as its primary DNS server. You query www.google.com and our server WILL NOT respond as you are not allowed to query our server.
You set a different DNS server as your primary DNS (8.8.8.8 for example) and you query www.iammaster.com and our server WILL respond with the corresponding IP for this domain.
Our clients (in network 192.168.0.0/24) sets our server as its primary DNS server and query www.google.com and our server WILL respond with the corresponding IP. Our clients query www.iammaster.com and our server WILL respond with the corresponding IP for this domain.

Configuration now:
Dnsmasq listen on ip 193.0.0.1 port 53 when the site is allowed to be resolved dnsmasq passes the request to 193.0.0.1:5353 (where our named service listens on).
The 'allow-recursion { localhost; x.x.x.x/24; y.y.y.y/24; };' is bypassed as dnsmasq use 193.0.0.1 (or localhost) as source address (and not the originating source ip of the requestor) for the query.

Thanks in advance for your support!

Best regards,

Guy

-----Original Message-----
From: Albert ARIBAUD [mailto:***@free.fr]
Sent: woensdag 3 februari 2016 11:52
To: Guy Wijnants
Cc: dnsmasq-***@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Restrict DNS reply to specific clients

Hi Guy,

Le Wed, 3 Feb 2016 10:30:02 +0100

Post by Guy Wijnants
Hi all,
I have a DNS server that is master for some public domains. We also
have clients that use the DNS server as their lookup server.
For security issues we use dnsmasq to redirect some sites to a webpage
that indicates that the site is not accepted.
I have setted the dnsmasq before the named service. But this means
that all internet clients can use our DNS server to query requests
which is not good. I want to restrict the possible query requests to
only our client networks.
allow-recursion { localhost; x.x.x.x/24; y.y.y.y/24; }; Dnsmasq uses
the port 53 and if no match is made on the blocked list he forwards it
to himself on port 5353 where the named.service runs.
The named service sees the request as coming from localhost and does
the recursion.
I am sorry if this is unclear, I am not so familiar with dns or
dnsmasq. If its not clear please says so and I will try to be more
detailed. Version of dnsmasq: dnsmasq-2.65-6.fc17.x86_64 Thanks all in
advance

I am not sure I understand either your need or the actual situation, but I gather the issue is "some requests are servers which should not have".

Can you provide detailed scenarios, both for use case which work as you intend and for use cases which do not work as you intend? For each scenario, please describe where the request originates, which server it passes through, and (for failure scenarios) whether it should not have.

Post by Guy Wijnants
Best Regards,
Guy Wijnants

Amicalement,

--
Albert.

Albert ARIBAUD

2016-02-03 11:50:47 UTC

Permalink

Hi again Guy,

Le Wed, 3 Feb 2016 12:24:26 +0100

Post by Guy Wijnants
Hi Albert,
Thank you for the quick response.
You can compare our DNS server as kind of an ISP DNS server in the
way that it hosts public domains and acts as DNS resolver for our
clients. If I enable dnsmasq all queries are passed to dnsmasq to
check whether the domain needs to be blocked, if it does not need to
be blocked dnsmasq will pass the query through to the named service
which further handles the query. But dnsmasq does not have something
like the allow option to limit the hosts that can query the server.
Everyone can set our DNS server as their primary DNS server as
dnsmasq does not filter to who can query the DNS server. In the named
service you have the option to filter who can query the DNS server
(allow-recursion function). But because our dnsmasq speaks to the
named service using its own ip, the named service always allow the
query and no filtering is done whatsoever. Example: Our server is
master of the public domain www.iammaster.com You at home set our DNS
(we give it ip 193.0.0.1) server as its primary DNS server. You query
www.google.com and our server WILL respond with the corresponding IP.
You query www.iammaster.com and our server WILL respond with the
corresponding IP. Our clients (in network 192.168.0.0/24) sets our
server as its primary DNS server and query www.google.com and our
server WILL respond with the corresponding IP.
People from the internet cannot set our DNS server as their primary
DNS, our clients with network for example 192.168.0.0/24 can query
our DNS server. Our DNS server ofcourse still responds to the query
for public domains where it is master from. Example You at home set
our DNS (we give it ip 193.0.0.1) server as its primary DNS server.
You query www.google.com and our server WILL NOT respond as you are
not allowed to query our server. You set a different DNS server as
your primary DNS (8.8.8.8 for example) and you query
www.iammaster.com and our server WILL respond with the corresponding
IP for this domain. Our clients (in network 192.168.0.0/24) sets our
server as its primary DNS server and query www.google.com and our
server WILL respond with the corresponding IP. Our clients query
www.iammaster.com and our server WILL respond with the corresponding
IP for this domain.
Dnsmasq listen on ip 193.0.0.1 port 53 when the site is allowed to be
resolved dnsmasq passes the request to 193.0.0.1:5353 (where our
named service listens on). The 'allow-recursion { localhost;
x.x.x.x/24; y.y.y.y/24; };' is bypassed as dnsmasq use 193.0.0.1 (or
localhost) as source address (and not the originating source ip of
the requestor) for the query.
Thanks in advance for your support!

IIUC, what you want is two different things:

- a general name server for your internal network users to use, either
by hard-coding it in their /etc/resolv.conf or through a DHCP option.
This server needs at least one recursive-able server as its upstream,
and only needs to be accessed from inside your network;

- an authoritative name server for some domains, for external use
through the NS entry in these domains' zone files. That server does
not need any upstream, and only needs to be accessed from outside
your network.

Ideally these two services should be run by two different dnsmasq
instances, the general one inside your LAN and the authoritative one
facing outside; this would ensure the authoritative instance could not
act as an open DNS and possibly as a participant in a DNS amplification
attack.

I you really need a single instance, then I suspect you run it on a
machine which has two interfaces, one with a LAN IP, one with the
public IP corresponding to the NS entries in the zone files of your
domains. In that case, --auth-server may be the option you need.

That way, outside users would be unable to reach the server through
the 'LAN' interface, and would therefore only be able to access the
authoritative [part of the] server, which would not answer to queries
other that for the domains you have set i up with.

Post by Guy Wijnants
Best regards,
Guy

Amicalement,

--
Albert.

Guy Wijnants

2016-02-03 14:00:01 UTC

Permalink

Hi Albert,

While reading your response I came to the conclusion that I forgot to mention 1 huge thing:

Using ip's from my previous examples
The DNS server is connected to a Firewall. The Firewall has the public IP (193.0.0.1) on it and NAT's DNS requests to the private ip address of the DNS server (example 10.1.1.1).
Some of our clients are behind a public IP range (as example 200.1.1.0 /24) and have the DNS servers public ip (193.0.0.1) as their primary DNS server.

This means although they are very good solution, they will not work for my setup.

Thank you for the assistance

Kind regards,

Guy

-----Original Message-----
From: Albert ARIBAUD [mailto:***@free.fr]
Sent: woensdag 3 februari 2016 12:51
To: Guy Wijnants
Cc: dnsmasq-***@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Restrict DNS reply to specific clients

Hi again Guy,

Le Wed, 3 Feb 2016 12:24:26 +0100

Post by Guy Wijnants
Hi Albert,
Thank you for the quick response.
You can compare our DNS server as kind of an ISP DNS server in the way
that it hosts public domains and acts as DNS resolver for our clients.
If I enable dnsmasq all queries are passed to dnsmasq to check whether
the domain needs to be blocked, if it does not need to be blocked
dnsmasq will pass the query through to the named service which further
handles the query. But dnsmasq does not have something like the allow
option to limit the hosts that can query the server.
Everyone can set our DNS server as their primary DNS server as dnsmasq
does not filter to who can query the DNS server. In the named service
you have the option to filter who can query the DNS server
(allow-recursion function). But because our dnsmasq speaks to the
named service using its own ip, the named service always allow the
query and no filtering is done whatsoever. Example: Our server is
master of the public domain www.iammaster.com You at home set our DNS
(we give it ip 193.0.0.1) server as its primary DNS server. You query
www.google.com and our server WILL respond with the corresponding IP.
You query www.iammaster.com and our server WILL respond with the
corresponding IP. Our clients (in network 192.168.0.0/24) sets our
server as its primary DNS server and query www.google.com and our
server WILL respond with the corresponding IP.
People from the internet cannot set our DNS server as their primary
DNS, our clients with network for example 192.168.0.0/24 can query our
DNS server. Our DNS server ofcourse still responds to the query for
public domains where it is master from. Example You at home set our
DNS (we give it ip 193.0.0.1) server as its primary DNS server.
You query www.google.com and our server WILL NOT respond as you are
not allowed to query our server. You set a different DNS server as
your primary DNS (8.8.8.8 for example) and you query www.iammaster.com
and our server WILL respond with the corresponding IP for this domain.
Our clients (in network 192.168.0.0/24) sets our server as its primary
DNS server and query www.google.com and our server WILL respond with
the corresponding IP. Our clients query www.iammaster.com and our
server WILL respond with the corresponding IP for this domain.
Dnsmasq listen on ip 193.0.0.1 port 53 when the site is allowed to be
resolved dnsmasq passes the request to 193.0.0.1:5353 (where our named
service listens on). The 'allow-recursion { localhost; x.x.x.x/24;
y.y.y.y/24; };' is bypassed as dnsmasq use 193.0.0.1 (or
localhost) as source address (and not the originating source ip of the
requestor) for the query.
Thanks in advance for your support!

IIUC, what you want is two different things:

- a general name server for your internal network users to use, either
by hard-coding it in their /etc/resolv.conf or through a DHCP option.
This server needs at least one recursive-able server as its upstream,
and only needs to be accessed from inside your network;

- an authoritative name server for some domains, for external use
through the NS entry in these domains' zone files. That server does
not need any upstream, and only needs to be accessed from outside
your network.

Ideally these two services should be run by two different dnsmasq instances, the general one inside your LAN and the authoritative one facing outside; this would ensure the authoritative instance could not act as an open DNS and possibly as a participant in a DNS amplification attack.

I you really need a single instance, then I suspect you run it on a machine which has two interfaces, one with a LAN IP, one with the public IP corresponding to the NS entries in the zone files of your domains. In that case, --auth-server may be the option you need.

That way, outside users would be unable to reach the server through the 'LAN' interface, and would therefore only be able to access the authoritative [part of the] server, which would not answer to queries other that for the domains you have set i up with.

Post by Guy Wijnants
Best regards,
Guy

Amicalement,

--
Albert.

Continue reading on narkive:

Search results for '[Dnsmasq-discuss] Restrict DNS reply to specific clients' (Questions and Answers)

replies

when was the first email sent?

started 2006-07-26 04:50:59 UTC

consumer electronics

replies

can i get question answer of asp.net ?

started 2006-10-11 00:02:47 UTC