| Message ID | 6972e22e-fb8f-772d-42f0-a7fb0e5cbe3f@ipfire.org |
|---|---|
| State | Dropped |
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 46jNLc3Cnzz3yqH for <patchwork@web04.haj.ipfire.org>; Tue, 1 Oct 2019 15:22:48 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 46jNLZ3pvVz1jb; Tue, 1 Oct 2019 15:22:46 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 46jNLZ2DCvz2ydP; Tue, 1 Oct 2019 15:22:46 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 46jNLY2kZlz2yPM for <development@lists.ipfire.org>; Tue, 1 Oct 2019 15:22:45 +0000 (UTC) Received: from [127.0.0.1] (fight-for-privacy.fsociety.ltd [51.15.1.221]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 46jNLX2Vpqz1jb for <development@lists.ipfire.org>; Tue, 1 Oct 2019 15:22:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909rsa; t=1569943364; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=1qPtP9ki09nudoeiFtCviJQNDlTFvN66+pFjgQK+8yE=; b=IEkFkLRfwoNz6rfcPNiG6eWTTMBnd6uz3sfDGe9bU8MIHVqCpJi0OIwgJz+6gkKKGD+F0O ZhyO/rT+ANGJtuBUZR/S0ZA1bDCiSpGaSn2rAQ53uBDtXNjL7SSrvQYdC2JjNNiGcgO1G1 KgtIA7a5mvcD92uIHr3wQsbDCSWayRYUZBoG5Xeb4e8XmAUPiELL/JIj8nQkMLc0c8Z0AC eE3lxhP+tljnH6QExmiSWRXY8PIy2E6TxPH1al+UgBL2/kbQ5uMo7xxvTzco8yghd+eDIK KicQQhDPIi4tUHACOaMTEVD0k1UsVIIqycXCRgRTU6OAa/aV9sUznCL+kCoGvQ== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909ed25519; t=1569943364; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=1qPtP9ki09nudoeiFtCviJQNDlTFvN66+pFjgQK+8yE=; b=oapwlP4+OOfcbSTWY7DjHZLEbbrh2qTpgmEkWzcOeRgDqyHJHRT4P7L/JcG4iHdLx3tl08 XAXMFRqIe+rY1RBQ== Subject: [PATCH v2] firewall: always allow outgoing DNS traffic to root servers To: "IPFire: Development-List" <development@lists.ipfire.org> References: <a7933368-6423-d028-baeb-d34c53119d5d@ipfire.org> <F5F3F7B9-DD73-4EDF-8DB7-6E23E5CDBE0B@ipfire.org> <2d3b09958a8dfd23b0f0e3c627cad2c9d77b399c.camel@ipfire.org> <0E5C64A5-D1E7-4FC3-9689-D4A09FF2EB98@ipfire.org> <0975f95c-0d5b-74ea-f3a8-0741340bb375@ipfire.org> <d50c3626b3d4cc1552807e963d2acc168a37b2db.camel@ipfire.org> From: peter.mueller@ipfire.org Message-ID: <6972e22e-fb8f-772d-42f0-a7fb0e5cbe3f@ipfire.org> Date: Tue, 01 Oct 2019 15:22:00 +0000 MIME-Version: 1.0 In-Reply-To: <d50c3626b3d4cc1552807e963d2acc168a37b2db.camel@ipfire.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=pmueller smtp.mailfrom=peter.mueller@ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
| Series |
[v2] firewall: always allow outgoing DNS traffic to root servers
|
|
Commit Message
Peter Müller
Oct. 1, 2019, 3:22 p.m. UTC
Allowing outgoing DNS traffic (destination port 53, both TCP
and UDP) to the root servers is BCP for some reasons. First,
RFC 5011 assumes resolvers are able to fetch new trust ancors
from the root servers for a certain time period in order to
do key rollovers.
Second, Unbound shows some side effects if it cannot do trust
anchor signaling (see RFC 8145) or fetch the current trust anchor,
resulting in SERVFAILs for arbitrary requests a few minutes.
There is little security implication of allowing DNS traffic
to the root servers: An attacker might abuse this for exfiltrating
data via DNS queries, but is unable to infiltrate data unless
he gains control over at least one root server instance. If
there is no firewall ruleset in place which prohibits any other
DNS traffic than to chosen DNS servers, this patch will not
have security implications at all.
The second version of this patch does not use unnecessary xargs-
call nor changes anything else not related to this issue.
Fixes #12183
Cc: Michael Tremer <michael.tremer@ipfire.org>
Suggested-by: Horace Michael <horace.michael@gmx.com>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/rootfiles/core/137/filelists/files | 1 +
src/initscripts/system/firewall | 12 ++++++++++++
2 files changed, 13 insertions(+)
Comments
Acked-by: Michael Tremer <michael.tremer@ipfire.org> > On 1 Oct 2019, at 16:22, peter.mueller@ipfire.org wrote: > > Allowing outgoing DNS traffic (destination port 53, both TCP > and UDP) to the root servers is BCP for some reasons. First, > RFC 5011 assumes resolvers are able to fetch new trust ancors > from the root servers for a certain time period in order to > do key rollovers. > > Second, Unbound shows some side effects if it cannot do trust > anchor signaling (see RFC 8145) or fetch the current trust anchor, > resulting in SERVFAILs for arbitrary requests a few minutes. > > There is little security implication of allowing DNS traffic > to the root servers: An attacker might abuse this for exfiltrating > data via DNS queries, but is unable to infiltrate data unless > he gains control over at least one root server instance. If > there is no firewall ruleset in place which prohibits any other > DNS traffic than to chosen DNS servers, this patch will not > have security implications at all. > > The second version of this patch does not use unnecessary xargs- > call nor changes anything else not related to this issue. > > Fixes #12183 > > Cc: Michael Tremer <michael.tremer@ipfire.org> > Suggested-by: Horace Michael <horace.michael@gmx.com> > Signed-off-by: Peter Müller <peter.mueller@ipfire.org> > --- > config/rootfiles/core/137/filelists/files | 1 + > src/initscripts/system/firewall | 12 ++++++++++++ > 2 files changed, 13 insertions(+) > > diff --git a/config/rootfiles/core/137/filelists/files b/config/rootfiles/core/137/filelists/files > index ce4e51768..a02840d12 100644 > --- a/config/rootfiles/core/137/filelists/files > +++ b/config/rootfiles/core/137/filelists/files > @@ -1,4 +1,5 @@ > etc/system-release > etc/issue > +etc/rc.d/init.d/firewall > srv/web/ipfire/cgi-bin/credits.cgi > var/ipfire/langs > diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall > index ec396c708..602bd6c5b 100644 > --- a/src/initscripts/system/firewall > +++ b/src/initscripts/system/firewall > @@ -6,6 +6,7 @@ > eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings) > eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) > eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) > +ROOTHINTS="/etc/unbound/root.hints" > IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012'` > > if [ -f /var/ipfire/red/device ]; then > @@ -307,6 +308,17 @@ iptables_init() { > iptables -A INPUT -j TOR_INPUT > iptables -N TOR_OUTPUT > iptables -A OUTPUT -j TOR_OUTPUT > + > + # Allow outgoing DNS traffic (TCP and UDP) to DNS root servers > + local rootserverips="$( awk '/\s+A\s+/ { print $4 }' ${ROOTHINTS} )" > + ipset -N root-servers iphash > + > + for ip in "${rootserverips[@]}"; do > + ipset add root-servers $ip > + done > + > + iptables -A OUTPUT -m set --match-set root-servers dst -p tcp --dport 53 -j ACCEPT > + iptables -A OUTPUT -m set --match-set root-servers dst -p udp --dport 53 -j ACCEPT > > # Jump into the actual firewall ruleset. > iptables -N INPUTFW > -- > 2.16.4
this Code will not work: > + for ip in "${rootserverips[@]}"; do > + ipset add root-servers $ip > + done it call ipset add ip1 ip2 ip3 ... because the doublequotes. And if i fix this /etc/init.d/firewall restart complains because the ipset was not cleaned up before! Arne Am 2019-10-01 17:22, schrieb peter.mueller@ipfire.org: > Allowing outgoing DNS traffic (destination port 53, both TCP > and UDP) to the root servers is BCP for some reasons. First, > RFC 5011 assumes resolvers are able to fetch new trust ancors > from the root servers for a certain time period in order to > do key rollovers. > > Second, Unbound shows some side effects if it cannot do trust > anchor signaling (see RFC 8145) or fetch the current trust anchor, > resulting in SERVFAILs for arbitrary requests a few minutes. > > There is little security implication of allowing DNS traffic > to the root servers: An attacker might abuse this for exfiltrating > data via DNS queries, but is unable to infiltrate data unless > he gains control over at least one root server instance. If > there is no firewall ruleset in place which prohibits any other > DNS traffic than to chosen DNS servers, this patch will not > have security implications at all. > > The second version of this patch does not use unnecessary xargs- > call nor changes anything else not related to this issue. > > Fixes #12183 > > Cc: Michael Tremer <michael.tremer@ipfire.org> > Suggested-by: Horace Michael <horace.michael@gmx.com> > Signed-off-by: Peter Müller <peter.mueller@ipfire.org> > --- > config/rootfiles/core/137/filelists/files | 1 + > src/initscripts/system/firewall | 12 ++++++++++++ > 2 files changed, 13 insertions(+) > > diff --git a/config/rootfiles/core/137/filelists/files > b/config/rootfiles/core/137/filelists/files > index ce4e51768..a02840d12 100644 > --- a/config/rootfiles/core/137/filelists/files > +++ b/config/rootfiles/core/137/filelists/files > @@ -1,4 +1,5 @@ > etc/system-release > etc/issue > +etc/rc.d/init.d/firewall > srv/web/ipfire/cgi-bin/credits.cgi > var/ipfire/langs > diff --git a/src/initscripts/system/firewall > b/src/initscripts/system/firewall > index ec396c708..602bd6c5b 100644 > --- a/src/initscripts/system/firewall > +++ b/src/initscripts/system/firewall > @@ -6,6 +6,7 @@ > eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings) > eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) > eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) > +ROOTHINTS="/etc/unbound/root.hints" > IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d > '\012'` > > if [ -f /var/ipfire/red/device ]; then > @@ -307,6 +308,17 @@ iptables_init() { > iptables -A INPUT -j TOR_INPUT > iptables -N TOR_OUTPUT > iptables -A OUTPUT -j TOR_OUTPUT > + > + # Allow outgoing DNS traffic (TCP and UDP) to DNS root servers > + local rootserverips="$( awk '/\s+A\s+/ { print $4 }' ${ROOTHINTS} )" > + ipset -N root-servers iphash > + > + for ip in "${rootserverips[@]}"; do > + ipset add root-servers $ip > + done > + > + iptables -A OUTPUT -m set --match-set root-servers dst -p tcp > --dport 53 -j ACCEPT > + iptables -A OUTPUT -m set --match-set root-servers dst -p udp > --dport 53 -j ACCEPT > > # Jump into the actual firewall ruleset. > iptables -N INPUTFW
I have also found another problem. This patch is useless because you need the rootserver only in recursor mode but in recursor mode you need access to all dns servers of the domain ownwers. So allowing only the rootservers is useless because you still cannot resolve domains. Arne Am 2019-10-18 09:08, schrieb Arne Fitzenreiter: > this Code will not work: >> + for ip in "${rootserverips[@]}"; do >> + ipset add root-servers $ip >> + done > > it call > ipset add ip1 ip2 ip3 ... > because the doublequotes. > > And if i fix this > /etc/init.d/firewall restart > complains because the ipset was not cleaned up before! > > Arne > > > > Am 2019-10-01 17:22, schrieb peter.mueller@ipfire.org: >> Allowing outgoing DNS traffic (destination port 53, both TCP >> and UDP) to the root servers is BCP for some reasons. First, >> RFC 5011 assumes resolvers are able to fetch new trust ancors >> from the root servers for a certain time period in order to >> do key rollovers. >> >> Second, Unbound shows some side effects if it cannot do trust >> anchor signaling (see RFC 8145) or fetch the current trust anchor, >> resulting in SERVFAILs for arbitrary requests a few minutes. >> >> There is little security implication of allowing DNS traffic >> to the root servers: An attacker might abuse this for exfiltrating >> data via DNS queries, but is unable to infiltrate data unless >> he gains control over at least one root server instance. If >> there is no firewall ruleset in place which prohibits any other >> DNS traffic than to chosen DNS servers, this patch will not >> have security implications at all. >> >> The second version of this patch does not use unnecessary xargs- >> call nor changes anything else not related to this issue. >> >> Fixes #12183 >> >> Cc: Michael Tremer <michael.tremer@ipfire.org> >> Suggested-by: Horace Michael <horace.michael@gmx.com> >> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >> --- >> config/rootfiles/core/137/filelists/files | 1 + >> src/initscripts/system/firewall | 12 ++++++++++++ >> 2 files changed, 13 insertions(+) >> >> diff --git a/config/rootfiles/core/137/filelists/files >> b/config/rootfiles/core/137/filelists/files >> index ce4e51768..a02840d12 100644 >> --- a/config/rootfiles/core/137/filelists/files >> +++ b/config/rootfiles/core/137/filelists/files >> @@ -1,4 +1,5 @@ >> etc/system-release >> etc/issue >> +etc/rc.d/init.d/firewall >> srv/web/ipfire/cgi-bin/credits.cgi >> var/ipfire/langs >> diff --git a/src/initscripts/system/firewall >> b/src/initscripts/system/firewall >> index ec396c708..602bd6c5b 100644 >> --- a/src/initscripts/system/firewall >> +++ b/src/initscripts/system/firewall >> @@ -6,6 +6,7 @@ >> eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings) >> eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) >> eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) >> +ROOTHINTS="/etc/unbound/root.hints" >> IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d >> '\012'` >> >> if [ -f /var/ipfire/red/device ]; then >> @@ -307,6 +308,17 @@ iptables_init() { >> iptables -A INPUT -j TOR_INPUT >> iptables -N TOR_OUTPUT >> iptables -A OUTPUT -j TOR_OUTPUT >> + >> + # Allow outgoing DNS traffic (TCP and UDP) to DNS root servers >> + local rootserverips="$( awk '/\s+A\s+/ { print $4 }' ${ROOTHINTS} )" >> + ipset -N root-servers iphash >> + >> + for ip in "${rootserverips[@]}"; do >> + ipset add root-servers $ip >> + done >> + >> + iptables -A OUTPUT -m set --match-set root-servers dst -p tcp >> --dport 53 -j ACCEPT >> + iptables -A OUTPUT -m set --match-set root-servers dst -p udp >> --dport 53 -j ACCEPT >> >> # Jump into the actual firewall ruleset. >> iptables -N INPUTFW
diff --git a/config/rootfiles/core/137/filelists/files b/config/rootfiles/core/137/filelists/files index ce4e51768..a02840d12 100644 --- a/config/rootfiles/core/137/filelists/files +++ b/config/rootfiles/core/137/filelists/files @@ -1,4 +1,5 @@ etc/system-release etc/issue +etc/rc.d/init.d/firewall srv/web/ipfire/cgi-bin/credits.cgi var/ipfire/langs diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index ec396c708..602bd6c5b 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -6,6 +6,7 @@ eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings) eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) +ROOTHINTS="/etc/unbound/root.hints" IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012'` if [ -f /var/ipfire/red/device ]; then @@ -307,6 +308,17 @@ iptables_init() { iptables -A INPUT -j TOR_INPUT iptables -N TOR_OUTPUT iptables -A OUTPUT -j TOR_OUTPUT + + # Allow outgoing DNS traffic (TCP and UDP) to DNS root servers + local rootserverips="$( awk '/\s+A\s+/ { print $4 }' ${ROOTHINTS} )" + ipset -N root-servers iphash + + for ip in "${rootserverips[@]}"; do + ipset add root-servers $ip + done + + iptables -A OUTPUT -m set --match-set root-servers dst -p tcp --dport 53 -j ACCEPT + iptables -A OUTPUT -m set --match-set root-servers dst -p udp --dport 53 -j ACCEPT # Jump into the actual firewall ruleset. iptables -N INPUTFW