From patchwork Fri Apr 25 12:37:17 2025
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 8641
From: Michael Tremer
To: development@lists.ipfire.org
Cc: Michael Tremer
Subject: [RFC PATCH 2/2] Add Fast Flux detection in DNS
Date: Fri, 25 Apr 2025 12:37:17 +0000
Message-Id: <20250425123717.3462310-2-michael.tremer@ipfire.org>
In-Reply-To: <20250425123717.3462310-1-michael.tremer@ipfire.org>
References: <20250425123717.3462310-1-michael.tremer@ipfire.org>

This has been implemented because of a request on the forum. Since the proxy is generally outgoing technology, it makes sense to enable this kind of filtering in DNS.

This patch adds a Python script which processes every query and its response and extracts all IP addresses from it. Those IP addresses will then be resolved to their origin AS. If there are more than THRESHOLD different ASes, the request will be blocked.

The AS lookups will only be performed when there are enough IP addresses to actually hit the threshold. So there should be next to no performance impact here except the overhead of the Python module itself.

Signed-off-by: Michael Tremer
---
 config/rootfiles/common/unbound      |   1 +
 config/unbound/fastflux-detection.py | 167 +++++++++++++++++++++++++++
 config/unbound/unbound.conf          |   7 ++
 doc/language_issues.en               |   1 +
 doc/language_issues.es               |   1 +
 doc/language_issues.fr               |   1 +
 doc/language_issues.it               |   1 +
 doc/language_issues.nl               |   1 +
 doc/language_issues.pl               |   1 +
 doc/language_issues.ru               |   1 +
 doc/language_issues.tr               |   1 +
 doc/language_missings                |   7 ++
 html/cgi-bin/dns.cgi                 |  21 ++++
 langs/de/cgi-bin/de.pl               |   1 +
 langs/en/cgi-bin/en.pl               |   1 +
 lfs/unbound                          |   4 +
 16 files changed, 217 insertions(+)
 create mode 100644 config/unbound/fastflux-detection.py
diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound index 03c956503..9ca84d2d9 100644 --- a/config/rootfiles/common/unbound +++ b/config/rootfiles/common/unbound @@ -1,6 +1,7 @@ etc/rc.d/init.d/unbound #etc/unbound etc/unbound/dhcp-leases.conf +etc/unbound/fastflux-detection.py etc/unbound/forward.conf etc/unbound/icannbundle.pem etc/unbound/local.d diff --git a/config/unbound/fastflux-detection.py b/config/unbound/fastflux-detection.py new file mode 100644 index 000000000..4ad62eed6 --- /dev/null +++ b/config/unbound/fastflux-detection.py 
@@ -0,0 +1,167 @@ +############################################################################### +# # +# Pakfire - The IPFire package management system # +# Copyright (C) 2025 IPFire Development Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +import datetime +import ipaddress +import location +import socket + +DEFAULT_THRESHOLD = 5 + +def read_config(path): + """ + Opens the configuration file and reads it line by line + """ + config = {} + + with open(path) as f: + for line in f: + # Remove any trailing newline + line = line.rstrip() + + # Split by key and value + key, _, val = line.partition("=") + + # Store the line + config[key] = val + + return config + +def init(id, cfg): + global db + global ENABLED + global THRESHOLD + + # Read the configuration + config = read_config("/var/ipfire/dns/settings") + + # Is this module enabled? + ENABLED = config.get("FF_DETECTION", "false") in ("on", "true", "1") + + # Fetch the treshold + if ENABLED: + threshold = config.get("FF_THRESHOLD", 5) + + try: + THRESHOLD = int(threshold) + except (TypeError, ValueError): + log_warning("Failed to parse Fast Flux threshold '%s'." 
+ " Using default of %s" % (threshold, DEFAULT_THRESHOLD)) + THRESHOLD = DEFAULT_THRESHOLD + + # Open the location database + try: + db = location.open() + + # Fail if we could not open the database + except Exception as e: + log_error("Failed to open the location database: %s" % e) + return False + + log_info("Opened Location database") + log_info(" Database Vendor : %s" % db.vendor) + log_info(" Created At : %s" % datetime.datetime.fromtimestamp(db.created_at)) + + # Done! + log_info("FastFlux detection module loaded") + + return True + +def deinit(id): + log_info("FastFlux detection module unloaded") + return True + +def inform_super(id, qstate, superqstate, qdata): + return True + +def operate(id, event, qstate, qdata): + # Execute when everything else is done + if event == MODULE_EVENT_MODDONE: + # Do nothing if this is not enabled + if not ENABLED: + qstate.ext_state[id] = MODULE_FINISHED + return True + + # Extract the qname + qname = qstate.qinfo.qname_str + + # Deny access to the qname? 
+ deny = False + + # Extract the response + rrset = qstate.return_msg.rep.rrsets + + addrs = set() + + # Find all IP addresses in the response + for i in range(qstate.return_msg.rep.rrset_count): + rr = rrset[i] + + # Extract the type + type = socket.ntohs(rr.rk.type) + + # Only process types A and AAAA + if type in (1, 28): + for i in range(rr.entry.data.count): + payload = rr.entry.data.rr_data[i] + + # Parse the IP address + if type == 1: + addr = ipaddress.IPv4Address(payload[2:]) + elif type == 28: + addr = ipaddress.IPv6Address(payload[2:]) + + addrs.add(addr) + + # Only perform any further action if we have at least as many as threshold IP addresses + if len(addrs) >= THRESHOLD: + asns = set() + + # Look up the networks for all addresses + for addr in addrs: + network = db.lookup("%s" % addr) + + # If no network could be found, we add zero to represent an unknown value + asns.add(network.asn if network else 0) + + # Check for selective announements + if 0 in asns: + log_info("Denying access to %s due to suspected selective announcements" % qname) + deny = True + + # Check if the threshold was exceeded + elif len(asns) >= THRESHOLD: + log_info("Denying access to %s due to suspected Fast Flux announcement" % qname) + deny = True + + # Return SERVFAIL? + # XXX It would be nice to send an extended DNS error here (e.g. BLOCKED), but it + # seems that this is currently not supported in the Python module. + if deny: + qstate.ext_state[id] = MODULE_ERROR + return True + + # Otherwise, continue + qstate.ext_state[id] = MODULE_FINISHED + return True + + # Not handling other events + qstate.ext_state[id] = MODULE_WAIT_MODULE + return True diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 012beab54..b1f2871c4 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf 
@@ -12,6 +12,9 @@ server: username: "nobody" do-ip6: no + # Load modules + module-config: "validator python iterator" + # System Tuning include: "/etc/unbound/tuning.conf" @@ -68,6 +71,10 @@ server: # Include any forward zones include: "/etc/unbound/forward.conf" +python: + # Enable Fast Flux Detection + python-script: "/etc/unbound/fastflux-detection.py" + remote-control: control-enable: yes control-use-cert: no diff --git a/doc/language_issues.en b/doc/language_issues.en index 1c1c546f7..a5860a153 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -611,6 +611,7 @@ WARNING: untranslated string: dnat address = Firewall Interface WARNING: untranslated string: dns check failed = DNS check failed WARNING: untranslated string: dns check servers = Check DNS Servers WARNING: untranslated string: dns configuration = DNS Configuration +WARNING: untranslated string: dns enable fast flux detection = Fast Flux Detection WARNING: untranslated string: dns enable safe-search = Enable Safe Search WARNING: untranslated string: dns enable safe-search youtube = Include YouTube in Safe Search WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) diff --git a/doc/language_issues.es b/doc/language_issues.es index cf7237435..2b7937842 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -1015,6 +1015,7 @@ WARNING: untranslated string: ca name must only contain characters and spaces = WARNING: untranslated string: cpu frequency = CPU frequency WARNING: untranslated string: data transfer = Data Transfer WARNING: untranslated string: dhcp fixed ip address in dynamic range = Fixed IP Address in dynamic range +WARNING: untranslated string: dns enable fast flux detection = Fast Flux Detection WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: done = Done WARNING: untranslated string: downfall gather data sampling = Downfall/Gather Data Sampling 
diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 702911061..b9703cd4d 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -979,6 +979,7 @@ WARNING: untranslated string: bypassed = Bypassed WARNING: untranslated string: ca name must only contain characters and spaces = unknown string WARNING: untranslated string: core notice 3 = available. WARNING: untranslated string: data transfer = Data Transfer +WARNING: untranslated string: dns enable fast flux detection = Fast Flux Detection WARNING: untranslated string: done = Done WARNING: untranslated string: enable disable client = unknown string WARNING: untranslated string: enable disable dyndns = unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index 3d93239af..c5297c241 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -1019,6 +1019,7 @@ WARNING: untranslated string: disconnected = Disconnected WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) WARNING: untranslated string: dns check servers = Check DNS Servers WARNING: untranslated string: dns configuration = DNS Configuration +WARNING: untranslated string: dns enable fast flux detection = Fast Flux Detection WARNING: untranslated string: dns enable safe-search = Enable Safe Search WARNING: untranslated string: dns enable safe-search youtube = Include YouTube in Safe Search WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) diff --git a/doc/language_issues.nl b/doc/language_issues.nl index f1090fc33..7f16de518 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl 
@@ -1019,6 +1019,7 @@ WARNING: untranslated string: disable = Disable WARNING: untranslated string: disconnected = Disconnected WARNING: untranslated string: dns check servers = Check DNS Servers WARNING: untranslated string: dns configuration = DNS Configuration +WARNING: untranslated string: dns enable fast flux detection = Fast Flux Detection WARNING: untranslated string: dns enable safe-search = Enable Safe Search WARNING: untranslated string: dns enable safe-search youtube = Include YouTube in Safe Search WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 1db36fb67..063045ef3 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -991,6 +991,7 @@ WARNING: untranslated string: dl client arch insecure = Download insecure Client WARNING: untranslated string: dnat address = Firewall Interface WARNING: untranslated string: dns check servers = Check DNS Servers WARNING: untranslated string: dns configuration = DNS Configuration +WARNING: untranslated string: dns enable fast flux detection = Fast Flux Detection WARNING: untranslated string: dns enable safe-search = Enable Safe Search WARNING: untranslated string: dns enable safe-search youtube = Include YouTube in Safe Search WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 4d29c4f95..5c85a2c40 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru 
@@ -986,6 +986,7 @@ WARNING: untranslated string: dl client arch insecure = Download insecure Client WARNING: untranslated string: dnat address = Firewall Interface WARNING: untranslated string: dns check servers = Check DNS Servers WARNING: untranslated string: dns configuration = DNS Configuration +WARNING: untranslated string: dns enable fast flux detection = Fast Flux Detection WARNING: untranslated string: dns enable safe-search = Enable Safe Search WARNING: untranslated string: dns enable safe-search youtube = Include YouTube in Safe Search WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 2da19f276..473250445 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -998,6 +998,7 @@ WARNING: untranslated string: disable = Disable WARNING: untranslated string: disconnected = Disconnected WARNING: untranslated string: dns check servers = Check DNS Servers WARNING: untranslated string: dns configuration = DNS Configuration +WARNING: untranslated string: dns enable fast flux detection = Fast Flux Detection WARNING: untranslated string: dns enable safe-search = Enable Safe Search WARNING: untranslated string: dns enable safe-search youtube = Include YouTube in Safe Search WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) diff --git a/doc/language_missings b/doc/language_missings index 48b98ce74..f5c0949b5 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -173,6 +173,7 @@ < cpu frequency < data transfer < dhcp fixed ip address in dynamic range +< dns enable fast flux detection < dns servers < done < downfall gather data sampling @@ -287,6 +288,7 @@ < bypassed < ca name must only contain characters or spaces < data transfer +< dns enable fast flux detection < done < endpoint < endpoint address 
@@ -509,6 +511,7 @@ < dns check servers < dns configuration < dns could not add server +< dns enable fast flux detection < dns enable safe-search < dns enable safe-search youtube < dns forward disable dnssec @@ -1110,6 +1113,7 @@ < dns check servers < dns configuration < dns could not add server +< dns enable fast flux detection < dns enable safe-search < dns enable safe-search youtube < dns forward disable dnssec @@ -1807,6 +1811,7 @@ < dns check servers < dns configuration < dns could not add server +< dns enable fast flux detection < dns enable safe-search < dns enable safe-search youtube < dnsforward @@ -2884,6 +2889,7 @@ < dns check servers < dns configuration < dns could not add server +< dns enable fast flux detection < dns enable safe-search < dns enable safe-search youtube < dnsforward @@ -3823,6 +3829,7 @@ < dns check servers < dns configuration < dns could not add server +< dns enable fast flux detection < dns enable safe-search < dns enable safe-search youtube < dns forward disable dnssec diff --git a/html/cgi-bin/dns.cgi b/html/cgi-bin/dns.cgi index 0d3b14797..8cc39f97c 100644 --- a/html/cgi-bin/dns.cgi +++ b/html/cgi-bin/dns.cgi @@ -82,6 +82,11 @@ if ($cgiparams{'GENERAL'} eq $Lang::tr{'save'}) { $cgiparams{'USE_ISP_NAMESERVERS'} = "off"; } + # Add value for non-checked checkbox. + if ($cgiparams{'FF_DETECTION'} ne "on") { + $cgiparams{'FF_DETECTION'} = "off"; + } + # Add value for non-checked checkbox. if ($cgiparams{'ENABLE_SAFE_SEARCH'} ne "on") { $cgiparams{'ENABLE_SAFE_SEARCH'} = "off"; @@ -264,6 +269,7 @@ if (($cgiparams{'SERVERS'} eq $Lang::tr{'save'}) || ($cgiparams{'SERVERS'} eq $L # Hash to store the generic DNS settings. my %settings = (); $settings{"ENABLE_SAFE_SEARCH_YOUTUBE"} = "on"; +$settings{"FF_DETECTION"} = "on"; # Read-in general DNS settings. &General::readhash("$settings_file", \%settings); 
@@ -311,6 +317,10 @@ $checked{'USE_ISP_NAMESERVERS'}{'off'} = ''; $checked{'USE_ISP_NAMESERVERS'}{'on'} = ''; $checked{'USE_ISP_NAMESERVERS'}{$settings{'USE_ISP_NAMESERVERS'}} = "checked='checked'"; +$checked{'FF_DETECTION'}{'off'} = ''; +$checked{'FF_DETECTION'}{'on'} = ''; +$checked{'FF_DETECTION'}{$settings{'FF_DETECTION'}} = "checked='checked'"; + $checked{'ENABLE_SAFE_SEARCH'}{'off'} = ''; $checked{'ENABLE_SAFE_SEARCH'}{'on'} = ''; $checked{'ENABLE_SAFE_SEARCH'}{$settings{'ENABLE_SAFE_SEARCH'}} = "checked='checked'"; @@ -380,6 +390,17 @@ sub show_general_dns_configuration () { + + + $Lang::tr{'dns enable fast flux detection'} + + + + + + + + $Lang::tr{'dns enable safe-search'} diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 3ce02b657..aafc180a6 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -835,6 +835,7 @@ 'dns check servers' => 'DNS-Server prüfen', 'dns configuration' => 'DNS-Konfiguration', 'dns desc' => 'Wenn auf Schnittstelle red0 die IP-Adressinformationen über DHCP vom Provider kommen, werden automatisch die DNS-Server-Adressen des Providers gesetzt. Hier können Sie nun diese mit den eigenen DNS-Server-IP-Adressen überschreiben.', +'dns enable fast flux detection' => 'Fast-Flux-Erkennung', 'dns enable safe-search' => 'Safe Search via DNS aktivieren', 'dns enable safe-search youtube' => 'YouTube in Safe Search einbeziehen', 'dns error 0' => 'Die IP Adresse vom primären DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!
Die eingegebene sekundären DNS Server Adresse ist jedoch gültig.
', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 3e647e6e5..fb82fcd08 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -880,6 +880,7 @@ 'dns configuration' => 'DNS Configuration', 'dns could not add server' => 'Could not add server - Reason:', 'dns desc' => 'If the red0 interface gets the IP address information via DHCP from the provider, the DNS server addresses will be set automatically. Now here you are able to change these DNS server IP addresses with your own ones.', +'dns enable fast flux detection' => 'Fast Flux Detection', 'dns enable safe-search' => 'Enable Safe Search', 'dns enable safe-search youtube' => 'Include YouTube in Safe Search', 'dns error 0' => 'The IP address of the primary DNS server is not valid, please check your entries!
The entered secondary DNS server address is valid.', diff --git a/lfs/unbound b/lfs/unbound index 8c79125ec..00105b691 100644 --- a/lfs/unbound +++ b/lfs/unbound @@ -97,6 +97,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) touch /etc/unbound/{dhcp-leases,forward}.conf -mkdir -pv /etc/unbound/local.d + # Install Python scripts + install -v -m 644 $(DIR_SRC)/config/unbound/fastflux-detection.py \ + /etc/unbound/fastflux-detection.py + # Install root hints install -v -m 644 $(DIR_SRC)/config/unbound/root.hints \ /etc/unbound/root.hints
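Review bot: In the fastflux-detection.py hunk, operate() dereferences qstate.return_msg without a check (`rrset = qstate.return_msg.rep.rrsets`), but return_msg is None whenever the iterator could not produce an answer (upstream SERVFAIL, timeout), so the MODDONE handler will raise an exception instead of passing the failure through; guard it with `if qstate.return_msg and qstate.return_msg.rep:` before touching rep. Three further points in the same hunk. First, the loop over rep.rrsets walks every section of the reply, so A/AAAA glue in the additional section is counted toward THRESHOLD alongside the answer; limiting the range to rep.an_numrrsets (if the binding exposes it) restricts the decision to the addresses the client actually receives. Second, the "selective announcements" branch denies a name as soon as a single address is missing from the location database; addresses from private, link-local or otherwise reserved ranges (internal zones via local.d, IPv6 ULA) are never in it, so such a zone with THRESHOLD or more records is blocked outright, and a Network object whose asn attribute is None would be counted as a distinct AS rather than as unknown; skipping addr.is_private/is_reserved and normalising with `network.asn or 0` avoids both. Third, the error paths call log_warning() and log_error(), but as far as I know the Unbound Python module exposes log_info(), log_warn() and log_err(), so a bad FF_THRESHOLD value or an unopenable database would end in a NameError rather than the intended message; please check the names against pythonmod. Smaller items: the `config.get("FF_THRESHOLD", 5)` fallback should reference DEFAULT_THRESHOLD, the inner `for i in range(rr.entry.data.count)` reuses the outer loop variable and `type` shadows the builtin, the comment reads "treshold", and the license header still says "Pakfire - The IPFire package management system" for a file that is an Unbound module. Finally, init() returns False when the location database cannot be opened even with FF_DETECTION off, and module-config loads the module unconditionally, so a missing or corrupt database keeps Unbound from starting at all; consider failing hard only when the feature is enabled, and note that both the settings and the database are read once at init, so the regularly updated location data (and any toggle change) needs an Unbound reload to take effect.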
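Review bot: The unbound.conf hunks add `module-config: "validator python iterator"` and the `python:` section unconditionally, so every installation pays the Python interpreter cost on every query even with FF_DETECTION off; the commit message describes that overhead as the only cost, but it now applies to users who never enable the feature. Consider emitting the module-config line and the python-script entry only when the option is on (for example from the CGI or an include generated at save time), which would also make a broken Python environment harmless for everyone else.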
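Review bot: In the dns.cgi hunks the UI default is `$settings{"FF_DETECTION"} = "on";` before readhash, while the script defaults with `config.get("FF_DETECTION", "false")`, so on an existing installation without the key the checkbox renders as checked although the module is actually disabled until the page is saved once; pick one default and use it in both places. The hunk also adds no field or default for FF_THRESHOLD, which the script reads from the same settings file, so the threshold can only be changed by hand-editing /var/ipfire/dns/settings; either expose it next to the checkbox or document that it is intentionally hidden. Since the module reads settings only in init(), please confirm that the GENERAL save path restarts or reloads Unbound, otherwise the toggle has no effect until the next restart.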
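Review bot: The lfs/unbound hunk installs the script but the visible diff does not touch the configure flags; if Unbound is not already built with --with-pythonmodule, the new module-config makes it refuse to start, so please confirm the build already includes the Python module (or add the flag in this patch). The script also depends on the libloc Python bindings (`import location`) being present on the system for the "nobody" user Unbound runs as; a missing or unreadable module would fail init() and take DNS down, so that dependency is worth stating in the commit message or checking in the rootfile.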