[DNSfirewalls] rpz firewall + whitelisting

Paul Vixie paul at redbarn.org
Wed Aug 28 14:31:49 UTC 2019 

On Wednesday, 28 August 2019 07:00:35 UTC Lee wrote:
> On 8/27/19, Paul Vixie <paul at redbarn.org> wrote:
> > it's tricky stuff. i hope you have at least read the draft (-04) though.
> 
> I looked at draft-vixie-dnsop-dns-rpz-00, but I doubt I understood
> even half of it.
> 
> Could you point out where in either draft it documents the
> non-intuitive behavior one gets by configuring an rpz zone with
> *.2o7.net CNAME .
> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.

since the wildcard applies to nonexistent names, the existing names with no 
content (empty non terminals) are implicitly passed through above. these are:

2o7.net
112.2o7.net
102.112.2o7.net
com.102.112.2o7.net

this means they exist but have no records. a DNS query for those names would 
produce RCODE=0 ANCOUNT=0 (name exists but has no records.) RPZ will only move 
to the next policy zone in the subscription list if the name does not exist -- 
that is, if the response to a query about it would be RCODE=3 (NXDOMAIN).

this in turn means that an empty name (which in DNS can only be nonterminal) 
has the same meaning as CNAME rpz-passthru., because it stops the search for 
this names in subsequent policy zones (if any) but is a trigger w/o an action. 
it is merely coincidental that your CNAME rpz-passthru. action produces the 
same result (stops the search of policy zones with no RPZ action) as empty 
nodes would produce. the wildcard is only important to your story because the 
action it describes is not being triggered for the interstitial (empty 
nonterminal) names.

so if your above-quoted construct is present in RPZ A, which appears in the 
configured RPZ subscription list before RPZ B, and RPZ B has a rule for 
112.2o7.net (one of the interstitial names), that rule in RPZ B will never be 
tested, and will therefore never trigger an action, even though the empty 
nonterminals from RPZ A do not, upon analyizing its content, have any obvious 
rules for this name.

we could institute a change whereby a match on an empty nonterminal name has 
the same effect (search for a wildcard; consider moving on to the next policy 
zone) as a nonexistent name would have. indeed, treating empty nonterminal the 
same as NXDOMAIN is what some older authority name servers worked, but, it is 
not the way we interpreted this pattern when deciding how DNSSEC would work, 
and i am loathe to deviate in this subtle way from normal DNS search 
semantics... especially because i can imagine an RPZ B (referencing the above 
walkthrough) which has a bad (broken; destructive) rule that is not being hit 
today because of some (implicit) empty nonterminal in RPZ A. (don't want.)

> >> > this expansion
> >> > should be done by the rpz generator or by some preprocessor you'd write
> >> > in python or perl or whatever.
> >> 
> >> Yeah, I totally get that.
> >> But me having to write a preprocessor + not really understanding rpz
> >> zones changes running a dns firewall from an interesting project to
> >> holding a loaded shotgun aimed at my foot :(

it will be a time thief, no question. however, i think this learning will have 
more benefit than cost. (noting, i almost always see learning that way.)

> > would it help if i crafted a perl script that did this preprocessing for
> > you?
> 
> Thanks for the offer, but I'll learn a lot more if I do it myself.
> And doing it myself will force me to go step-by-step instead of trying
> to jump directly to what I think the desired end state is.

i think the BIND9 native, and the FastRPZ, implementations of the RPZ spec 
could easily be changed to log warnings about empty non-terminals. and that to 
avoid these warnings (or rather, to avoid this condition), an RPZ generator 
would iteratively generate a "trigger action" rule for an owner name and 
label-strip.

owner = translate(trigger)
while !empty(owner) {
  generate(owner, action)
  label_strip(owner, left)
}

where translate() is how you're mapping from your desired trigger to the RPZ 
encoding as an RR owner name, and generate() is one or two RR's, one for the 
generated owner itself, and possibly a second one as a wildcard subdomain of 
that generated owner.

if any of this seems counterfactual or confusing, let's keep talking.

with this zone content (in vix.su, but's incidental to the story):

> deep.space.nine CNAME   this.is.deep.space.nine.
> *.nine          CNAME   this.is.wildcard.nine.

the result of a lookup is directly instructive as to the applicability of 
wildcards:

> $ dig @ns.lah1.vix.su space.nine.vix.su. cname | egrep '(status|ANSWER):'
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61298
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

again i want to stress that it's the presence of empty nonterminals, and their 
outcome being the same as CNAME rpz-passthru, that creates the problem. the 
wildcard is only important to your story because it's not being seen.

-- 
Paul

More information about the DNSfirewalls mailing list