aojea / kube-netpol

Apache License 2.0

[WIP] Process DNS #20

Closed aojea closed 7 months ago

aojea commented 7 months ago

This should be relatively easy to implement; there are a few things we need to consider about the scalability of the proposal and not exploding the cache entries.

However, I see most implementations use the heuristic of translating DNS records to IPs and blocking on IPs; that has serious scalability problems and/or race problems, especially if you populate this cache from a different resolver.

Cilium solves the problem by intercepting the DNS records and populating the cache https://github.com/cilium/cilium/blob/79029db115743b9884a06e1acf0067140d8a33fe/pkg/fqdn/doc.go

This requires storing the source IP of the request, the destination DNS name and the IPs of the answers.

However, since we are already intercepting, I prefer to use the method used by the products that offer this kind of service (OpenDNS, Norton DNS, Comodo DNS; OpenDNS is now Cisco Umbrella) and just reply with a record pointing to a well-known blackhole IP, so there is no need to store IP addresses.

It implies we have to generate or rewrite the packets with DNS responses, but with nfqueue it is simple...

Or we just drop the DNS request and let the app deal with the DNS request timeout.
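The two enforcement paths described in the comment (rewrite the intercepted query into a response that points at a blackhole address, or drop the query and let the client time out) as an added example, not code from kube-netpol or from the author. It assumes the raw DNS payload of an intercepted UDP query has already been handed over (for instance by an nfqueue callback), and uses a constructed blocked-name set and the TEST-NET-1 address 192.0.2.1 as a stand-in sinkhole; both are assumptions, not values from the project.

```python
import socket
import struct

# Constructed policy: names this pod is not allowed to resolve (assumption).
BLOCKED_NAMES = {"blocked.example.com.", "tracker.example.net."}
# Assumed sinkhole address (TEST-NET-1); a deployment would pick its own.
BLACKHOLE_IP = "192.0.2.1"

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode 'a.b.c.' into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, offset):
    """Decode a name at offset, following compression pointers.
    Returns (name with trailing dot, offset just past the name field)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_query(packet):
    """Parse the header and the single question of a DNS message."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("only single-question messages are handled")
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"txid": txid, "flags": flags, "qname": qname,
            "qtype": qtype, "qclass": qclass, "question_end": off + 4}


def build_query(name, txid=0x1234, qtype=QTYPE_A):
    """Build a standard recursive-desired A query (used here as sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_blackhole_response(query_packet, ip=BLACKHOLE_IP, ttl=60):
    """Answer the intercepted query with a single A record for the sinkhole IP,
    echoing the transaction id and question so the client accepts it."""
    q = parse_query(query_packet)
    flags = 0x8000 | (q["flags"] & 0x0100) | 0x0080  # QR=1, keep RD, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", q["txid"], flags, 1, 1, 0, 0)
    question = query_packet[12:q["question_end"]]
    answer = (b"\xC0\x0C"  # pointer to the name in the question section
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + socket.inet_aton(ip))
    return header + question + answer


def handle_query(packet, blocked=BLOCKED_NAMES, mode="rewrite"):
    """Policy decision for one intercepted query.
    Returns ("accept", None), ("drop", None) or ("reply", response_bytes)."""
    q = parse_query(packet)
    if q["qname"].lower() not in blocked:
        return "accept", None
    # Dropping leaves the application to hit its own resolver timeout.
    if mode == "drop" or q["qtype"] != QTYPE_A:
        return "drop", None
    return "reply", build_blackhole_response(packet)


if __name__ == "__main__":
    for name in ("blocked.example.com.", "allowed.example.org."):
        verdict, resp = handle_query(build_query(name))
        print(name, verdict, resp.hex() if resp else None)
```

Only A queries get a synthesized answer; a blocked name asked with any other type is dropped, since there is no meaningful record to fabricate for it. Because no resolved addresses are stored, the state the enforcer keeps is just the name policy, which is the scalability point the comment makes.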