metal-stack / firewall-controller

A kubernetes controller running on bare-metal firewalls, creating nftables rules, configures suricata, collects network metrics
MIT License

DNS based policies do not work with CNAMEs #135

Closed mreiger closed 1 year ago

mreiger commented 1 year ago

Currently DNS based CWNPs do not work with FQDNs that point to CNAMEs because anything other than A or AAAA records are ignored in the DNS caching.

Take the following DNS answer example:

host1.example.com.       600     IN      CNAME   host2.example2.com.
host2.example2.com.      60      IN      A       198.51.100.1

When creating a CWNP for this:

spec:
  egress:
  - toFQDNs:
    - matchName: host1.example.com
    ports:
    - protocol: TCP
      port: 80

the connection fails unless host2.example2.com is also added to the toFQDNs statement.

I think this is surprising to the user because host1.example.com does resolve to an IP address, yet the CWNP does not match. Since we base the CWNPs on DNS I think we should handle redirection through CNAME (and DNAME) records. (Application layer redirects are another matter.)

I wonder if this could be handled by following the [C|D]NAME redirection when processing the DNS reply in https://github.com/metal-stack/firewall-controller/blob/72f34ece31391e3f7618bd7e43543684d11d599d/pkg/dns/dnscache.go#L286 and update the cache entry for the original FQDN (in our example host1.example.com) with the IP addresses after [C|D]NAME redirection (in our example 198.51.100.1).

Any thoughts; should I try and see if I can implement this?
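The [C|D]NAME-following idea sketched above, as an added stand-alone example (not code from the firewall-controller repository): `RR`, `fqdn` and `Addresses` are constructed names for this illustration, and answer records are modelled as a plain struct rather than a parsed wire-format reply. It also handles a looping answer by bounding the number of redirections.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// RR is one record of a DNS answer section (a constructed type for this
// example, not the controller's own parsed reply).
type RR struct {
	Name string // owner name
	Type string // "A", "AAAA", "CNAME" or "DNAME"
	Data string // address text for A/AAAA, target name for CNAME/DNAME
}

// fqdn normalises a name to lower case with a trailing dot.
func fqdn(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, ".")) + "."
}

// Addresses returns the A/AAAA addresses that qname resolves to after following
// CNAME redirections and DNAME suffix rewrites within answer. maxHops bounds the
// chain so a looping answer is rejected rather than followed forever.
func Addresses(qname string, answer []RR, maxHops int) ([]net.IP, error) {
	name := fqdn(qname)
outer:
	for hop := 0; hop <= maxHops; hop++ {
		var ips []net.IP
		for _, rr := range answer {
			owner := fqdn(rr.Name)
			switch {
			case rr.Type == "CNAME" && owner == name:
				name = fqdn(rr.Data) // follow the alias and rescan under the new name
				continue outer
			case rr.Type == "DNAME" && strings.HasSuffix(name, "."+owner):
				name = strings.TrimSuffix(name, owner) + fqdn(rr.Data) // rewrite the suffix
				continue outer
			case (rr.Type == "A" || rr.Type == "AAAA") && owner == name:
				ip := net.ParseIP(rr.Data)
				if ip == nil {
					return nil, fmt.Errorf("bad %s record for %s: %q", rr.Type, owner, rr.Data)
				}
				ips = append(ips, ip)
			}
		}
		return ips, nil // no further redirection: these are the addresses for qname
	}
	return nil, fmt.Errorf("%s: more than %d [C|D]NAME redirections", qname, maxHops)
}
```

With the answer from the issue, `Addresses("host1.example.com", ...)` yields 198.51.100.1, which is the value the cache entry for host1.example.com would be updated with.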

Gerrit91 commented 1 year ago

/cc @GrigoriyMikhalkin