mrtc0 / bouheki

bouheki is a KRSI (eBPF+LSM) based Linux security auditing tool.
https://mrtc0.github.io/bouheki
MIT License

Restrictions can be bypassed by name resolution timing #17

Closed mrtc0 closed 2 years ago

mrtc0 commented 2 years ago

The current implementation performs domain name resolution periodically. There is a problem with this implementation: if the TTL is shorter than the cycle for name resolution, the restriction will not work correctly.

Examples of domain names with a short TTL are `github.com.` and `s3-ap-northeast-1-w.amazonaws.com.`.

For example, if you include these domains in your deny list, depending on the timing of name resolution, communication may be allowed, bypassing the restriction.
I have considered several implementations to solve this issue.

1. TTL value-based name resolution

We have considered name resolution at the time the TTL reaches 0, but this is not a fundamental solution. It can still be bypassed depending on timing.

2. DNS Proxy

Stop systemd-resolved, etc. and prepare another DNS Proxy instead. This may work well, but it is not smart to change the host's DNS settings... Incidentally, it is also possible to create a plugin for NSS, but since not all programs depend on glibc, we will not adopt this approach.

3. eBPF

It is possible if you can successfully parse the name resolution request and response within the eBPF program, but I need to investigate if this is possible. And the same may be achieved with XDP.

mrtc0 commented 2 years ago

DNS Proxy Server added to bouheki at https://github.com/mrtc0/bouheki/pull/24. The use of a DNS proxy server should not be affected by this type of TOCTOU.
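The following is an added simulation, not bouheki's own code, of the two designs discussed in this thread: the original periodic-resolution deny list from the first comment, and the resolve-time enforcement of the DNS proxy approach from the second. It uses a constructed zone (`rotatingZone`) whose answer changes every TTL, TEST-NET addresses, and a 5 minute refresh interval; all of these values are assumptions chosen to make the timing window visible, and the `periodicDenyList` and `dnsProxy` types are simplified models rather than the project's implementation.

```go
package main

import (
	"fmt"
	"time"
)

// rotatingZone is a constructed stand-in for a short-TTL domain (the issue
// names github.com. as one): the answer changes every ttl, so a resolver
// that asks again after expiry sees a different address.
type rotatingZone struct {
	name  string
	addrs []string      // addresses cycled through, one per TTL period
	ttl   time.Duration // validity of each answer
}

// resolve returns the address the zone answers with at elapsed time t.
func (z rotatingZone) resolve(t time.Duration) string {
	return z.addrs[int(t/z.ttl)%len(z.addrs)]
}

// periodicDenyList models the original design from the first comment: the
// denied name is resolved once per refresh interval and the address from that
// resolution is what gets blocked until the next refresh.
type periodicDenyList struct {
	zone     rotatingZone
	interval time.Duration
}

// blockedAddr is the address enforced at time t: the answer seen at the most
// recent refresh tick.
func (p periodicDenyList) blockedAddr(t time.Duration) string {
	lastRefresh := t - t%p.interval
	return p.zone.resolve(lastRefresh)
}

// allowsConnect reports whether a process that resolves the name itself at
// time t and connects to the fresh answer gets past the stale deny list.
func (p periodicDenyList) allowsConnect(t time.Duration) bool {
	return p.zone.resolve(t) != p.blockedAddr(t)
}

// exposureSeconds counts the seconds within one refresh interval during which
// the periodic policy would let a fresh resolution through.
func exposureSeconds(p periodicDenyList) int {
	n := 0
	for t := time.Duration(0); t < p.interval; t += time.Second {
		if p.allowsConnect(t) {
			n++
		}
	}
	return n
}

// dnsProxy models the approach adopted in PR #24 (simplified, assumed
// behaviour): every query passes through the proxy, so the name is matched
// against the deny list at the moment of resolution and the answer's address
// is blocked in the same step. There is no gap between resolution and
// enforcement for the resolver to race against.
type dnsProxy struct {
	zone       rotatingZone
	deniedName map[string]bool
	blocked    map[string]bool // addresses learned from answers to denied names
}

// query handles a resolution at time t and records the answer for a denied
// name as blocked before handing it back to the caller.
func (d *dnsProxy) query(name string, t time.Duration) string {
	addr := d.zone.resolve(t)
	if d.deniedName[name] {
		d.blocked[addr] = true
	}
	return addr
}

func (d *dnsProxy) allowsConnect(addr string) bool { return !d.blocked[addr] }

func main() {
	// constructed TEST-NET addresses (RFC 5737), 60 s TTL, 5 min refresh cycle
	zone := rotatingZone{name: "github.com.", addrs: []string{"192.0.2.10", "192.0.2.11"}, ttl: 60 * time.Second}
	periodic := periodicDenyList{zone: zone, interval: 5 * time.Minute}
	proxy := &dnsProxy{zone: zone, deniedName: map[string]bool{zone.name: true}, blocked: map[string]bool{}}

	for _, t := range []time.Duration{30 * time.Second, 90 * time.Second} {
		addr := proxy.query(zone.name, t)
		fmt.Printf("t=%v answer=%s periodic allows=%v proxy allows=%v\n",
			t, addr, periodic.allowsConnect(t), proxy.allowsConnect(addr))
	}
	fmt.Printf("seconds per %v interval where the periodic policy is bypassable: %d\n",
		periodic.interval, exposureSeconds(periodic))
}
```

With these constructed values the periodic policy blocks the first address but lets the rotated address through for 120 of every 300 seconds, while the proxy blocks whatever address the denied name resolves to at query time.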