netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Domain routes allow access to any server behind a routing peer #2419

Open sjansen1 opened 1 month ago

sjansen1 commented 1 month ago

Describe the problem

I come from the Tailscale world (private use) and I am interested in using NetBird for the company I am working for. I am doing a small PoC with NetBird to test all capabilities and features.

Today I ran some tests with domain routes and found it a bit strange that the client decides what the right IP is; it is different in Tailscale, where the subnet gateway does this job.

So I put the FQDN of an existing domain route in my Windows hosts file, but with the IP of another server that is behind my routing peer (for this domain route), and voilà, the NetBird routes in the Windows NetBird client show the new IP I placed in my hosts file and, to my surprise, I can reach this IP through the peer that is set up for the domain route.

For me, this makes domain routes dangerous to use. It would be better to do it the Tailscale way: the gateway peer does the resolving and allows traffic in only for this IP; Tailscale just creates dynamic routes for the routing peer.

I don't know if this is by design, a bug or a security thing.

To Reproduce

Steps to reproduce the behavior:

  1. Set up a domain route
  2. Select a peer for routing
  3. Edit the hosts file and put in a different IP that is not supposed to be the right server for the FQDN in the domain route
  4. The IP in the hosts file is now reachable over the routing peer

Expected behavior

For example, I just want to make a web app available via a domain route for certain users, and I want to be sure only that server is available. The routing peer should do the resolving, create dynamic routes and only allow me to access these IPs/servers.

Are you using NetBird Cloud?

I use NetBird Cloud

NetBird version

0.28.7

NetBird status -dA output:

mysubnetgateway.netbird.cloud:
  NetBird IP: 100.71.60.220
  Public key: xxx
  Status: Connected
  -- detail --
  Connection type: P2P
  Direct: true
  ICE candidate (Local/Remote): host/prflx
  ICE candidate endpoints (Local/Remote): 127.0.0.1:56620/198.51.100.2:51995
  Last connection update: 20 minutes, 59 seconds ago
  Last WireGuard handshake: 8 seconds ago
  Transfer status (received/sent) 1.4 KiB/3.9 KiB
  Quantum resistance: false
  Routes: x.x.x.x/32, x.x.x.x/32, xxx.x.anon-XQeZQ.domain
  Latency: 14.4775ms

OS: windows/amd64
Daemon version: 0.28.7
CLI version: 0.28.7
Management: Connected to https://api.netbird.io:443
Signal: Connected to https://signal.netbird.io:443
Relays:
  [stun:stun.netbird.io:5555] is Available
  [turns:turn.netbird.io:443?transport=tcp] is Available
Nameservers:
  [x.x.x.x:53, x.x.x.x:53] for [XXX.anon-XQeZQ.domain, anon-86srl.domain] is Available
FQDN: myclientmachine.netbird.cloud
NetBird IP: 100.71.34.104/16
Interface type: Userspace
Quantum resistance: false
Routes: -
Peers count: 1/6 Connected

Do you face any client issues on desktop?

No

Screenshots

No


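Added example (not code from the issue or from the NetBird project): a small defender-side audit for the condition the reporter describes. It parses a hosts file and flags any entry that remaps a domain-route FQDN to an address outside the range the administrator expects that name to resolve into, which is exactly the override that would make the client install a route for an unintended server. The FQDNs, the hosts-file contents and the per-route expected network are constructed for the example; the expected network is a hypothetical administrator-maintained allowlist assumed here, not a setting taken from NetBird's configuration.

```python
"""Audit local hosts-file overrides against domain-route FQDNs.

Constructed example. The expected network per FQDN is a hypothetical
administrator allowlist, not a NetBird configuration field.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample: FQDNs published as domain routes, each paired with the
# address range the administrator expects that name to resolve into.
DOMAIN_ROUTES = {
    "webapp.corp.example": ipaddress.ip_network("10.20.30.0/24"),
    "git.corp.example": ipaddress.ip_network("10.20.31.0/24"),
}

# Constructed sample hosts file: one override inside the expected range,
# one override pointing at an unrelated host, and one unrelated entry.
SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
10.20.30.7      webapp.corp.example       # inside the expected range
10.20.99.5      git.corp.example          # outside the expected range
192.168.1.10    printer.home.example
"""


@dataclass
class Finding:
    fqdn: str
    address: ipaddress.IPv4Address | ipaddress.IPv6Address
    expected: ipaddress.IPv4Network | ipaddress.IPv6Network
    in_range: bool


def parse_hosts(text: str) -> dict[str, list]:
    """Return name -> [addresses] from hosts-file text, comments stripped."""
    entries: dict[str, list] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address column, skip the line
        for name in parts[1:]:
            entries.setdefault(name.lower(), []).append(addr)
    return entries


def audit_overrides(hosts_text: str, routes=DOMAIN_ROUTES) -> list[Finding]:
    """One Finding per hosts entry that names a domain-route FQDN."""
    hosts = parse_hosts(hosts_text)
    findings: list[Finding] = []
    for fqdn, expected in routes.items():
        for addr in hosts.get(fqdn.lower(), []):
            findings.append(Finding(fqdn, addr, expected, addr in expected))
    return findings


def out_of_range(hosts_text: str, routes=DOMAIN_ROUTES) -> list[Finding]:
    """Only the overrides that would steer a domain route to an unexpected IP."""
    return [f for f in audit_overrides(hosts_text, routes) if not f.in_range]


if __name__ == "__main__":
    for f in audit_overrides(SAMPLE_HOSTS):
        verdict = "ok" if f.in_range else "OUT OF EXPECTED RANGE"
        print(f"{f.fqdn}: hosts file maps to {f.address} "
              f"(expected {f.expected}) -> {verdict}")
```

On a Windows client the file to read is %SystemRoot%\System32\drivers\etc\hosts; the same check can be pointed at the addresses the client actually installed as /32 routes, since those are what the routing peer will end up forwarding.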
mlsmaycon commented 1 month ago

Thanks for reporting the problem. We will discuss the best approach to avoid the issue and give you feedback as soon as possible.