unbound DNS rebind protection

📆
🏷
unbound, dns firewall, security

While working on my DNS firewalling @home I was studying unbound.conf and found what I already had forgotten, unbound's DNS rebinding protection.

DNS rebinding is a an attack where a malicious website is using your browser to resolve internal addresses (e.g. RFC1918) in order to get their hands on internal ressources like e.g. your routers admin interface. There have been attacks in the wild using that technique and I bet there still are. rebind.network is a site that actually tries to find some internal ressources on your network; the site needs javascript. Anywho and without further ado, here's the setting that I am running on my unbound – courtesy of unbound.conf(5):

private-address: 10.0.0.0/8 
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-domain: my.lan.domain

--EOF

Open Source Threat Intelligence And Makeshift RPZ with Unbound

📆
🏷
openbsd, unbound, security, osint, dns firewall, dns rpz

<span class="md_update">Update:</span> Added some remarks about what DNS RPZ actually is, what my objective is and what the outcome will be.

A friend of mine and I tried to play w/ RPZ and knot yesterday and gravely failed. The fact that knot as well as RPZ had been new to us didn't help. Discussing the failure later that night I remembered that I was already doing something similar at home for adblocking at the DNS level instead of every application on every client. In some way this is also DNS RPZ.

DNS RPZ is something that could be described as DNS firewalling and is described by wikipedia as follows:

Domain Name Service Response Policy Zones (DNS RPZ) is a method that allows a nameserver administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. It is currently implemented in the ISC BIND nameserver (9.8 or later). Another generic name for the DNS RPZ functionality is “DNS firewall”.

My main objective is to block ad networks and malware sites (e.g. command and control) on the DNS level for all devices without them having to install adblockers or stuff. So if someone tries to access a blacklisted site, say domain.tld the client will get a NXDOMAIN as an answer instead of the real IP address. As I can't keep up with the domains I also want to leverage some of the OSINT feeds available. Currently I have roughly 16k domains blacklisted.

My take on a network manager

📆
🏷
openbsd, netmanager

There's one thing that I am really missing under OpenBSD, a network manager which seemlessly handles running around with my laptop. So my main itches to scratch are doing magic things at boot and resume so I don't have to bother with fiddling with hostname.if(5) ever.

My first take on tackling that problem actually was working ok'ish but depended on sqlite3 and after sqlite3 left base the solution started to annoy me everytime I moved to a current snapshot and sqlite3 stoppped working or was unavailable from within bsd.rd.

So I started to look around what other people did to get rid of those problems which led me to netctl. I like that netctl is nothing but a shell script. I dislike that it didn't work at boot time.

Open Source Threat Intelligence and pf(4)

📆
🏷
openbsd, pf, security, osint

I came up with the idea to utilize Open Source Threat Feeds, or OSINT on my private setup and quickly cooked up the shell script below in a rough, first try. The funny thing is that I more or less instantantly got hits from the 5346 IP addresses in the table:

@0 block drop log quick from <pf_osint:5346> to any
  [ Evaluations: 502       Packets: 20        Bytes: 800         States: 0     ]
  [ Inserted: uid 0 pid 68515 State Creations: 0     ]

🧐. The script is currently designed to run every 3 hours and to remove all IP addresses which had been added to the table after a day. I am not too happy about some of the parts right now, first of all: I'd like to seperate download and parsing out to a non-privileged process and feed one large junk of data to pfctl(8).

OpenBSD on Hyper-V Primer

📆
🏷
hyper-v, scratchpad

I am fed up with VMWAre Workstation and I'd like to check if Hyper-V is a better alternative for me. This is not a tutorial but just a primer and scratchpad note mainly for me, thus those very brief notes.

  • Enable Hyper-V
  • Add User to Group “Hyper-V Administrators”
  • Create NAT Switch (Run as Hyper-V Administrator) New-VMSwitch -Name NATSwitch -SwitchType Internal Get-NetAdapter -Name *NATSwitch*
  • Setup Network for VMs. Hypter-V does not do DHCP, it just provides a switch, which I dig. (Run as Administrator)
    • Setup IP Gateway IP Address for VMs. You need the IfIndex from the Get-NetAdapter command from above New-NetIPAddress -IPAddress 198.18.0.1 -PrefixLength 24 -InterfaceIndex 42
    • Now setup NAT New-NetNat -Name HyperVNAT -InternalIPInterfaceAddressPrefix 198.18.0.0/24

We can setup our VM now: New-VM -Name "obsd test" -MemoryStartupBytes 1GB -Generation 1 -BootDevice CD -SwitchName NATSwitch -NewVHDPath 'C:\path\to\vmstorage\obsd-test\base.vhdx' -NewVHDSizeBytes 50GB

Things that are missing / unclear so far:

  • non-persistent HDD
  • How does it know what the NAT Interface is and how does it perform if you move from wired to a wireless connection?
  • don't know right now how to provide the ISO Image for the DVD via New-VM
  • quick tests using a Generation 2 VM didn't work out as the ISO didn't boot and the Hyper-V didn't like miniroot62.fs as an ISO…

--EOF