From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] firewall: always allow outgoing DNS traffic to root servers
Date: Tue, 01 Oct 2019 18:24:01 +0100
Message-ID:
In-Reply-To: <6972e22e-fb8f-772d-42f0-a7fb0e5cbe3f@ipfire.org>

Acked-by: Michael Tremer

> On 1 Oct 2019, at 16:22, peter.mueller(a)ipfire.org wrote:
>
> Allowing outgoing DNS traffic (destination port 53, both TCP
> and UDP) to the root servers is BCP for some reasons. First,
> RFC 5011 assumes resolvers are able to fetch new trust anchors
> from the root servers for a certain time period in order to
> do key rollovers.
>
> Second, Unbound shows some side effects if it cannot do trust
> anchor signaling (see RFC 8145) or fetch the current trust anchor,
> resulting in SERVFAILs for arbitrary requests for a few minutes.
>
> There is little security implication of allowing DNS traffic
> to the root servers: An attacker might abuse this for exfiltrating
> data via DNS queries, but is unable to infiltrate data unless
> he gains control over at least one root server instance. If
> there is no firewall ruleset in place which prohibits any other
> DNS traffic than to chosen DNS servers, this patch will not
> have security implications at all.
>
> The second version of this patch does not use an unnecessary xargs
> call, nor does it change anything else not related to this issue.
>
> Fixes #12183
>
> Cc: Michael Tremer
> Suggested-by: Horace Michael
> Signed-off-by: Peter Müller
> ---
> config/rootfiles/core/137/filelists/files | 1 +
> src/initscripts/system/firewall | 12 ++++++++++++
> 2 files changed, 13 insertions(+)
>
> diff --git a/config/rootfiles/core/137/filelists/files b/config/rootfiles/c= ore/137/filelists/files > index ce4e51768..a02840d12 100644 > --- a/config/rootfiles/core/137/filelists/files > +++ b/config/rootfiles/core/137/filelists/files > @@ -1,4 +1,5 @@ > etc/system-release > etc/issue > +etc/rc.d/init.d/firewall > srv/web/ipfire/cgi-bin/credits.cgi > var/ipfire/langs > diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firew= all > index ec396c708..602bd6c5b 100644 > --- a/src/initscripts/system/firewall > +++ b/src/initscripts/system/firewall > @@ -6,6 +6,7 @@ > eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings) > eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) > eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) > +ROOTHINTS=3D"/etc/unbound/root.hints" > IFACE=3D`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012= '` >=20 > if [ -f /var/ipfire/red/device ]; then > @@ -307,6 +308,17 @@ iptables_init() { > iptables -A INPUT -j TOR_INPUT > iptables -N TOR_OUTPUT > iptables -A OUTPUT -j TOR_OUTPUT > + > + # Allow outgoing DNS traffic (TCP and UDP) to DNS root servers > + local rootserverips=3D"$( awk '/\s+A\s+/ { print $4 }' ${ROOTHINTS} )" > + ipset -N root-servers iphash > + > + for ip in "${rootserverips[@]}"; do > + ipset add root-servers $ip > + done > + > + iptables -A OUTPUT -m set --match-set root-servers dst -p tcp --dport 53 = -j ACCEPT > + iptables -A OUTPUT -m set --match-set root-servers dst -p udp --dport 53 = -j ACCEPT > =09 > # Jump into the actual firewall ruleset. > iptables -N INPUTFW > --=20 > 2.16.4 --===============9035632839328311542==--
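Review bot: the hunk at `@@ -6,6 +6,7 @@` introduces `ROOTHINTS="/etc/unbound/root.hints"` but nothing later checks that the file exists and is readable before awk reads it. If the hints file is missing or empty, the ipset is created empty and the two ACCEPT rules match nothing, so a restrictive ruleset behind them would silently block the root-server traffic this patch is meant to guarantee. Suggest guarding the population step with `if [ -r "${ROOTHINTS}" ]; then` and logging a warning when no addresses were read.

Review bot: in the hunk at `@@ -307,6 +308,17 @@ iptables_init() {`, the loop `for ip in "${rootserverips[@]}"; do` does not iterate over the addresses: `local rootserverips="$( awk '/\s+A\s+/ { print $4 }' ${ROOTHINTS} )"` assigns a single newline-separated string, so the quoted `[@]` expansion of a scalar yields one word holding every address, the body runs exactly once, and the unquoted `$ip` then hands all addresses as separate arguments to one `ipset add root-servers` call, which ipset rejects as a syntax error. Either declare an array, `local rootserverips=( $(awk '/\s+A\s+/ { print $4 }' "${ROOTHINTS}") )`, or iterate the string directly with `for ip in ${rootserverips}; do`. Two further points in the same hunk: `ipset -N root-servers iphash` fails with "set with the same name already exists" when iptables_init runs again on a firewall reload, because nothing destroys or flushes the set first; `ipset create root-servers hash:ip -exist` followed by `ipset flush root-servers` makes the step idempotent and also picks up a changed root.hints. And the regex `/\s+A\s+/` intentionally matches only A records (AAAA does not match), which is consistent with these being iptables rather than ip6tables rules, but a comment saying so would save the next reader from reading it as a bug.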