limit dns request to specific resource record

Started by superfox, August 31, 2022, 03:06:38 PM

Hi there

Using the on-board tools of OPNsense, is it possible to limit a host's DNS requests to one specific resource record?

For a network (interface), I can limit access to Unbound to one host using a firewall rule. Now I want to limit the DNS requests of this host to one specific resource record,
so that this host is only able to resolve, for example, "server.domain.test" to "172.17.17.1", and not anything else.

I think I have to use advanced plugins for this task, but I wanted to ask you guys first :-)

Quote from: superfox on August 31, 2022, 03:06:38 PM
for example "server.domain.test" to "172.17.17.1", and not anything else.

Do you mean constrain the request or the answer? Sounds like you mean the answer coming back.

If you know what the answer is going to be (say it's always 172.17.17.1) then you can override the host/domain with a local instance of unbound.

But if you want to change the answer by, e.g., removing additional A RRs or removing all AAAA RRs, then that's not possible with firewall rules as you need to modify the DNS packet by, amongst other things, changing the "answer count" and shuffling up any OPT RRs that may be at the end of the response.

In short, you'll probably have to create/find a plugin which re-writes the DNS answer to satisfy this requirement.
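What PacketChomper describes a rewriting plugin having to do can be shown concretely. The block below is an added example written for this thread, not code from any post, from OPNsense or from Unbound: a minimal DNS wire-format parser that rebuilds a response keeping only the permitted answer RR, recomputes ANCOUNT, and re-emits the OPT RR from the additional section after the shortened answer section. The sample response is constructed inline (not captured traffic); the policy function `only_permitted` and the name/address follow the thread's example, and everything else (function names, the second A record, the AAAA record) is assumed.

```python
import struct

# RR types used below (RFC 1035 / RFC 3596 / RFC 6891).
TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_PTR, TYPE_AAAA, TYPE_OPT = 1, 2, 5, 12, 28, 41


def read_name(msg, off):
    """Decode a (possibly compressed) name at msg[off]; return (labels, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            return labels, (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def encode_name(labels):
    """Wire-encode a name uncompressed (always valid, just a few bytes longer)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_rr(msg, off):
    name, off = read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    rdata = msg[off:off + rdlen]
    if rtype in (TYPE_NS, TYPE_CNAME, TYPE_PTR):  # RDATA is a name that may be compressed
        rdata = encode_name(read_name(msg, off)[0])
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}, off + rdlen


def write_rr(rr):
    return (encode_name(rr["name"])
            + struct.pack("!HHIH", rr["type"], rr["class"], rr["ttl"], len(rr["rdata"]))
            + rr["rdata"])


def parse_message(msg):
    """Split a DNS message into header fields, questions and the three RR sections."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, questions = 12, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append({"name": qname, "type": qtype, "class": qclass})
    sections = {}
    for key, count in (("answers", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, off = read_rr(msg, off)
            rrs.append(rr)
        sections[key] = rrs
    return {"id": txid, "flags": flags, "questions": questions, **sections}


def filter_answers(msg, keep):
    """Rebuild a response keeping only the answer RRs for which keep(rr) is true.

    ANCOUNT is recomputed and the authority/additional sections (including any
    OPT RR) are re-emitted after the shortened answer section: the bookkeeping
    a plain firewall rule cannot do.
    """
    m = parse_message(msg)
    answers = [rr for rr in m["answers"] if keep(rr)]
    out = struct.pack("!6H", m["id"], m["flags"], len(m["questions"]),
                      len(answers), len(m["authority"]), len(m["additional"]))
    for q in m["questions"]:
        out += encode_name(q["name"]) + struct.pack("!HH", q["type"], q["class"])
    for rrs in (answers, m["authority"], m["additional"]):
        out += b"".join(write_rr(rr) for rr in rrs)
    return out


def only_permitted(rr):
    """Policy from the thread: keep only server.domain.test A 172.17.17.1."""
    return (rr["type"] == TYPE_A and rr["name"] == ["server", "domain", "test"]
            and rr["rdata"] == bytes([172, 17, 17, 1]))


def build_sample_response():
    """Constructed sample response (not captured traffic): two A RRs, one AAAA, one OPT."""
    qname = encode_name(["server", "domain", "test"])
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 3, 0, 1)  # QR|RD|RA; 1 question, 3 answers, 1 additional
    question = qname + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xC0\x0C"  # compression pointer to the question name at offset 12
    a1 = ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([172, 17, 17, 1])
    a2 = ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([172, 17, 17, 2])
    aaaa = ptr + struct.pack("!HHIH", TYPE_AAAA, 1, 300, 16) + bytes(15) + b"\x01"
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)  # EDNS0, UDP payload size 4096
    return header + question + a1 + a2 + aaaa + opt


if __name__ == "__main__":
    original = build_sample_response()
    rewritten = filter_answers(original, only_permitted)
    for label, msg in (("original", original), ("rewritten", rewritten)):
        m = parse_message(msg)
        print(label, len(msg), "bytes; answer types:", [rr["type"] for rr in m["answers"]],
              "additional types:", [rr["type"] for rr in m["additional"]])
```

Two caveats a practitioner would want before putting anything like this inline: rebuilt names are written uncompressed and RDATA is copied verbatim except for NS/CNAME/PTR, so other types that embed compressed names (MX, SOA, SRV) would need the same decompression; and removing RRs from a signed RRset leaves the RRSIG no longer matching, so a DNSSEC-validating client would reject the rewritten answer. Both are reasons to enforce the policy inside the resolver rather than on the wire.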

Quote from: PacketChomper on August 31, 2022, 10:43:43 PM
If you know what the answer is going to be (say it's always 172.17.17.1) then you can over-ride the host/domain with a local instance of unbound.
I already did this and added two override entries. Thanks!

Quote from: PacketChomper on August 31, 2022, 10:43:43 PM
Do you mean constrain the request or the answer? Sounds like you mean the answer coming back.

I want to restrict the clients request, so that the client can not request any hostnames (e.g. from the internet) but _only_ the overrides.

If you only want one host to resolve one particular record, would you not be better off doing something with that host's hosts file and simply telling that host what that domain resolves to? Seems like a lot of extra trouble to go to getting the firewall involved, if I understand your use case correctly. If you think the IP might change more often, a little bash script on another machine that can resolve all host names could make the update every 5 minutes or something, if you wish, right?


Quote from: zyos on November 19, 2022, 08:27:22 AM
If you only want one host to resolve one particular record, would you not be better off doing something with that host's hosts file and simply telling that host what that domain resolves to? Seems like a lot of extra trouble to go to getting the firewall involved, if I understand your use case correctly. If you think the IP might change more often, a little bash script on another machine that can resolve all host names could make the update every 5 minutes or something, if you wish, right?

Good point! I have to think about this and speak to my communication partner. Thanks!

I guess there is no other way without actively "filtering" DNS request traffic. Then your idea is the easier way.
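Unbound itself can enforce what superfox asked for in the second post (the client may resolve only the overrides) without any packet rewriting or a hosts file: map the client to a view whose only local data is the permitted record and whose catch-all zone refuses everything else. The fragment below is an added example written for this thread, not configuration from any post or from the OPNsense project. Assumed: the restricted client's address 172.17.17.50, the view name, and the file location /usr/local/etc/unbound.opnsense.d/restricted.conf, which is the directory OPNsense includes for custom Unbound configuration (check that your version has it).

```conf
# /usr/local/etc/unbound.opnsense.d/restricted.conf  (assumed include path)
server:
    # Map the one restricted client (assumed address) to the "restricted" view.
    # access-control must still allow the client; access-control-view only
    # selects which view answers it.
    access-control-view: 172.17.17.50/32 restricted

view:
    name: "restricted"
    # Catch-all: any name not covered by a more specific local-zone in this view
    # is answered REFUSED instead of being recursed or forwarded.
    local-zone: "." refuse
    # The only zone served to this client. "static" means names inside it that
    # have no local-data get NXDOMAIN rather than an upstream lookup.
    local-zone: "domain.test." static
    local-data: "server.domain.test. A 172.17.17.1"
```

Check it from the restricted client with `drill server.domain.test @<unbound address>` (expect the A record) and `drill www.example.com @<unbound address>` (expect RCODE REFUSED). Unbound's `view-first` option defaults to no, so the global host overrides added in the GUI are not consulted for this client unless they are repeated inside the view. The view only governs what this resolver will answer; the firewall rule from the first post (allowing this host to reach only Unbound on port 53) is still what stops the client from simply asking another resolver.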