unbound DNS rebind protection


While working on my DNS firewalling at home I was studying unbound.conf(5) and found something I had already forgotten about: unbound’s DNS rebinding protection.

DNS rebinding is an attack where a malicious website uses your browser to resolve internal addresses (e.g. RFC1918 space) in order to get its hands on internal resources, for example your router’s admin interface. The attacker’s name first points at the attacker’s own server and then, after a short TTL, at an internal address, so the browser’s same-origin policy no longer keeps the attacker’s script away from that internal host. There have been attacks in the wild using that technique and I bet there still are. rebind.network is a site that actually tries to find some internal resources on your network; the site needs JavaScript. Without further ado, here are the settings I am running on my unbound, courtesy of unbound.conf(5). private-address strips any of the listed addresses from answers for names on the public Internet, and private-domain exempts my own zone so it can keep handing out RFC1918 addresses:

private-address: 10.0.0.0/8 
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-domain: my.lan.domain
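To see whether the setting actually bites, here is a small check, added here and not part of the original post: it queries a resolver for a name’s A and AAAA records and reports any answer that still lands in one of the ranges listed above. It assumes dig(1) is installed; resolver address and test name are arguments, and the classification function stands on its own so it can be tried on a bare address. Two caveats the configuration above does not spell out: a name under private-domain (my.lan.domain) is supposed to return private addresses, so point the check at a public name, and the list has no 127.0.0.0/8 or ::1, although services on loopback are just as reachable from a rebinding page.

```shell
#!/bin/sh
# Added example, not part of the original post: report answers from a resolver
# that fall into the private ranges configured via private-address above.
# Assumes dig(1); resolver and name are taken from the command line.

# is_private_addr ADDR: return 0 if ADDR (IPv4 dotted quad, or IPv6 as dig
# prints it) lies in one of the private-address ranges from the config.
is_private_addr() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        10.*)                                   return 0 ;;  # 10.0.0.0/8
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;  # 172.16.0.0/12
        192.168.*)                              return 0 ;;  # 192.168.0.0/16
        169.254.*)                              return 0 ;;  # 169.254.0.0/16
        fd[0-9a-f][0-9a-f]:*)                   return 0 ;;  # fd00::/8
        fe[89ab][0-9a-f]:*)                     return 0 ;;  # fe80::/10
    esac
    return 1
}

# rebind_check RESOLVER NAME: ask RESOLVER for NAME's A and AAAA records and
# print every private address that came back unfiltered. Returns 1 if any did,
# i.e. if the rebind protection is not doing its job for that name.
rebind_check() {
    resolver=$1 name=$2 rc=0
    for rr in A AAAA; do
        for a in $(dig +short +time=3 +tries=1 "$rr" "$name" "@$resolver"); do
            case $a in *.) continue ;; esac   # CNAME targets end in a dot; skip them
            if is_private_addr "$a"; then
                printf 'LEAK: %s %s -> %s via %s\n' "$name" "$rr" "$a" "$resolver"
                rc=1
            fi
        done
    done
    return $rc
}

# usage: rebind-check.sh 127.0.0.1 some.public.name
if [ $# -eq 2 ]; then
    rebind_check "$1" "$2"
fi
```

Run it against the resolver with the setting in place and once against a resolver without it; the second run is what the protection is supposed to prevent.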

Open Source Threat Intelligence And Makeshift RPZ with Unbound


Update: Added some remarks about what DNS RPZ actually is, what my objective is and what the outcome will be.

A friend of mine and I tried to play with RPZ and knot yesterday and failed miserably. The fact that knot as well as RPZ was new to us didn’t help. Discussing the failure later that night I remembered that I was already doing something similar at home: adblocking at the DNS level instead of in every application on every client. In a way this is also DNS RPZ.

DNS RPZ is something that could be described as DNS firewalling and is described by wikipedia as follows:

Domain Name Service Response Policy Zones (DNS RPZ) is a method that allows a nameserver administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. It is currently implemented in the ISC BIND nameserver (9.8 or later). Another generic name for the DNS RPZ functionality is “DNS firewall”.

My main objective is to block ad networks and malware sites (e.g. command and control) at the DNS level for all devices, without them having to install adblockers or similar. So if someone tries to access a blacklisted site, say domain.tld, the client gets an NXDOMAIN as the answer instead of the real IP address. As I can’t keep up with the domains myself, I also want to leverage some of the OSINT feeds available. Currently I have roughly 16k domains blacklisted.

So today I was incorporating some of my OSINT and pf(4) work into my DNS setup at home. Just as a quick primer: I am using OpenBSD as the OS, unbound(8) as the recursor and rcs(1) for local and simple version control. Nothing mentioned here is specific to OpenBSD besides the ftp(1) command that I use to fetch the feeds and the location of the files.

Setting up unbound

Setup is pretty simple, just add the following line to /var/unbound/etc/unbound.conf within the server: section of the file:

include: /var/unbound/zones/rpz

Then set up /var/unbound/zones/rpz with additional includes, e.g.

include: …
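What the included files have to contain is not shown above, so here is an added example (not the post’s own script) of generating one of them: a feed, either a plain domain list or a hosts(5)-style one, goes in on stdin and unbound local-zone statements come out, one per domain, each answering NXDOMAIN, which is the outcome described above. Assumptions: unbound 1.6 or newer for the always_nxdomain zone type (on older releases use static, which answers NXDOMAIN for names without local-data as well), unbound-control with remote-control enabled for the reload, the output path being one of the files /var/unbound/zones/rpz includes, and the sample lines in the usage comment are made up.

```shell
#!/bin/sh
# Added example, not the post's script: turn blocklist feeds into unbound
# local-zone statements for the files included from /var/unbound/zones/rpz.
# Assumes unbound >= 1.6 (always_nxdomain) and unbound-control for the reload.

# feed_to_unbound: read feed lines on stdin, write local-zone lines on stdout.
# Accepts plain domain lists and hosts(5)-style "0.0.0.0 domain" lines; drops
# comments, blank lines, localhost entries and anything that is not a valid
# hostname of at least two labels, then de-duplicates.
feed_to_unbound() {
    tr -d '\r' | tr '[:upper:]' '[:lower:]' |
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            # hosts(5) format: sinkhole address then the name; plain list: name only
            d = ($1 ~ /^[0-9.:]+$/ && NF >= 2) ? $2 : $1
            sub(/\.$/, "", d)
            if (d == "localhost" || d == "localhost.localdomain" || d == "broadcasthost") next
            # labels of letters, digits and hyphens, no leading or trailing hyphen
            if (d !~ /^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$/) next
            if (d ~ /\.[0-9]+$/) next    # an all-numeric last label is an IP, not a name
            print d
        }' |
    sort -u |
    while IFS= read -r d; do
        printf 'local-zone: "%s." always_nxdomain\n' "$d"
    done
}

# install_rpz OUTFILE: write the statements from stdin to OUTFILE, keep the
# previous version, and reload unbound only if the whole config still parses.
install_rpz() {
    out=$1
    tmp=$(mktemp "$out.XXXXXX") || return 1
    feed_to_unbound > "$tmp" || { rm -f "$tmp"; return 1; }
    # a feed that vanished must not silently unblock everything
    [ -s "$tmp" ] || { echo "empty blocklist, not installing $out" >&2; rm -f "$tmp"; return 1; }
    [ -f "$out" ] && cp -p "$out" "$out.prev"
    mv "$tmp" "$out"
    if unbound-checkconf >/dev/null 2>&1; then
        unbound-control reload
    else
        echo "unbound-checkconf rejected $out, restoring previous version" >&2
        [ -f "$out.prev" ] && mv "$out.prev" "$out"
        return 1
    fi
}

# usage (path made up): ftp -VMo- https://feed.example/hosts.txt | rpz.sh /var/unbound/zones/rpz.d/feed
if [ $# -eq 1 ]; then
    install_rpz "$1"
fi
```

A local-zone covers the name and everything below it, so a feed entry for a shared parent domain takes out all of its subdomains; review what a feed adds before trusting it, and make sure it can never contain your own zone. install_rpz refuses an empty result on purpose: a feed that goes away should not silently unblock everything.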

My take on a network manager


There’s one thing that I really miss under OpenBSD: a network manager that seamlessly handles running around with my laptop. So my main itches to scratch are doing magic things at boot and on resume so I never have to fiddle with hostname.if(5) again.

My first take on tackling that problem actually worked OK-ish but depended on sqlite3, and after sqlite3 left base the solution started to annoy me every time I moved to a current snapshot and sqlite3 stopped working or was unavailable from within bsd.rd.

So I started to look around at what other people did to get rid of those problems, which led me to netctl. I like that netctl is nothing but a shell script. I dislike that it didn’t work at boot time.

My first take already worked at boot time and reduced my hostname.if(5) to just two lines:

up
!/etc/netmanager \$if

I decided to rewrite the script, reusing chunks of netstart(8) to keep the file in a well-known format. /etc/netmanager basically searches below /etc/hostname.d for a file matching the given, or autodetected, network ID to connect to. So without further ado, here it is:

#!/bin/sh -

# parse_hn_line() and ifstart() are taken from /etc/netstart revision 1.195 with
# some small additions (basically addition of $_nwid and the removal of unneeded routines)

set +o sh

usage() {
	cat <<EOF >&2
usage: /etc/netmanager [<nwid>] <if>
	<nwid>	network to connect to
	<if>	interface to connect

netmanager searches for <nwid>.nwid in /etc/hostname.d, parses the file and
feeds ifconfig(8) accordingly. <nwid>.nwid has the same format as hostname.if(5).

If no <nwid> has been given netmanager issues a scan for access points and
searches for a matching <nwid>.nwid file.
EOF
	exit 2
}

# Parse and "unpack" a hostname.if(5) line given as positional parameters.
# Fill the _cmds array with the resulting interface configuration commands. …
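The autodetection step described above, as an added example that is not the post’s script: pick_nwid reads ifconfig scan output and returns the first advertised network, in scan order, that has a matching <nwid>.nwid file. The scan lines in the usage comment are made up to follow the “nwid NAME chan N bssid …” layout with NAME in double quotes when it contains spaces, and the directory is a parameter so the function can be tried against a scratch directory instead of /etc/hostname.d.

```shell
#!/bin/sh
# Added example, not the post's netmanager: the nwid autodetection step alone.
# Reads "ifconfig <if> scan" output on stdin; assumed line layout (made up to
# look like OpenBSD's ifconfig):  nwid NAME chan N bssid XX:XX:XX:XX:XX:XX ...
# with NAME double-quoted when it contains spaces.

# pick_nwid DIR: print the first advertised nwid that has DIR/<nwid>.nwid and
# return 0, or return 1 if none of the scanned networks is known.
pick_nwid() {
    dir=$1
    # keep only what follows "nwid " on each scan line
    names=$(sed -n 's/^[[:space:]]*nwid //p')
    while IFS= read -r rest; do
        case $rest in
            \"*) n=${rest#\"}; n=${n%%\"*} ;;   # quoted: up to the closing quote
            *)   n=${rest%% *} ;;                # bare: up to the first blank
        esac
        # the name comes straight from the air; never let it walk out of DIR
        case $n in ''|*/*) continue ;; esac
        if [ -f "$dir/$n.nwid" ]; then
            printf '%s\n' "$n"
            return 0
        fi
    done <<EOF
$names
EOF
    return 1
}

# Typical call from /etc/netmanager, run as root via the "!" line in hostname.if(5):
#   nwid=$(ifconfig "$if" scan | pick_nwid /etc/hostname.d) || exit 1
```

Anyone can advertise any nwid, so the name is only used to select a file and never to trust the network; the passphrase inside the .nwid file is what authenticates the access point, and those files deserve the same root-only permissions as hostname.if(5).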

Open Source Threat Intelligence and pf(4)


I came up with the idea to utilize Open Source Threat Feeds, or OSINT, on my private setup and quickly cooked up the shell script below as a rough first try. The funny thing is that I more or less instantly got hits from the 5346 IP addresses in the table:

@0 block drop log quick from <pf_osint:5346> to any
  [ Evaluations: 502       Packets: 20        Bytes: 800         States: 0     ]
  [ Inserted: uid 0 pid 68515 State Creations: 0     ]

🧐. The script is currently designed to run every 3 hours and to remove IP addresses from the table a day after they were added. I am not too happy about some parts right now; first of all, I’d like to separate download and parsing out into a non-privileged process and feed one large chunk of data to pfctl(8).

That will give me the flexibility to replace the table with the new values, so I can act fast not only on additions but also on deletions from the list. No need to keep somebody out longer than necessary.

I’m not sure yet how to attack the first part. A shell script would be easier and faster to create. Privilege separation could be handled by doas(1) for the part needing higher privileges, allowing me to handle everything in a single script.

But as a start I am going to keep the script as is and see how it’s going to work out for me. So without further ado, here’s the script:

# Per feed: fetch with OpenBSD's ftp(1) (-V quiet, -M no progress meter,
# -o- to stdout), keep only lines that are a bare dotted quad and add them to
# the pf_osint table straight from stdin. The printf gives the "N/M addresses
# added" line from pfctl a label.
printf "zeustracker.abuse.ch badips "
ftp  -VMo- https://zeustracker.abuse.ch/blocklist.php?download=badips | \
        egrep "^([0-9]{1,3}\.){3}[0-9]{1,3}$" | \
        pfctl -t pf_osint -T add -f -

printf "feodotracker.abuse.ch ipblocklist "
ftp  -VMo- https://feodotracker.abuse.ch/blocklist/?download=ipblocklist | \
        egrep "^([0-9]{1,3}\.){3}[0-9]{1,3}$" | \
        pfctl -t pf_osint -T add -f -

# The ransomware tracker CSV carries the addresses inside URLs, so pull the
# dotted quad (plus whatever follows it up to the next / or ") out of each
# line. Octets have to allow 0 here: [1-9] would silently miss e.g. 10.0.0.1.
printf "ransomwaretracker.abuse.ch "
ftp -VMo- https://ransomwaretracker.abuse.ch/feeds/csv/ | \
        egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}[^/"]*' | \
        tr '|' …
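The split the post is after, unprivileged download and parsing feeding one chunk to pfctl(8), as an added example rather than the post’s script: osint_ipv4 takes any feed text on stdin (plain lists, CSV, URLs) and emits validated, de-duplicated dotted quads, dropping ranges you never want in a block table so a poisoned or sloppy feed cannot cut off your own LAN; commit_table then hands pf the whole list with -T replace, so removals propagate as well and no expiry is needed. Table name, doas(1) and the ftp(1) flags are taken from the post; the sample feed text in the test comment is made up.

```shell
#!/bin/sh
# Added example, not the post's script: parse all feeds into one validated
# list in an unprivileged step, then replace the pf table in one go.
# Assumes doas(1) for the privileged step and the pf_osint table from the post.

# osint_ipv4: extract IPv4 addresses from arbitrary feed text on stdin (plain
# lists, CSV, URLs), validate every octet, drop addresses that must never end
# up in a block table (0/8, RFC1918, loopback, link-local, multicast and
# reserved) and de-duplicate.
osint_ipv4() {
    tr -d '\r' |
    awk '
    {
        n = split($0, tok, /[^0-9.]+/)
        for (i = 1; i <= n; i++) {
            t = tok[i]
            gsub(/^\.+|\.+$/, "", t)               # "1.2.3.4." at the end of a sentence
            if (split(t, o, ".") != 4) continue     # also rejects "1.2.3.4.5"
            ok = 1
            for (k = 1; k <= 4; k++)
                if (o[k] !~ /^(0|[1-9][0-9]?[0-9]?)$/ || o[k] + 0 > 255) ok = 0
            if (!ok) continue
            a = o[1] + 0; b = o[2] + 0
            if (a == 0 || a == 10 || a == 127 || a >= 224) continue
            if (a == 172 && b >= 16 && b <= 31) continue
            if (a == 192 && b == 168) continue
            if (a == 169 && b == 254) continue
            print t
        }
    }' |
    sort -u
}

# build_table OUTFILE URL...: run every feed through osint_ipv4 into one file.
# Unprivileged; ftp -VMo- is OpenBSD's ftp(1) as used in the post.
build_table() {
    out=$1; shift
    for url in "$@"; do
        ftp -VMo- "$url" || echo "fetch failed: $url" >&2
    done | osint_ipv4 > "$out"
}

# commit_table FILE: the only privileged step. -T replace swaps the table for
# the new list, so entries that left the feeds leave the table too. Refuses an
# empty file so a dead feed cannot wipe the table.
commit_table() {
    f=$1
    [ -s "$f" ] || { echo "refusing to install empty table from $f" >&2; return 1; }
    doas pfctl -t pf_osint -T replace -f "$f"
}

# usage: osint.sh /var/db/pf_osint.txt URL [URL...]
if [ $# -ge 2 ]; then
    out=$1; shift
    build_table "$out" "$@" && commit_table "$out"
fi
```

Keep the previous list file around and look at the size difference before committing: a feed that suddenly triples is worth a glance, and a list that shrinks to a handful of addresses usually means a fetch failed rather than that the threat went away.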

OpenBSD on Hyper-V Primer


I am fed up with VMware Workstation and I’d like to check whether Hyper-V is a better alternative for me. This is not a tutorial but just a primer and scratchpad note, mainly for myself, hence the very brief notes.

  • Enable Hyper-V
  • Add your user to the group “Hyper-V Administrators”
  • Create a NAT switch (run as Hyper-V Administrator):
    New-VMSwitch -Name NATSwitch -SwitchType Internal
    Get-NetAdapter -Name *NATSwitch*
  • Set up the network for the VMs. Hyper-V does not do DHCP, it just provides a switch, which I dig. (Run as Administrator)
    • Set up the gateway IP address for the VMs. You need the IfIndex from the Get-NetAdapter command above:
      New-NetIPAddress -IPAddress 198.18.0.1 -PrefixLength 24 -InterfaceIndex 42
    • Now set up NAT:
      New-NetNat -Name HyperVNAT -InternalIPInterfaceAddressPrefix 198.18.0.0/24

We can setup our VM now:

New-VM -Name "obsd test" -MemoryStartupBytes 1GB -Generation 1 -BootDevice CD -SwitchName NATSwitch -NewVHDPath 'C:\path\to\vmstorage\obsd-test\base.vhdx' -NewVHDSizeBytes 50GB

Things that are missing / unclear so far:

  • non-persistent HDD
  • How does it know what the NAT interface is, and how does it perform if you move from a wired to a wireless connection?
  • I don’t know right now how to provide the ISO image for the DVD via New-VM
  • quick tests using a Generation 2 VM didn’t work out as the ISO didn’t boot, and Hyper-V didn’t like miniroot62.fs as an ISO…