Fix bypass detection to correctly attribute encrypted DNS bypassing
@@ -16,24 +16,44 @@ var resolverFilterLists = []string{"17-DNS"}
|
||||
// PreventBypassing checks if the connection should be denied or permitted
|
||||
// based on some bypass protection checks.
|
||||
func PreventBypassing(ctx context.Context, conn *network.Connection) (endpoints.EPResult, string, nsutil.Responder) {
|
||||
// Exclude incoming connections.
|
||||
if conn.Inbound {
|
||||
return endpoints.NoMatch, "", nil
|
||||
}
|
||||
|
||||
// Exclude ICMP.
|
||||
switch packet.IPProtocol(conn.Entity.Protocol) { //nolint:exhaustive // Checking for specific values only.
|
||||
case packet.ICMP, packet.ICMPv6:
|
||||
return endpoints.NoMatch, "", nil
|
||||
}
|
||||
|
||||
// Block firefox canary domain to disable DoH.
|
||||
// This MUST also affect the System Resolver, because the return value must
|
||||
// be correct for this to work.
|
||||
if strings.ToLower(conn.Entity.Domain) == "use-application-dns.net." {
|
||||
return endpoints.Denied,
|
||||
"blocked canary domain to prevent enabling of DNS-over-HTTPs",
|
||||
nsutil.NxDomain()
|
||||
}
|
||||
|
||||
// Block direct connections to known DNS resolvers.
|
||||
switch packet.IPProtocol(conn.Entity.Protocol) { //nolint:exhaustive // Checking for specific values only.
|
||||
case packet.ICMP, packet.ICMPv6:
|
||||
// Make an exception for ICMP, as these IPs are also often used for debugging.
|
||||
default:
|
||||
if conn.Entity.MatchLists(resolverFilterLists) {
|
||||
compat.ReportSecureDNSBypassIssue(conn.Process())
|
||||
return endpoints.Denied,
|
||||
"blocked rogue connection to DNS resolver",
|
||||
nsutil.BlockIP()
|
||||
}
|
||||
// Exclude DNS requests coming from the System Resolver.
|
||||
// This MUST also affect entities in the secure dns filter list, else the
|
||||
// System Resolver is wrongly accused of bypassing.
|
||||
if conn.Type == network.DNSRequest && conn.Process().IsSystemResolver() {
|
||||
return endpoints.NoMatch, "", nil
|
||||
}
|
||||
|
||||
// Block bypass attempts using an encrypted DNS server.
|
||||
switch {
|
||||
case conn.Entity.Port == 853:
|
||||
// Block connections to port 853 - DNS over TLS.
|
||||
fallthrough
|
||||
case conn.Entity.MatchLists(resolverFilterLists):
|
||||
// Block connection entities in the secure dns filter list.
|
||||
compat.ReportSecureDNSBypassIssue(conn.Process())
|
||||
return endpoints.Denied,
|
||||
"blocked rogue connection to DNS resolver",
|
||||
nsutil.BlockIP()
|
||||
}
|
||||
|
||||
return endpoints.NoMatch, "", nil
|
||||
|
||||
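Review bot: The two triggers in the new `switch` at the end of the hunk (port 853 and the `resolverFilterLists` match) share one reason string, `"blocked rogue connection to DNS resolver"`, so a log or UI reader cannot tell whether the block came from the port heuristic or from list membership, and the comment `// Block connection entities in the secure dns filter list.` is also reached via `fallthrough` for port-853 hits, which reads wrong. Giving each case its own report and reason string keeps the attribution this commit is about explicit; the rewritten cases are below. Separately, the System Resolver exclusion above the switch only fires for `conn.Type == network.DNSRequest`, so if the system resolver itself opens a port-853 connection (OS-level DNS-over-TLS) it would presumably still reach `compat.ReportSecureDNSBypassIssue` — worth confirming that is intended. Port 853 also carries DNS-over-QUIC over UDP, so the case comment could read `// Block connections to port 853 - DNS over TLS/QUIC.`. PreventBypassing's closing brace lies beyond the hunk.
```go
	// Block bypass attempts using an encrypted DNS server.
	switch {
	case conn.Entity.Port == 853:
		// Block connections to port 853 - DNS over TLS/QUIC.
		compat.ReportSecureDNSBypassIssue(conn.Process())
		return endpoints.Denied,
			"blocked rogue connection to encrypted DNS port 853",
			nsutil.BlockIP()
	case conn.Entity.MatchLists(resolverFilterLists):
		// Block connection entities in the secure dns filter list.
		compat.ReportSecureDNSBypassIssue(conn.Process())
		return endpoints.Denied,
			"blocked rogue connection to DNS resolver",
			nsutil.BlockIP()
	}
	// … unchanged: final NoMatch return …
```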
@@ -34,7 +34,6 @@ Seeing a lot of incoming connections here is normal, as this resembles the netwo
|
||||
In order to respect the app settings of the actual application, DNS requests from the System DNS Client are only subject to the following settings:
|
||||
|
||||
- Outgoing Rules (without global rules)
|
||||
- Block Bypassing
|
||||
- Filter Lists
|
||||
|
||||
If you think you might have messed up the settings of the System DNS Client, just delete the profile below to reset it to the defaults.
|
||||
|
||||