github/portmaster
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Fix bypass detection to correctly attribute encrypted DNS bypassing

Browse Source
This commit is contained in:
Daniel
2022-02-25 15:30:02 +01:00
parent c8e6703dac
commit 1346123d6f
2 changed files with 31 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
firewall/bypassing.go
View File

@@ -16,24 +16,44 @@ var resolverFilterLists = []string{"17-DNS"}
// PreventBypassing checks if the connection should be denied or permitted
// based on some bypass protection checks.
func PreventBypassing(ctx context.Context, conn *network.Connection) (endpoints.EPResult, string, nsutil.Responder) {
// Exclude incoming connections.
if conn.Inbound {
return endpoints.NoMatch, "", nil
}
// Exclude ICMP.
switch packet.IPProtocol(conn.Entity.Protocol) { //nolint:exhaustive // Checking for specific values only.
case packet.ICMP, packet.ICMPv6:
return endpoints.NoMatch, "", nil
}
// Block firefox canary domain to disable DoH.
// This MUST also affect the System Resolver, because the return value must
// be correct for this to work.
if strings.ToLower(conn.Entity.Domain) == "use-application-dns.net." {
return endpoints.Denied,
"blocked canary domain to prevent enabling of DNS-over-HTTPs",
nsutil.NxDomain()
}
// Block direct connections to known DNS resolvers.
switch packet.IPProtocol(conn.Entity.Protocol) { //nolint:exhaustive // Checking for specific values only.
case packet.ICMP, packet.ICMPv6:
// Make an exception for ICMP, as these IPs are also often used for debugging.
default:
if conn.Entity.MatchLists(resolverFilterLists) {
compat.ReportSecureDNSBypassIssue(conn.Process())
return endpoints.Denied,
"blocked rogue connection to DNS resolver",
nsutil.BlockIP()
}
// Exclude DNS requests coming from the System Resolver.
// This MUST also affect entities in the secure dns filter list, else the
// System Resolver is wrongly accused of bypassing.
if conn.Type == network.DNSRequest && conn.Process().IsSystemResolver() {
return endpoints.NoMatch, "", nil
}
// Block bypass attempts using an encrypted DNS server.
switch {
case conn.Entity.Port == 853:
// Block connections to port 853 - DNS over TLS.
fallthrough
case conn.Entity.MatchLists(resolverFilterLists):
// Block connection entities in the secure dns filter list.
compat.ReportSecureDNSBypassIssue(conn.Process())
return endpoints.Denied,
"blocked rogue connection to DNS resolver",
nsutil.BlockIP()
}
return endpoints.NoMatch, "", nil