[ipset] adding a fqdn and get all A or AAAA registers in the set

[ipset] adding a fqdn and get all A or AAAA registers in the set

[Arturo Borrero]

Hi there!

I've been doing some test, and I'm unable to get all A or AAAA registers of
a FQDN inside a set (i.e. hash:ip).

Try it yourself:

$ host dl.dropbox.com
[6 ips]
# ipset create hash:ip test
# ipset add test dl.dropbox.com
# ipset list test
[just 1 ip]

I took a look at the source of ipset (on git repo), but I was unable to
determine where in the code the desition of drop (or ignore) additional DNS
resolutions is being taken. (Yes, i'm a noob programmer)

Any idea?

Best regards.


--
Arturo Borrero González
Departamento de Seguridad Informática, @NIS_CICA (twitter)
Centro Informatico Cientifico de Andalucia (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía

Re: [ipset] adding a fqdn and get all A or AAAA registers in the set

[Jozsef Kadlecsik]

On Wed, 10 Oct 2012, Arturo Borrero wrote:

> I've been doing some test, and I'm unable to get all A or AAAA registers 
> of a FQDN inside a set (i.e. hash:ip).
> 
> Try it yourself:
> 
> $ host dl.dropbox.com
> [6 ips]
> # ipset create hash:ip test
> # ipset add test dl.dropbox.com
> # ipset list test
> [just 1 ip]
> 
> I took a look at the source of ipset (on git repo), but I was unable to
> determine where in the code the desition of drop (or ignore) additional DNS
> resolutions is being taken. (Yes, i'm a noob programmer)

Yes, that's right. If hostname is supplied as input, just the first 
resolved IP address is used. Look at into lib/parse.c:

/*
 * Parse IPv4/IPv6 addresses, networks and ranges.
 * We resolve hostnames but just the first IP address is used.
 */

static struct addrinfo *
call_getaddrinfo(struct ipset_session *session, const char *str,
                 uint8_t family)
{
...

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

Re: [ipset] adding a fqdn and get all A or AAAA registers in the set

[Eliezer Croitoru]

On 10/10/2012 3:13 PM, Arturo Borrero wrote:
> Hi there!
>
> I've been doing some test, and I'm unable to get all A or AAAA registers of
> a FQDN inside a set (i.e. hash:ip).
>
> Try it yourself:
>
> $ host dl.dropbox.com
> [6 ips]
> # ipset create hash:ip test
> # ipset add test dl.dropbox.com
> # ipset list test
> [just 1 ip]
>
> I took a look at the source of ipset (on git repo), but I was unable to
> determine where in the code the desition of drop (or ignore) additional DNS
> resolutions is being taken. (Yes, i'm a noob programmer)
>
> Any idea?
>
> Best regards.
you can use some script to do the resolving and then add the results to 
the set one by one.

how ipset behave is the same as iptables.

Regards,
Eliezer

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il

Re: [ipset] adding a fqdn and get all A or AAAA registers in the set

[Arturo Borrero]

> you can use some script to do the resolving and then add the results to the
> set one by one.
>
> how ipset behave is the same as iptables.

It seems that iptables is able to handle multiple resolutions:

root@xwing:~# iptables-save
root@xwing:~# host dl.dropbox.com
dl.dropbox.com is an alias for
dl-balancer3-985632286.us-east-1.elb.amazonaws.com.
dl-balancer3-985632286.us-east-1.elb.amazonaws.com has address 107.22.210.127
dl-balancer3-985632286.us-east-1.elb.amazonaws.com has address 107.22.253.68
dl-balancer3-985632286.us-east-1.elb.amazonaws.com has address 184.73.159.129
dl-balancer3-985632286.us-east-1.elb.amazonaws.com has address 23.21.123.227
dl-balancer3-985632286.us-east-1.elb.amazonaws.com has address 23.23.132.187
dl-balancer3-985632286.us-east-1.elb.amazonaws.com has address 50.17.253.115
dl-balancer3-985632286.us-east-1.elb.amazonaws.com has address 107.20.159.63
dl-balancer3-985632286.us-east-1.elb.amazonaws.com has address 107.20.162.145
root@xwing:~# iptables -A INPUT -s dl.dropbox.com -j ACCEPT
root@xwing:~# iptables-save
# Generated by iptables-save v1.4.14 on Wed Oct 10 19:47:19 2012
*filter
:INPUT ACCEPT [2:1201]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:274]
-A INPUT -s 184.73.159.129/32 -j ACCEPT
-A INPUT -s 23.21.123.227/32 -j ACCEPT
-A INPUT -s 23.23.132.187/32 -j ACCEPT
-A INPUT -s 50.17.253.115/32 -j ACCEPT
-A INPUT -s 107.20.159.63/32 -j ACCEPT
-A INPUT -s 107.20.162.145/32 -j ACCEPT
-A INPUT -s 107.22.210.127/32 -j ACCEPT
-A INPUT -s 107.22.253.68/32 -j ACCEPT
COMMIT
# Completed on Wed Oct 10 19:47:19 2012


> Yes, that's right. If hostname is supplied as input, just the first
> resolved IP address is used. Look at into lib/parse.c

I see it now. Reading man page getaddrinfo(3), it is implemented as
some kind of linked list, specially for cases where there are multiple
resolutions.

So, the function get_addrinfo in lib/parse.c needs to do something
more inside that for loop. (By now, I don't know what means the code
inside the loop if found==0, so I can't write a patch)

Regards

-- 
Arturo Borrero González
Departamento de Seguridad Informática, @NIS_CICA (twitter)
Centro Informatico Cientifico de Andalucia (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía

Re: [ipset] adding a fqdn and get all A or AAAA registers in the set

[Jozsef Kadlecsik]

On Wed, 10 Oct 2012, Arturo Borrero wrote:

> > you can use some script to do the resolving and then add the results to the
> > set one by one.
> >
> > how ipset behave is the same as iptables.
> 
> It seems that iptables is able to handle multiple resolutions:

Yes, but ipset != iptables.
 
> > Yes, that's right. If hostname is supplied as input, just the first
> > resolved IP address is used. Look at into lib/parse.c
> 
> I see it now. Reading man page getaddrinfo(3), it is implemented as
> some kind of linked list, specially for cases where there are multiple
> resolutions.
> 
> So, the function get_addrinfo in lib/parse.c needs to do something
> more inside that for loop. (By now, I don't know what means the code
> inside the loop if found==0, so I can't write a patch)

That's not possible: you can't call a session loop over the IP addresses 
from lib/parse.c in the current framework. (That's why it's not already 
done.)

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

Re: [ipset] adding a fqdn and get all A or AAAA registers in the set

[Arturo Borrero]

> That's not possible: you can't call a session loop over the IP addresses
> from lib/parse.c in the current framework. (That's why it's not already
> done.)

Ok, thanks.

Regards.

-- 
Arturo Borrero González
Departamento de Seguridad Informática, @NIS_CICA (twitter)
Centro Informatico Cientifico de Andalucia (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía

Re: [ipset] adding a fqdn and get all A or AAAA registers in the set

[Eliezer Croitoru]

On 10/10/2012 8:27 PM, Arturo Borrero wrote:
> Ok, thanks.
>
> Regards.
It's quite simple task for perl\python\ruby script to the what you need.

Regards,
Eliezer

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il

Re: [ipset] adding a fqdn and get all A or AAAA registers in the set

[Arturo Borrero]

[-- Attachment #1: Type: text/plain, Size: 640 bytes --]

On 11/10/12 12:09, Eliezer Croitoru wrote:
> It's quite simple task for perl\python\ruby script to the what you need.

Yes, I know it.

But having a layer over ipset was not what I was looking for.

Also, I considered this a nice/basic/standar/awsome feature that I 
didn't know why ipset doesn't implement it.

-- 
Arturo Borrero González
Departamento de Seguridad Informática, @NIS_CICA (twitter)
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía



[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 3072 bytes --]

Re: [ipset] adding a fqdn and get all A or AAAA registers in the set

[Eliezer Croitoru]

On 10/11/2012 12:15 PM, Arturo Borrero wrote:
> Yes, I know it.
>
> But having a layer over ipset was not what I was looking for.
>
> Also, I considered this a nice/basic/standar/awsome feature that I 
> didn't know why ipset doesn't implement it. 
it's not really a layer over ipset since it's not constant usage.
it will be only used on adding and others.
In any case something will do the dns naming resolution and will make 
the ipset rules only per resolution so for a more dynamic resolution you 
will need a helper.

Regards,
Eliezer