IP Vs DNS

IP Vs DNS

[Barry Fawthrop]

Greetings all

with an IPTABLES ruleset you can specify an IP address to be allowed/blocked
iptables INPUT -s 12.12.12.12 -j ALLOW

But can this be done with a DNS name
iptables INPUT -s www.name.com -j ALLOW

since 12.12.12.12 may be www.name.com but it can also be
12.12.15.12 or 12.15.12.19
eg www.nasa.gov this address does vary depending on location and 
sometimes time of day
from a single point I can ping www.nasa.gov and get different IP 
addresses for it.

Yet I would like to allow access but preferably not to a whole range.
Also by allowing a DNS name then if a single IP addresses hosts many 
sites, I can be specific about the site?


Thanks in advance
B


-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.11.14/129 - Release Date: 10/11/2005

Re: IP Vs DNS (nfcan: addressed to exclusive sender for this address)

[Jim Laurino]

On 2005.10.11 17:04, Barry Fawthrop - barry@ttienterprises.org wrote:
> Greetings all
> 
> with an IPTABLES ruleset you can specify an IP address to be allowed/blocked
> iptables INPUT -s 12.12.12.12 -j ALLOW
> 
> But can this be done with a DNS name
> iptables INPUT -s www.name.com -j ALLOW

IPTABLES accepts DNS names, but the DNS lookup is performed
when the rule is placed in the kernel,
not when the rule is evaluated against a packet.
The kernel (netfilter) rules use ip address only.

To achieve what you want, I think you would have to
update the rule whenever the DNS mapping changed.

> 
> since 12.12.12.12 may be www.name.com but it can also be
> 12.12.15.12 or 12.15.12.19
> eg www.nasa.gov this address does vary depending on location and sometimes  
> time of day
> from a single point I can ping www.nasa.gov and get different IP addresses  
> for it.
> 
> Yet I would like to allow access but preferably not to a whole range.
> Also by allowing a DNS name then if a single IP addresses hosts many sites,  
> I can be specific about the site?
> 
> 
> Thanks in advance
> B
> 
> 
>-- 
> No virus found in this outgoing message.
> Checked by AVG Anti-Virus.
> Version: 7.0.344 / Virus Database: 267.11.14/129 - Release Date: 10/11/2005
> 
> 
>
-- 
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.

Re: IP Vs DNS

[Barry Fawthrop]

Jim Laurino wrote:

>> Greetings all
>>
>> with an IPTABLES ruleset you can specify an IP address to be 
>> allowed/blocked
>> iptables INPUT -s 12.12.12.12 -j ALLOW
>>
>> But can this be done with a DNS name
>> iptables INPUT -s www.name.com -j ALLOW
>
>
> IPTABLES accepts DNS names, but the DNS lookup is performed
> when the rule is placed in the kernel,
> not when the rule is evaluated against a packet.
> The kernel (netfilter) rules use ip address only.
>
> To achieve what you want, I think you would have to
> update the rule whenever the DNS mapping changed.
>
How can this be done on a per packet basis, where the IP is checked 
regularly
or can the table be flushed and reloaded every hour.
What would be the negative of doing a reload each hour??

Thanks in Advance


-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.11.14/129 - Release Date: 10/11/2005

Re: IP Vs DNS

[/dev/rob0]

On Tuesday 2005-October-11 19:00, Barry Fawthrop wrote:
> Jim Laurino wrote:
> >> Greetings all
> >>
> >> with an IPTABLES ruleset you can specify an IP address to be
> >> allowed/blocked
> >> iptables INPUT -s 12.12.12.12 -j ALLOW
> >>
> >> But can this be done with a DNS name
> >> iptables INPUT -s www.name.com -j ALLOW
> >
> > IPTABLES accepts DNS names, but the DNS lookup is performed
> > when the rule is placed in the kernel,
> > not when the rule is evaluated against a packet.
> > The kernel (netfilter) rules use ip address only.

Yes, I had started a reply to demonstrate, but didn't finish it.

# iptables -vA INPUT -s net/24
  all opt -- in * out *  192.168.6.0/24  -> 0.0.0.0/0
# iptables -vA INPUT -s site # this name resolves to 2 IP's
  all opt -- in * out *  x.z.196.54  -> 0.0.0.0/0
  all opt -- in * out *  y.x.192.52  -> 0.0.0.0/0
# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 44M packets, 5956M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       192.168.8.0          0.0.0.0/0
    0     0            all  --  *      *       x.z.196.54           0.0.0.0/0
    0     0            all  --  *      *       y.x.192.52           0.0.0.0/0

A name that resolves to more than one IP gives you that many rules, one
rule for each IP.

> > To achieve what you want, I think you would have to
> > update the rule whenever the DNS mapping changed.
>
> How can this be done on a per packet basis, where the IP is checked
> regularly

Not at all. Think it through! What does netfilter see on an incoming
packet? Source IP, destination IP, protocol headers, and payload. You
want to look up reverse DNS names in real time, on live traffic? Not a
good plan. And there too, be aware that even if this was possible you
could only act on reverse DNS names. You mentioned www.nasa.gov :

$ dig www.nasa.gov

; <<>> DiG 9.3.1 <<>> www.nasa.gov
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44724
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 0

;; QUESTION SECTION:
;www.nasa.gov.                  IN      A

;; ANSWER SECTION:
www.nasa.gov.           600     IN      CNAME   www.nasa.gov.speedera.net.
www.nasa.gov.speedera.net. 120  IN      A       63.216.25.145
www.nasa.gov.speedera.net. 120  IN      A       216.200.68.6

And the reverse on those IP's:

$ host 63.216.25.145
145.25.216.63.in-addr.arpa domain name pointer 63-216-25-145.sdsl.cais.net.
$ host 216.200.68.6
Host 6.68.200.216.in-addr.arpa not found: 3(NXDOMAIN)

Wow, look at those TTL's, 600 on the CNAME and 120 on the A's! NASA DNS
records are short-lived, just like [snip crude joke] :)

> or can the table be flushed and reloaded every hour.

Only possible way to do it. I would put these dynamic rules into a user
chain, and only flush and reresolve the rules in that chain.

> What would be the negative of doing a reload each hour??

You MIGHT see momentary flickers in connectivity, but probably none. If
something like streaming video was affected, you might notice it, but
otherwise probably not.

I spent more than 10 minutes on this, start to now, so let's look at
those NASA records again.

;; ANSWER SECTION:
www.nasa.gov.           600     IN      CNAME   www.nasa.gov.speedera.net.
www.nasa.gov.speedera.net. 120  IN      A       208.254.75.142
www.nasa.gov.speedera.net. 120  IN      A       208.254.75.143

$ host 208.254.75.142
Host 142.75.254.208.in-addr.arpa not found: 3(NXDOMAIN)
$ host 208.254.75.143
Host 143.75.254.208.in-addr.arpa not found: 3(NXDOMAIN)

Two different hosts, neither with reverse DNS.

You have to consider how fast your target is moving as you take aim at
it. This particular one moves very fast. Resolving this once an hour
won't really do much for you. In general you've got the right idea,
though.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header

Re: IP Vs DNS

[R. DuFresne]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


 	[SNIP]

>
> I spent more than 10 minutes on this, start to now, so let's look at
> those NASA records again.
>
> ;; ANSWER SECTION:
> www.nasa.gov.           600     IN      CNAME   www.nasa.gov.speedera.net.
> www.nasa.gov.speedera.net. 120  IN      A       208.254.75.142
> www.nasa.gov.speedera.net. 120  IN      A       208.254.75.143
>
> $ host 208.254.75.142
> Host 142.75.254.208.in-addr.arpa not found: 3(NXDOMAIN)
> $ host 208.254.75.143
> Host 143.75.254.208.in-addr.arpa not found: 3(NXDOMAIN)
>
> Two different hosts, neither with reverse DNS.
>
> You have to consider how fast your target is moving as you take aim at
> it. This particular one moves very fast. Resolving this once an hour
> won't really do much for you. In general you've got the right idea,
> though.


Now, that's interesting, never nocited here myself that sites like this 
might change so drmatically over such a small space of time, but I guess 
the costs of avoinding repeated DDOS attacks has made such things a 
reality of net-life.

Thanks for the info and research sir.

Ron DuFresne
- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDTFzest+vzJSwZikRAskoAJ4qkdVOrnqK5J8v+XHRsSLQYgeMoACdEZNx
97cmYj5cfauZ4WwNAPZzOyA=
=xs9p
-----END PGP SIGNATURE-----

Re: IP Vs DNS

[R. DuFresne]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 11 Oct 2005, Barry Fawthrop wrote:

>
> Jim Laurino wrote:
>
>>> Greetings all
>>> 
>>> with an IPTABLES ruleset you can specify an IP address to be 
>>> allowed/blocked
>>> iptables INPUT -s 12.12.12.12 -j ALLOW
>>> 
>>> But can this be done with a DNS name
>>> iptables INPUT -s www.name.com -j ALLOW
>> 
>> 
>> IPTABLES accepts DNS names, but the DNS lookup is performed
>> when the rule is placed in the kernel,
>> not when the rule is evaluated against a packet.
>> The kernel (netfilter) rules use ip address only.
>> 
>> To achieve what you want, I think you would have to
>> update the rule whenever the DNS mapping changed.
>> 
> How can this be done on a per packet basis, where the IP is checked regularly
> or can the table be flushed and reloaded every hour.
> What would be the negative of doing a reload each hour??


During the reload, depending upon how long the rules take to be 
implimented, unless one is careful about things like turning off 
forwarding and such, there is the exposure window of the network behind 
the firewall.  Now if one has a nice, tight and short ruleset, the 
exposure window might be all iof two seconds or so, but if one has one of 
them fancy 20,000 rulsets, this exposure window might be a bit broader.

Proper placement of the 'echo "0" > /proc/sys/net/ipv4/ip_forward' and 
'echo "1" > /proc/sys/net/ipv4/ip_forward' commands within the rulesets is 
then all important when recycling the FW.  Another way around this 
might be to down all interfaces during the FW recycle, bringing them up 
after it;s complete.  Yet the thing is that DNS changes to sites like 
those mentioned above rarely takes place in any hourly let alone daily or 
weekly windows.  Now the real question is, can one control another sites 
load balancing and DNS features with funky crafting of iptables rules? 
I'm guessing in some cases it works, and in other cases yer hosing lots 
of attempts to reach a site that is not single hosted, depending upon the 
load balancing scheme<s> in place by the site owners.


Then again, what is the real goal of considering limiting to a particular 
machine for a multi-hosted site?  Is one more trustworthy then another?

Thanks,

Ron DuFresne
- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDTFsNst+vzJSwZikRAoh2AJ9zSnReJPnHL/EUEflacEeeQbRJ0gCeOD7+
wTlVaDm81UWVE+j1J/Iqm4w=
=dBeq
-----END PGP SIGNATURE-----

RE: IP Vs DNS

[Anthony Sadler]

Prehaps instead of reload the whole table, why not just reload the particular rule? 
Eg:

1. Ping www.name.com, dump IP into 1st file. Grep should help you here. 
2. Pick up IP from 1st file and use it to write rule. 

3. Ping www.name.com, dump IP into 2nd file.
4. Pick up IP from 2nd file and insert new rules.
5. Using 1st file, delete rules that correspond to 2nd IP.

6. Ping www.name.com, dump IP into 1st file.  
7. Pick up IP from 1st file and use it to write rule. 
8. Using 2nd file, delete rules that correspond to 2nd IP.

You should be able to kick off steps 1,2 yourself, then have scripts do steps 3-5 and 6-8. That way you should limit your downtime and processer usage.

Anthony Sadler
Far Edge Technology
w: (02) 8425 1400
 
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of R. DuFresne
Sent: Wednesday, 12 October 2005 10:39 
To: Barry Fawthrop
Cc: netfilter@lists.netfilter.org
Subject: Re: IP Vs DNS 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 11 Oct 2005, Barry Fawthrop wrote:

>
> Jim Laurino wrote:
>
>>> Greetings all
>>> 
>>> with an IPTABLES ruleset you can specify an IP address to be 
>>> allowed/blocked
>>> iptables INPUT -s 12.12.12.12 -j ALLOW
>>> 
>>> But can this be done with a DNS name
>>> iptables INPUT -s www.name.com -j ALLOW
>> 
>> 
>> IPTABLES accepts DNS names, but the DNS lookup is performed
>> when the rule is placed in the kernel,
>> not when the rule is evaluated against a packet.
>> The kernel (netfilter) rules use ip address only.
>> 
>> To achieve what you want, I think you would have to
>> update the rule whenever the DNS mapping changed.
>> 
> How can this be done on a per packet basis, where the IP is checked regularly
> or can the table be flushed and reloaded every hour.
> What would be the negative of doing a reload each hour??


During the reload, depending upon how long the rules take to be 
implimented, unless one is careful about things like turning off 
forwarding and such, there is the exposure window of the network behind 
the firewall.  Now if one has a nice, tight and short ruleset, the 
exposure window might be all iof two seconds or so, but if one has one of 
them fancy 20,000 rulsets, this exposure window might be a bit broader.

Proper placement of the 'echo "0" > /proc/sys/net/ipv4/ip_forward' and 
'echo "1" > /proc/sys/net/ipv4/ip_forward' commands within the rulesets is 
then all important when recycling the FW.  Another way around this 
might be to down all interfaces during the FW recycle, bringing them up 
after it;s complete.  Yet the thing is that DNS changes to sites like 
those mentioned above rarely takes place in any hourly let alone daily or 
weekly windows.  Now the real question is, can one control another sites 
load balancing and DNS features with funky crafting of iptables rules? 
I'm guessing in some cases it works, and in other cases yer hosing lots 
of attempts to reach a site that is not single hosted, depending upon the 
load balancing scheme<s> in place by the site owners.


Then again, what is the real goal of considering limiting to a particular 
machine for a multi-hosted site?  Is one more trustworthy then another?

Thanks,

Ron DuFresne
- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDTFsNst+vzJSwZikRAoh2AJ9zSnReJPnHL/EUEflacEeeQbRJ0gCeOD7+
wTlVaDm81UWVE+j1J/Iqm4w=
=dBeq
-----END PGP SIGNATURE-----

RE: IP Vs DNS

[R. DuFresne]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 12 Oct 2005, Anthony Sadler wrote:

> Prehaps instead of reload the whole table, why not just reload the particular rule?
> Eg:
>
> 1. Ping www.name.com, dump IP into 1st file. Grep should help you here.
> 2. Pick up IP from 1st file and use it to write rule.
>
> 3. Ping www.name.com, dump IP into 2nd file.
> 4. Pick up IP from 2nd file and insert new rules.
> 5. Using 1st file, delete rules that correspond to 2nd IP.
>
> 6. Ping www.name.com, dump IP into 1st file.
> 7. Pick up IP from 1st file and use it to write rule.
> 8. Using 2nd file, delete rules that correspond to 2nd IP.
>
> You should be able to kick off steps 1,2 yourself, then have scripts do steps 3-5 and 6-8. That way you should limit your downtime and processer usage.


As /dev/rob pointed out for those sites that do change on a regular basis, 
it might well work to script up and cron the first few steps with a tap 
fired off to the admin that a change has bee noted and to fire off the 
second round that affects the FW rule sets in question.  Of course the 
question then is, does that mean that in even scripting through htese 
steps might they miss the next change of IP's entirely...


I think this is a good alternative, and if scripted correctly might save 
time and cpu cycles, but if done by hand certainly might work for the 
opposit.  Still and I'm perhaps missing something, I'm trying to 
understand why, with a multi-hosted site, someone might want to push all 
their packets at a particular system and undo the load balancing and such 
that the site operator<s> put in place to ease congestion on their 
systems?

Thanks,


Ron DuFresne
- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDTZfHst+vzJSwZikRAjivAKDZviVwlaGkChKAgOoApo+eCWXVrQCgnEUI
zDFr6wuqes56XhzRRk6KvIQ=
=Rp3H
-----END PGP SIGNATURE-----