DNS rules treat "To this host/IP/Net" differently than other rules #636
Why do OpenSnitch DNS rules use the queried DNS hostname instead of the actual destination host/IP address of the DNS server being queried? This seems to break the standard OpenSnitch rule, since all other protocol rules use "To this host/IP/Net" to refer to the actual destination IP in the packet. I can see the benefit of being able to filter which DNS queries are made to a DNS server; however, I don't see a way to set a rule to limit which DNS servers are queried. Is there functionality I'm missing to do this? BTW, I'm AMAZED at the progress you've made with this tool from its early releases. I tried out one of the first versions you released before you added the eBPF source, which was a path I was trying to pursue for one of my own tools, and was ecstatic to revisit your project again a few weeks ago to find you had fully adopted eBPF and had a fully functioning tool that met my needs. THANK YOU for all your work on this project. It is VERY appreciated and needed in the Linux circles.
Hey @meeas , thank you! ❤️ 😊
If you mean why the queried DNS hostname is displayed in the list of connections instead of the DNS server being queried, if I remember correctly it is because some users found it confusing.
On versions 1.0.0-rcX I used to display:
xx is connecting to 1.1.1.1 (www.domain.com)
This is one of the discussions I think: gustavo-iniguez-goya#6
Now we display only the domain.
I just tested it, if you create a rule to deny/allow a rule
So if you deny everything by default and create a rule to allow traffic to port 53 (and maybe 443, etc.) and to the DNS servers' IPs it should work
We intercept DNS resolve responses and we cache the domain and all the IPs that it resolves to, using an iptables/nftables rule. Then when a new outbound connection is about to be established, we look up the IP in the cache, and we display the domain to the user if the connection doesn't match against any rule. If the domain matches a rule, then the rule is applied on that connection. Recently we have added eBPF code to intercept the getaddrinfo and gethostname libc functions, because in some scenarios we were unable to get the domain, like when systemd-resolved is configured with DoT or when some software inserts firewall rules that bypass ours (like libvirtd).
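The two maintainer replies above describe one flow: DNS responses are intercepted and the domain plus every IP it resolved to are cached; when a new outbound connection appears, its destination IP is looked up in that cache and the rules are matched on the domain (or, failing that, on the raw IP and port); and a deny-by-default policy with an allow rule for port 53 to chosen resolver IPs restricts which DNS servers can be queried. The Python below is an added example that models that flow end to end; it is not OpenSnitch's own code. The DNS wire parsing follows RFC 1035 (including compression pointers), the sample response and the 192.0.2.x/198.51.100.x/203.0.113.x addresses are constructed, and the rule shape (a dict of operand values that must all match, with operand names borrowed from OpenSnitch's dest.ip / dest.port / dest.host) is a simplifying assumption, not OpenSnitch's rule format.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS label form."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def build_a_response(qname: str, addrs: List[str], txid: int = 0x1234) -> bytes:
    """Constructed sample input: a DNS response carrying one A record per address."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for a in addrs:
        rdata = bytes(int(o) for o in a.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + rdata
    return header + question + answers


def decode_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we were
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(pkt[off:off + ln].decode())
        off += ln


def parse_a_records(pkt: bytes) -> Dict[str, List[str]]:
    """Return {domain: [ipv4, ...]} for the A answers in a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(pkt, off)
        off += 4  # skip QTYPE and QCLASS
    out: Dict[str, List[str]] = {}
    for _ in range(ancount):
        name, off = decode_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            out.setdefault(name, []).append(".".join(str(b) for b in rdata))
    return out


def learn(cache: Dict[str, str], response: bytes) -> None:
    """Fill the IP -> domain cache from an intercepted DNS response."""
    for domain, ips in parse_a_records(response).items():
        for ip in ips:
            cache[ip] = domain


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    conditions: Dict[str, str]  # all operands must match (hypothetical AND rule)


def match(rules: List[Rule], cache: Dict[str, str], dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """First rule whose conditions all match wins; anything else is denied by default."""
    fields: Dict[str, Optional[str]] = {
        "dest.ip": dst_ip, "dest.port": str(dst_port), "dest.host": cache.get(dst_ip)}
    for rule in rules:
        if all(fields.get(k) == v for k, v in rule.conditions.items()):
            return rule.action, rule.name
    return "deny", "default-deny"


def demo() -> Dict[str, Tuple[str, str]]:
    cache: Dict[str, str] = {}
    # Constructed: the resolver at 192.0.2.53 answered www.example.test with two A records
    learn(cache, build_a_response("www.example.test", ["203.0.113.10", "203.0.113.11"]))
    rules = [
        Rule("allow-dns", "allow", {"dest.ip": "192.0.2.53", "dest.port": "53"}),
        Rule("allow-example-https", "allow", {"dest.host": "www.example.test", "dest.port": "443"}),
    ]
    return {
        "query-to-allowed-resolver": match(rules, cache, "192.0.2.53", 53),
        "query-to-other-resolver": match(rules, cache, "198.51.100.53", 53),
        "https-to-cached-domain": match(rules, cache, "203.0.113.11", 443),
        "https-to-unknown-ip": match(rules, cache, "198.51.100.7", 443),
    }
```

Running `demo()` shows the two halves of the answer: the port-53 connection to 192.0.2.53 is allowed purely on IP and port (the resolver's own address is not in the domain cache, so a host-based rule would never see it), a port-53 connection to any other resolver falls through to the default deny, and the HTTPS connection to 203.0.113.11 is allowed by the domain rule only because the intercepted response had already mapped that IP to www.example.test. If the cache miss cases described in the reply (DoT via systemd-resolved, a firewall rule that bypasses the interception) occur, `cache.get` returns None and only IP/port rules can still match.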