Using DNS names when making iptables rules

Vik Heyndrickx
Tue, 8 Jan 2002 22:51:53 +0100

> -----Original Message-----
> From:
> []On Behalf Of Patrick Schaaf
> Sent: Tuesday, January 08, 2002 10:03 PM
> To: Bryan Hundven
> Cc: Damien Dye;
> Subject: Re: Using DNS names when making iptables rules
> > From: "Damien Dye" <>
> > > is it possible to write rules using the dns names of the
> hosts instead of
> > > the IP address
> On Tue, Jan 08, 2002 at 12:38:18PM -0800, Bryan Hundven wrote:
> > Of course, You just have to remember that each time a
> connection comes in,
> > to match it must do a dns lookup to verify (which takes some time).
> > It is recommended to use ip's.
> I am 100% sure that iptables does NOT do on-the-fly DNS lookups.
> The names are looked up when the rule is loaded into the kernel
> (i.e. the relevant iptables command is executed). In the kernel,
> there are only IP addresses.
> I have a cunning plan how to improve the situation, but I don't
> know if it's really a good idea...

Of course I don't know what that cunning plan is all about, but it IS a bad
idea to involve DNS names for two main reasons:
- You can control access through the firewall by attacking the DNS system it
is using (and that could be the entire Internet DNS system). IMHO an
IP-filtering firewall should provide security on its own, not relying on
other servers.
- can resolve to many IP addresses. Considering that, what
are you going to do with:
    iptables -A INPUT -s -j ACCEPT
and with
    iptables -A INPUT -s -j REJECT
(try to expand both using the currently defined implementation, and what
that yields for some multi-ip match implementation)

Another problem that can be solved (but with a cost), is when are you going
to resolve the DNS names to IP addresses? At rule load time or on-the-fly as
each packet traverses the firewall? This is going to put an extraordinary
load on the host.
Finally, a chicken and egg problem. Netfilter is started way before the
"named" process is loaded. In a decent secure setup the firewall rules are
brought up before the network interfaces are effectively brought up. These
rules would try to do name lookups using a name server which is unreachable.

Hence it's impossible to create a well engineered solution. And that makes
that solution-to-be cunning (you made me curious) ;-)
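The multi-address expansion discussed above, as an added example that is not part of the original thread: iptables resolves a hostname once, when the rule is loaded, and installs one kernel rule per address it got back, so the ACCEPT/REJECT pair in the mail turns into several rules whose outcome is decided by chain order (first match wins). The addresses and the `expand_rule`/`first_match` helpers below are constructed for illustration so the script runs offline; real iptables performs the lookup itself and the kernel never sees the name.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list thread.
# Models what iptables does with "-s <name>" at rule-load time when the
# name resolves to several addresses: one rule per address, in order.

# expand_rule CHAIN TARGET ADDR...
# Prints one "iptables -A CHAIN -s ADDR -j TARGET" line per address,
# which is the set of rules the kernel would actually receive.
expand_rule() {
    chain=$1; target=$2; shift 2
    for addr in "$@"; do
        printf 'iptables -A %s -s %s -j %s\n' "$chain" "$addr" "$target"
    done
}

# Constructed stand-in for a name with three A records (no real DNS lookup;
# these are documentation addresses, chosen only for the example).
MULTI_IP="192.0.2.10 192.0.2.11 198.51.100.7"

# The two rules from the thread, loaded in that order. Each becomes three
# kernel rules; later changes to the name's records are never seen.
expanded_accept() { expand_rule INPUT ACCEPT $MULTI_IP; }
expanded_reject() { expand_rule INPUT REJECT $MULTI_IP; }

# first_match ADDR
# Walks the expanded chain in load order and prints the target of the first
# rule whose source matches ADDR; prints nothing when no rule matches.
first_match() {
    pkt=$1
    { expanded_accept; expanded_reject; } |
    while read -r cmd opt chain sflag src jflag target; do
        if [ "$src" = "$pkt" ]; then
            echo "$target"
            break
        fi
    done
}

# Stand-alone run: show the expanded chain and a sample lookup.
if [ "${1:-}" = "--demo" ]; then
    expanded_accept
    expanded_reject
    echo "packet from 192.0.2.11 hits: $(first_match 192.0.2.11)"
fi
```

Run with `sh script.sh --demo` to print the six expanded rules. The point the mail makes follows directly: because every address of the name is expanded under the same target, the REJECT rules are unreachable for those sources, and a change in the DNS answer after load time is not reflected at all, which is why pinning explicit IP addresses in the ruleset is the safer choice.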