Future enhancement: Add DNS proxy

Question

Future enhancement: Add DNS proxy

davidhadas opened this issue a year ago · comments

David Hadas commented a year ago

Analyze the List of Names resolved - behavior change, tunneling
Analyze data transferred on Req and Resp (tunneling attacks)

David Hadas · Answer 1 · Tue Jan 17 2023 02:10:03 GMT+0800 (China Standard Time)

POC for adding dns proxy shows:

Serving changes are needed to allow queue-proxy to open port 53 - there seem to be 2 options to do that:
- Run setcap cap_net_bind_service+ep - can only be done with Dockerfile - not with ko
- Use pod level sysctl net.ipv4.ip_unprivileged_port_start=53
Serving changes are needed to ensure podSpec include:
- dnsPolicy: None
- dnsConfig: nameservers: - 127.0.0.1
Serving need to set env variable to provide queue-proxy with the cluster nameserver ip address(es)

Potential Value:

Identify unexpected DNS query to names not in criteria
Ignore alerts to IPs received from DNS to approved names
Identify dns protocol anomalies (attempts at DNS tunneling from an already approved DNS server)
The basis for future control over egress

github-actions · Answer 2 · Mon May 29 2023 09:27:59 GMT+0800 (China Standard Time)

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

David Hadas · Answer 3 · Tue May 30 2023 13:18:49 GMT+0800 (China Standard Time)

/remove-lifecycle stale

github-actions · Answer 4 · Wed Aug 30 2023 09:20:51 GMT+0800 (China Standard Time)

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

David Hadas · Answer 5 · Mon Sep 11 2023 23:51:19 GMT+0800 (China Standard Time)

It is left for future to extend Guard for DNS support.
A POC was created but has not reached maturity and therefore not merged.

David Hadas · Answer 6 · Mon Sep 11 2023 23:51:28 GMT+0800 (China Standard Time)

/remove-lifecycle stale

github-actions · Answer 7 · Mon Dec 11 2023 09:24:58 GMT+0800 (China Standard Time)

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

David Hadas · Answer 8 · Mon Dec 11 2023 20:00:44 GMT+0800 (China Standard Time)

/remove-lifecycle stale

github-actions · Answer 9 · Tue Mar 12 2024 09:20:19 GMT+0800 (China Standard Time)

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.