mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Possible error in DNS canonical name handling

Sun Mar 28, 2021 2:48 pm

I'm using the DNS in my router (hAP ac^2 with RouterOS 7.1beta3).
I'm by default blocking all outgoing (as well as incoming) traffic; I allow it only by explicitly adding the address to an "allow" list.
This works fine, but today I experienced this funny problem: the address www.edn.com does not get blocked even though it's not explicitly allowed to pass out or in.
A little research and testing shows that this address has a canonical name www.edn.com.edgekey.net in the DNS:
$ nslookup www.edn.com
Server: 192.168.x.x
Address: 192.168.x.x#53

Non-authoritative answer:
www.edn.com canonical name = www.edn.com.edgekey.net.
www.edn.com.edgekey.net canonical name = e1899.a.akamaiedge.net.
Name: e1899.a.akamaiedge.net
Address: 104.81.79.46
So, does this indicate an error in RouterOS DNS?

Thx
Last edited by mutluit on Sun Mar 28, 2021 5:04 pm, edited 1 time in total.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Possible error in DNS canonical name handling

Sun Mar 28, 2021 3:34 pm

The CNAME is indeed the cause of this. Looking at Pi-hole, it will block
www.edn.com.edgekey.net
if it is in a list used to block domains.

They use whitelisting, and that will match the domain you type and will ignore blocking, and you will access that domain.

RouterOS DNS will resolve in one go, as it should do, to the last record, and that is the
www.edn.com.edgekey.net
IP address, so blocking on the IP address is still possible. This is normal, and Pi-hole is bending/cheating to have an escape route.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Possible error in DNS canonical name handling

Sun Mar 28, 2021 3:58 pm

> msatter wrote:
> The CNAME is indeed the cause of this. Looking at Pi-hole, it will block
> www.edn.com.edgekey.net
> if it is in a list used to block domains.
>
> They use whitelisting, and that will match the domain you type and will ignore blocking, and you will access that domain.
>
> RouterOS DNS will resolve in one go, as it should do, to the last record, and that is the
> www.edn.com.edgekey.net
> IP address, so blocking on the IP address is still possible. This is normal, and Pi-hole is bending/cheating to have an escape route.

Thanks, but why is it not blocking by default (since the default here is set explicitly to blocking)?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Possible error in DNS canonical name handling

Sun Mar 28, 2021 4:09 pm

Address list uses resolved IP addresses (it repeats resolving after the DNS record TTL expires, so it keeps the IP address semi-up-to-date) ... since the ultimate destination is some Akamai cloud address, it could be that the same IP address is whitelisted for some other domain. If you want to block according to FQDN, you either have to use the L7 firewall (very resource demanding and inefficient if the connection is encrypted) or DNS "fake records" (FQDN resolves to 127.0.0.1; can easily be bypassed, e.g. by using DoH).
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Possible error in DNS canonical name handling

Sun Mar 28, 2021 4:51 pm

> mkx wrote:
> Address list uses resolved IP addresses (it repeats resolving after the DNS record TTL expires, so it keeps the IP address semi-up-to-date) ... since the ultimate destination is some Akamai cloud address, it could be that the same IP address is whitelisted for some other domain. If you want to block according to FQDN, you either have to use the L7 firewall (very resource demanding and inefficient if the connection is encrypted) or DNS "fake records" (FQDN resolves to 127.0.0.1; can easily be bypassed, e.g. by using DoH).

Is there in the RouterOS CLI a wildcard/regex format to find/list all addresses that contain the string "akamai"?
Tried the following, but I think it's not correct syntax, and I'm not up to date with CLI or script commands:
/ip/firewall/address-list
find where address="*akamai*"
find where comment="*akamai*"
Update/FIX: I meant "print", not "find", like this:
/ip/firewall/address-list
print where address="*akamai*"
print where comment="*akamai*"
Last edited by mutluit on Mon Mar 29, 2021 1:31 pm, edited 1 time in total.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Possible error in DNS canonical name handling

Sun Mar 28, 2021 5:10 pm

Use:
/ip/firewall/address-list print where address~"akamai"
If you have the correct IP address, it should be blocked; however, as stated by mkx, the addresses may vary due to the usage of cloud by Akamai, determined by geographical and/or load-based answers.

My resolve:
:put [:resolve www.edn.com]
104.73.32.103
Resolve via a site: 92.123.55.56

My earlier answer was not correct in this.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Possible error in DNS canonical name handling

Sun Mar 28, 2021 5:26 pm

@msatter, as you already stated, with such cloud servers the underlying IP of a domain varies depending on the region/country etc.
I'm getting this:
:put [:resolve www.edn.com]
2.23.78.15
The question now is how to find the record that contains this IP, as it is usually not exactly the same IP but one where the IP is a member of it (i.e. a subnet IP covered by the subnet mask).
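The two points raised above (mkx's explanation that an address-list entry matches on the resolved IP, so a CNAME chain ending on a shared Akamai edge IP can be let through by an entry added for a different domain, and the question of finding which list entry covers a given IP) as one added worked example. This is illustrative Python, not RouterOS code; the DNS table mirrors the nslookup output in the thread, while cdn.allowed.example, its IP and the 198.51.100.0/24 entry are constructed.

```python
import ipaddress

# Constructed DNS table modelled on the nslookup output in the thread:
# the CNAME chain for www.edn.com ends on an Akamai edge address.
DNS = {
    "www.edn.com": ("CNAME", "www.edn.com.edgekey.net"),
    "www.edn.com.edgekey.net": ("CNAME", "e1899.a.akamaiedge.net"),
    "e1899.a.akamaiedge.net": ("A", ["104.81.79.46"]),
    # Hypothetical site that was deliberately allowed; on a CDN it can
    # share the very same edge IP with an unrelated customer.
    "cdn.allowed.example": ("A", ["104.81.79.46"]),
}

# Constructed "allow" address-list as RouterOS would hold it: FQDN
# entries are resolved to IPs, plain IP/CIDR entries are used as-is.
ALLOW_LIST = [
    {"address": "cdn.allowed.example", "comment": "allowed CDN host"},
    {"address": "198.51.100.0/24", "comment": "partner net"},
]

def resolve_chain(name, max_hops=8):
    """Follow CNAMEs like a resolver does; return (chain, final IPs)."""
    chain = [name]
    for _ in range(max_hops):
        rtype, value = DNS.get(name, (None, None))
        if rtype == "A":
            return chain, value
        if rtype != "CNAME":
            return chain, []          # NXDOMAIN / unsupported record
        name = value
        chain.append(name)
    raise ValueError("CNAME loop or chain too long")

def expand_entry(entry):
    """Networks the firewall actually matches for one list entry."""
    addr = entry["address"]
    try:
        return [ipaddress.ip_network(addr, strict=False)]
    except ValueError:                # not an IP: FQDN entry, resolve it
        _, ips = resolve_chain(addr)
        return [ipaddress.ip_network(ip) for ip in ips]

def covering_entry(ip, address_list=ALLOW_LIST):
    """Return the list entry whose network contains ip, or None."""
    target = ipaddress.ip_address(ip)
    for entry in address_list:
        if any(target in net for net in expand_entry(entry)):
            return entry
    return None

def why_allowed(name):
    """For a name, map each final IP to the allow-list entry covering it."""
    chain, ips = resolve_chain(name)
    return chain, {ip: covering_entry(ip) for ip in ips}
```

Running why_allowed("www.edn.com") shows the chain ending on 104.81.79.46 and that IP covered by the cdn.allowed.example entry, which is exactly how an unlisted domain slips past an IP-based allow list.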
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Possible error in DNS canonical name handling

Sun Mar 28, 2021 7:59 pm

If your router also provides the DNS for the clients, then you put a static entry in the router DNS.

When a client does not use your router DNS, then you are almost out of luck. You then have to collect all IP addresses Akamai uses for this domain and block these in the address list.
