DNS Queries Using API - BIND9


DNS Queries Using API - BIND9

blason16
Hi Folks,

I am seeking a solution for our problem below and wanted to know if any open source option can help us here?
We have our internal DNS RPZ firewall built on BIND9. Due to the current situation, since all users are working from home, we are not able to route their queries to the internal DNS servers. Well, when they are on VPN the queries are definitely passed through the internal DNS server, but they are left open when not connected to VPN.

Is there any solution using -
  • An API by which we can route the queries for users who are on the Internet
  • Or any client utility which can be installed on the user's desktop/laptop where we can embed our BIND RPZ server and then route the queries to the internal one using NAT?
  • Or any other alternative the community can suggest?

This is just like Cisco Umbrella or any other paid DNS firewall solution, but we are seeking an open source option, if there is one?

Thanks & Regards
Blason R

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS Queries Using API - BIND9

Reindl Harald


On 11.05.20 at 06:14 Blason R wrote:

> I am seeking solution for our below problem and wanted to know if any
> open source option can help us here?
> We have our internal DNS RPZ firewall built on BIND9. Due to the current
> situation since all users are working from home we are not able to route
> their queries to internal DNS servers. Well, when they are on VPN
> definitely queries are then passed through internal DNS server but they
> left open when not connected to VPN.
>
> Is there any solution using -
>
>   * API by which we can route the queries for user who are on Internet
>   * Or any client utility which can be installed on user's
>     desktop/laptop where we can embed our BIND RPZ server and then route
>     the queries to internal one using NAT?
>   * Or any other alternative community can suggest?

When you are in the position to use something like this you can also
tell your users they have to configure their machines to use a public
DNS you are hosting, and you are done.

Re: DNS Queries Using API - BIND9

Bind-Users forum mailing list
In reply to this post by blason16
Hi Blason,

There are open source clients for iOS (DNSCloak) and Android (Intra) which use DoH (you will need to install a DoH proxy), but I'm not aware of free clients for Mac/Windows/Linux (maybe because they have embedded clients which can be configured to use any 3rd party DNS :).
The main issue is that BIND doesn't provide an authentication method. So in any case you somehow should manage access to the DNS server; otherwise it will become an open resolver and will be used for DDoS attacks.

I would recommend you a few options here:
- Use a trial of any "paid" solution. E.g. Infoblox offers a 90 day free trial - it may be enough to get through the WFH stage;
- Require VPN back to your HQ and provision it to be established automatically;
- Install BIND on these laptops and push RPZ feeds directly to them (zone transfer can be authenticated by using TSIG keys). You may see issues if the feed size is >1m rules.
- Provide your employees with VMs (if they have servers at home) or even a Raspberry Pi to protect the whole home network (actually it is important). On my ioc2rpz community site (https://ioc2rpz.net) you can take a look at the RpiDNS installation script. It installs ISC BIND and provisions my community RPZ feeds (you may replace them with your feeds), OpenResty for an admin interface and a walled garden page, and provisions RSyslog. On a Raspberry Pi Zero the installation takes about 10 minutes (demo video - https://www.youtube.com/watch?time_continue=2&v=942yKOGAwbU&feature=emb_logo).


BR,
Vadim
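Vadim's third option above, pushing RPZ feeds to the resolvers, depends on the feed being a well-formed RPZ zone that named will actually load. The script below is an added example (not code from the thread, from ioc2rpz or from ISC) that turns a list of indicators into an RPZ zone file, covering the QNAME, IP (rpz-ip) and NSDNAME (rpz-nsdname) trigger encodings and the standard policy actions. The zone name rpz.corp.example, the walled-garden host block.corp.example and the indicators in SAMPLE_IOCS are constructed for the example.

```python
"""Build a BIND9 Response Policy Zone (RPZ) file from a list of indicators.

Added example, not code from the thread, from ioc2rpz or from ISC. It shows
the trigger and action encodings a feed must get right before it is pushed
to BIND9 resolvers (e.g. as a secondary zone transferred under a TSIG key).
The indicators, zone name and walled-garden host are constructed.
"""
import ipaddress
import re

# Policy actions are encoded in the record data (right-hand side).
ACTIONS = {
    "nxdomain": "CNAME .",              # answer NXDOMAIN
    "nodata":   "CNAME *.",             # answer NODATA
    "passthru": "CNAME rpz-passthru.",  # whitelist: stop policy processing
    "drop":     "CNAME rpz-drop.",      # send no answer at all
    "tcp-only": "CNAME rpz-tcp-only.",  # force the client to retry over TCP
}

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def validate_name(name: str) -> str:
    """Lower-case and check a domain name. One malformed feed line would
    otherwise stop named from loading the whole zone, disabling the firewall."""
    name = name.strip().rstrip(".").lower()
    if not name or len(name) > 253 or not all(_LABEL.match(l) for l in name.split(".")):
        raise ValueError(f"invalid domain name: {name!r}")
    return name


def qname_trigger(name, action="nxdomain", walled_garden=None, subdomains=True):
    """QNAME trigger: fires on the queried name; the wildcard record covers its
    subdomains. 'redirect' sends the client to a walled-garden host instead."""
    name = validate_name(name)
    if action == "redirect":
        if not walled_garden:
            raise ValueError("redirect needs a walled_garden host")
        rhs = f"CNAME {validate_name(walled_garden)}."
    else:
        rhs = ACTIONS[action]
    recs = [f"{name} {rhs}"]
    if subdomains:
        recs.append(f"*.{name} {rhs}")
    return recs


def ip_trigger(cidr, action="nxdomain"):
    """IP trigger (rpz-ip): fires when the *answer* contains an address in the
    prefix. Owner is prefixlen.<address words in reverse order>.rpz-ip; IPv6
    words are written without leading zeros."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        words = str(net.network_address).split(".")
    else:
        words = [w.lstrip("0") or "0" for w in net.network_address.exploded.split(":")]
    owner = f"{net.prefixlen}." + ".".join(reversed(words)) + ".rpz-ip"
    return [f"{owner} {ACTIONS[action]}"]


def nsdname_trigger(name, action="nxdomain"):
    """NSDNAME trigger: fires when the answer's zone is served by this name server."""
    return [f"{validate_name(name)}.rpz-nsdname {ACTIONS[action]}"]


def records_from_iocs(iocs, walled_garden=None):
    """Map (trigger type, value, action) tuples to RPZ records."""
    recs = []
    for kind, value, action in iocs:
        if kind == "qname":
            recs += qname_trigger(value, action, walled_garden)
        elif kind == "ip":
            recs += ip_trigger(value, action)
        elif kind == "nsdname":
            recs += nsdname_trigger(value, action)
        else:
            raise ValueError(f"unknown trigger type {kind!r}")
    return recs


def build_rpz_zone(origin, records, serial, primary_ns="localhost."):
    """Assemble the zone file. The serial must increase on every feed update,
    or secondaries will never transfer the new policy."""
    origin = validate_name(origin)
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA {primary_ns} hostmaster.{origin}. {serial} 3600 600 86400 300",
        f"@ IN NS {primary_ns}",
    ] + records
    return "\n".join(lines) + "\n"


# Constructed sample feed: (trigger type, value, action).
SAMPLE_IOCS = [
    ("qname", "malware.example", "nxdomain"),
    ("qname", "Phish.Example.", "redirect"),
    ("qname", "cdn.partner.example", "passthru"),
    ("ip", "192.0.2.0/24", "nxdomain"),
    ("ip", "2001:db8::/32", "drop"),
    ("nsdname", "ns1.bulletproof.example", "nxdomain"),
]

if __name__ == "__main__":
    recs = records_from_iocs(SAMPLE_IOCS, walled_garden="block.corp.example")
    print(build_rpz_zone("rpz.corp.example", recs, serial=2020051101))
```

The output is loaded like any other zone and referenced from a `response-policy` statement; the passthru record is the whitelist mechanism for names that would otherwise be caught by a broader rule, and the serial argument has to be bumped on every regeneration or the laptops pulling the zone under TSIG will keep the old policy.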

Re: DNS Queries Using API - BIND9

Daniel Stirnimann


On 11.05.20 08:18, Vadim Pavlov via bind-users wrote:
> The main issue that bind does’t provide an authentication method. So in
> any case you somehow should manage the access to the DNS server vice
> versa it will became open resolver and will be used for DDoS attacks.

If you were to use DoH, you could use Basic Authentication. The DoH URL
you could configure on your client systems could be something like this:

https://username:password@.../dns-query


Daniel
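As an added example of the Basic Authentication gate Daniel suggests (not code from the thread, from BIND or from ISC), the block below shows both halves: the client encodes an RFC 8484 DoH GET and attaches the credentials, and the proxy in front of BIND verifies them before it decodes the dns= payload and forwards anything to the resolver. The `https://username:password@.../dns-query` form is a URL shorthand that HTTP clients turn into exactly the Authorization header built here. The hostname doh.corp.example, the user names and passwords and the sample blocked response are constructed for the example.

```python
"""DNS-over-HTTPS (RFC 8484) GET with HTTP Basic authentication, both sides.

Added example, not code from the thread, BIND or ISC. Hostname, users,
passwords and the sample response are constructed for this example.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(qname: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query. RFC 8484 uses ID 0 so identical queries give
    identical URLs and HTTP caching can work."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_request(server: str, user: str, password: str, qname: str):
    """Client side: (url, headers) for a DoH GET with Basic auth. The dns=
    value is base64url with the padding removed (RFC 8484 section 6). The
    credentials are only as safe as the TLS connection carrying them."""
    dns_param = base64.urlsafe_b64encode(build_query(qname)).rstrip(b"=").decode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    url = f"https://{server}/dns-query?dns={dns_param}"
    headers = {"Accept": "application/dns-message", "Authorization": f"Basic {token}"}
    return url, headers


def decode_dns_param(dns_param: str) -> bytes:
    """Proxy side: restore the padding and decode the dns= parameter."""
    return base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))


# Proxy-side credential store: salted PBKDF2 hashes, one per user, so a
# leaked store does not hand out the passwords. Filled with constructed users.
USER_DB: dict[str, tuple[bytes, bytes]] = {}
_DUMMY = (bytes(16), bytes(32))  # keeps unknown-user timing close to known-user timing


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def add_user(user: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USER_DB[user] = (salt, _derive(password, salt))


def authorize(headers: dict) -> str | None:
    """Return the authenticated user name, or None. The comparison is constant
    time. A real proxy should do this once per HTTP/2 connection and cache the
    result instead of re-deriving the hash for every DNS query."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 credentials
        return None
    if not sep:
        return None
    salt, expected = USER_DB.get(user, _DUMMY)
    ok = hmac.compare_digest(_derive(password, salt), expected)
    return user if ok and user in USER_DB else None


def rcode_name(response: bytes) -> str:
    """Name of the RCODE in a wire-format response; an RPZ 'CNAME .' policy
    reaches the client as NXDOMAIN."""
    flags = struct.unpack("!H", response[2:4])[0]
    return RCODES.get(flags & 0x000F, f"RCODE{flags & 0x000F}")


# Constructed response from the RPZ-protected resolver for a blocked name:
# QR=1, RD=1, RA=1, RCODE=3, question echoed, no answer records.
SAMPLE_BLOCKED = struct.pack("!HHHHHH", 0, 0x8183, 1, 0, 0, 0) + build_query("malware.example")[12:]

if __name__ == "__main__":
    add_user("alice", "correct horse battery staple")
    url, hdrs = doh_get_request("doh.corp.example", "alice", "correct horse battery staple", "malware.example")
    print(url)
    print("authorized as:", authorize(hdrs))
    print("blocked lookup ->", rcode_name(SAMPLE_BLOCKED))
```

Only the proxy sees the HTTP layer; named behind it still needs `allow-query`/`allow-recursion` restricted to the proxy's address, otherwise the authentication gate is bypassed by simply talking to port 53 directly and the server is the open resolver Vadim warns about.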

Re: DNS Queries Using API - BIND9

Bind-Users forum mailing list
Good idea. It may work. I have been using Intra for 1.5 years (with my DNS) and actually didn't try it; likely my "old" DoH proxy doesn't support it.
With nginx it should be possible if these open source clients support it.
For Win/Mac/Linux there should be some open source DoH clients (a backup would be using it just in browsers).

Vadim

> On May 10, 2020, at 23:26, Daniel Stirnimann <[hidden email]> wrote:
>
>
>
> On 11.05.20 08:18, Vadim Pavlov via bind-users wrote:
>> The main issue that bind does’t provide an authentication method. So in
>> any case you somehow should manage the access to the DNS server vice
>> versa it will became open resolver and will be used for DDoS attacks.
>
> If you were to use DoH, you could use Basic Authentication. The DoH URL
> you could configure on your client systems could be something like this:
>
> https://username:password@.../dns-query
>
>
> Daniel


Re: DNS Queries Using API - BIND9

blason16
In reply to this post by Reindl Harald
I can do that - But

  1. How can I control unauthorized use?
  2. Since once it's published on the Internet it can be used by anyone, right?
  3. Plus from the user end they can change the DNS to avoid protection.


Re: DNS Queries Using API - BIND9

blason16
In reply to this post by Daniel Stirnimann
Hmm - Any docs on configuring a DoH proxy?


Re: DNS Queries Using API - BIND9

blason16
That's a nice starting point -

But still looking for any client utility so that users cannot shut down or suspend the service.

On Mon, May 11, 2020 at 12:18 PM Blason R <[hidden email]> wrote:
Hmm - Any docs on configuring a DoH proxy?

Re: DNS Queries Using API - BIND9

Bind-Users forum mailing list
If your users have admin permissions you probably will not find any open source tool which supports that. For restricted accounts on Windows - create policies.

BR,
Vadim
On May 10, 2020, at 23:52, Blason R <[hidden email]> wrote:

That's a nice starting point -

But still looking for any client utility so that users cannot shut down or suspend the service.


Re: DNS Queries Using API - BIND9

blason16
Nah, those are regular users - and I'm thinking to work on a DoT proxy and force that through GPO for browsers.

On Mon, May 11, 2020 at 12:27 PM Vadim Pavlov <[hidden email]> wrote:
If your users have admin permissions you probably will not find any open source tool which supports that. For restricted accounts on Windows - create policies.

BR,
Vadim

Re: DNS Queries Using API - BIND9

Petr Mensik
In reply to this post by blason16
Hi,

AFAIK BIND is also supported on Windows. Would it be possible just to
install the BIND service on the local machine and configure it to download
a DLZ zone from your servers? It could authenticate using DDNS keys. And
forwarding would also be straightforward. As a bonus, they would get a local
validating resolver.

I think that would be quite satisfying for their security, but would
prevent you from watching them too closely. I think that would be an
advantage of sorts, especially when they are in "private" mode.

Of course some scripts to configure the installation would be required,
because an ordinary user does not want to configure BIND. Some smart
installer might be enough.

Regards,
Petr

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: [hidden email]
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB



Re: DNS Queries Using API - BIND9

blason16
Hmmm, nice suggestion and I appreciate that.

But it would be too much for a normal user; I'm looking for a simpler manner. Anyway, if there is no option then we will have to live with the VPN option for now.
