DNS based policy for egress
GrigoriyMikhalkin opened this issue · 10 comments
Support DNS based policies for egress. Similar to DNS based policies in cilium.
As part of the solution we also need to implement DNS proxy.
There is already another implementation which acts as a DNS proxy and puts the entries into an ipset:
After reading the nftables documentation I think we cannot use ipset; instead nft sets/maps/verdict maps must be used. We already use them in the accounting logic. The general approach is still the same.
Nice hint to nadoo/glider! We really must capture & cache all DNS traffic, not only queries that target the current set of toFQDNs of all ClusterwideNetworkPolicies. In a running setup we want to be able to change those rules and get them applied immediately and don't want to wait for DNS requests coming by (with systemd-resolved and CoreDNS in Kubernetes we have two "caches").
So we can have architecture like this:
CWNP Controller <--- reads DNS entries from cache --- DNS Cache <--- writes DNS data to cache --- DNS Proxy
Where DNS Proxy is based on glider. It monitors and caches all DNS data in DNS Cache. And then CWNP Controller, when it receives a resource with a toFQDN field, looks up entries for domain names in DNS Cache. One problem is with matchPatterns: it looks like the only way in that case is to do a brute search for domain names (i.e. iterate over all entries in DNS Cache).
I can also create named sets via DNS Proxy (probably will unload the controller to some extent). But still, I need to store associations to these named sets in DNS Cache (because set names are very limited, for example no longer than 16 chars). And then tie them to rules in CWNP Controller.
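The cache-and-lookup part of the sketch above, as an added example for this thread and not code from the project, from glider or from cilium: the proxy side calls Update for every answer it observes, the controller side resolves a matchName by direct lookup and a matchPattern by the brute-force scan over all cached names, and the result is rendered as an nft "add element" line for a named set. The entry layout, the sample answers and the wildcard semantics (a "*" matches one run of label characters, so "*.example.com" matches "api.example.com" but not "example.com") are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"sort"
	"strings"
	"sync"
	"time"
)

// dnsEntry is one cached answer and its expiry; a constructed layout for this example.
type dnsEntry struct {
	ip      net.IP
	expires time.Time
}

// DNSCache is the shared cache from the thread's sketch: the proxy writes answers, the controller reads.
type DNSCache struct {
	mu      sync.RWMutex
	entries map[string][]dnsEntry // canonical fqdn (lower-case, trailing dot) -> answers
}

func NewDNSCache() *DNSCache { return &DNSCache{entries: map[string][]dnsEntry{}} }

// canonical normalises names so "Example.COM" and "example.com." share one key.
func canonical(name string) string {
	name = strings.ToLower(strings.TrimSpace(name))
	if !strings.HasSuffix(name, ".") {
		name += "."
	}
	return name
}

// Update records an A/AAAA answer the proxy saw; an existing entry for the same IP gets its TTL refreshed.
func (c *DNSCache) Update(fqdn string, ip net.IP, ttl time.Duration, now time.Time) {
	c.mu.Lock()
	defer c.mu.Unlock()
	key := canonical(fqdn)
	for i, e := range c.entries[key] {
		if e.ip.Equal(ip) {
			c.entries[key][i].expires = now.Add(ttl)
			return
		}
	}
	c.entries[key] = append(c.entries[key], dnsEntry{ip: ip, expires: now.Add(ttl)})
}

// live returns the non-expired IPs for one key; the caller holds the read lock.
func (c *DNSCache) live(key string, now time.Time) []net.IP {
	var ips []net.IP
	for _, e := range c.entries[key] {
		if e.expires.After(now) {
			ips = append(ips, e.ip)
		}
	}
	return ips
}

// LookupName is the matchName case: a direct map lookup.
func (c *DNSCache) LookupName(fqdn string, now time.Time) []net.IP {
	c.mu.RLock()
	defer c.mu.RUnlock()
	return c.live(canonical(fqdn), now)
}

// patternToRegexp turns a matchPattern into an anchored regexp. Assumed semantics: "*" matches
// one run of label characters (no dots), so "*.example.com" matches "api.example.com" only.
func patternToRegexp(pattern string) (*regexp.Regexp, error) {
	quoted := regexp.QuoteMeta(canonical(pattern))
	return regexp.Compile("^" + strings.ReplaceAll(quoted, `\*`, `[-a-z0-9_]*`) + "$")
}

// LookupPattern is the brute-force scan from the discussion: every cached name is tested against the pattern.
func (c *DNSCache) LookupPattern(pattern string, now time.Time) ([]net.IP, error) {
	re, err := patternToRegexp(pattern)
	if err != nil {
		return nil, err
	}
	c.mu.RLock()
	defer c.mu.RUnlock()
	var ips []net.IP
	for key := range c.entries {
		if re.MatchString(key) {
			ips = append(ips, c.live(key, now)...)
		}
	}
	return ips, nil
}

// NftAddElements renders the IPs as one "add element" line for a named set, suitable for "nft -f".
// Set names are short (the thread cites 16 chars), so the policy -> set name mapping lives elsewhere.
func NftAddElements(table, set string, ips []net.IP) (string, error) {
	if len(set) > 16 {
		return "", fmt.Errorf("set name %q exceeds 16 characters", set)
	}
	if len(ips) == 0 {
		return "", nil
	}
	strs := make([]string, 0, len(ips))
	for _, ip := range ips {
		strs = append(strs, ip.String())
	}
	sort.Strings(strs) // map iteration order is random; keep the output stable
	return fmt.Sprintf("add element inet %s %s { %s }", table, set, strings.Join(strs, ", ")), nil
}

func main() {
	now := time.Now()
	c := NewDNSCache()
	// constructed answers, as the proxy would have observed them
	c.Update("api.example.com", net.ParseIP("192.0.2.10"), 60*time.Second, now)
	c.Update("cdn.example.com", net.ParseIP("192.0.2.20"), 60*time.Second, now)
	c.Update("old.example.com", net.ParseIP("192.0.2.30"), -1*time.Second, now) // already expired
	ips, _ := c.LookupPattern("*.example.com", now)
	cmd, _ := NftAddElements("firewall", "egress_example", ips)
	fmt.Println(cmd)
}
```

Expired answers stay in the map until the next Update for that name but are skipped on every read, so a rule never keeps an address the resolver would no longer hand out; a real implementation would also want a periodic sweep and a way to signal the controller when a scan's result set changes.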
Cilium does the same: https://github.com/cilium/cilium/blob/641c0f9b3072a014c9541ecaa4e00a2b24c98d97/pkg/fqdn/cache.go#L425
Let's make an appointment for reviewing this one please. @majst01 Can you maybe schedule something soon, when you think you have some time left? It would be so nice to finish this up...