
[Feature Request] Ahead-of-time DNS lookup for rules with domains #1171

Open
ciandonovan opened this issue Aug 15, 2024 · 0 comments
Summary:

Some applications don't use typical DNS mechanisms to resolve domains[1], and so their IPs are not mapped by OpenSnitch.

Reverse DNS on all destination IP addresses is not practical or reliable, however a user's rules will only have a finite amount of domains/hosts listed. Each of these could be queried through DNS, and re-queried regularly according to the TTL. These mappings would also be cached along with the existing method of inspecting user application DNS query responses, and the same policies applied as normal.

This method is used in most commercial firewalls that employ whitelisting based on domains.

[1] Tailscale can use its own bootstrapDNS mechanism to request domain/IP mappings from a central server over HTTPS in certain scenarios. These of course are not registered by OpenSnitch, and domain-name based rules fail to match.

@ciandonovan ciandonovan added the feature a whole new feature label Aug 15, 2024
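The mechanism proposed above, as an added example that is not part of the issue or of OpenSnitch: rule domains are resolved ahead of time, each answer is cached until its shortest TTL expires, and the resulting IP-to-domain map is consulted when a destination address is matched against domain rules. The resolver and clock are injected so the script runs offline against a constructed zone (the `.invalid` names, addresses and TTLs below are made up); a real deployment would plug in a library resolver that returns (address, ttl) pairs.

```python
"""Ahead-of-time DNS resolution for domain-based firewall rules.

Added example, not OpenSnitch code. The resolver callable is an assumption:
it is expected to return the A/AAAA records of a name as (address, ttl) pairs.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Resolver = Callable[[str], List[Tuple[str, int]]]


@dataclass
class CacheEntry:
    addresses: Set[str]
    expires_at: float  # clock value at which the shortest TTL runs out


@dataclass
class AheadOfTimeResolver:
    resolver: Resolver
    clock: Callable[[], float] = time.monotonic
    cache: Dict[str, CacheEntry] = field(default_factory=dict)
    # Reverse index address -> domains currently resolving to it. This is the
    # same shape as the map built from sniffed DNS answers, so both sources
    # can feed one lookup table.
    ip_to_domains: Dict[str, Set[str]] = field(default_factory=dict)
    lookups: int = 0

    def refresh(self, domain: str) -> None:
        """Query one domain and replace whatever was cached for it."""
        self.lookups += 1
        records = self.resolver(domain)
        now = self.clock()
        old = self.cache.get(domain)
        if old:
            # Addresses the domain no longer resolves to must stop matching.
            for ip in old.addresses:
                self.ip_to_domains.get(ip, set()).discard(domain)
        if not records:
            # Negative or failed answer: cache nothing, retry next cycle.
            self.cache.pop(domain, None)
            return
        addresses = {ip for ip, _ttl in records}
        ttl = min(ttl for _ip, ttl in records)
        self.cache[domain] = CacheEntry(addresses, now + ttl)
        for ip in addresses:
            self.ip_to_domains.setdefault(ip, set()).add(domain)

    def refresh_expired(self, domains) -> List[str]:
        """Re-query every rule domain never fetched or whose TTL has elapsed."""
        now = self.clock()
        refreshed = []
        for d in domains:
            entry = self.cache.get(d)
            if entry is None or entry.expires_at <= now:
                self.refresh(d)
                refreshed.append(d)
        return refreshed

    def domains_for_ip(self, ip: str) -> Set[str]:
        return set(self.ip_to_domains.get(ip, set()))


def match_rule(aot: AheadOfTimeResolver, rule_domains, dst_ip: str) -> Optional[str]:
    """Return the first rule domain that currently maps to dst_ip, else None."""
    hits = aot.domains_for_ip(dst_ip)
    for d in rule_domains:
        if d in hits:
            return d
    return None


class FakeClock:
    """Constructed clock so TTL expiry can be driven without sleeping."""
    def __init__(self):
        self.t = 1000.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    # Constructed zone data; names use the reserved .invalid TLD.
    zone = {
        "controlplane.example.invalid": [("203.0.113.10", 60), ("203.0.113.11", 60)],
        "updates.example.invalid": [("198.51.100.5", 300)],
    }
    clock = FakeClock()
    aot = AheadOfTimeResolver(resolver=lambda name: zone.get(name, []), clock=clock)
    rules = list(zone)
    out = {}
    out["first_pass"] = aot.refresh_expired(rules)      # both fetched initially
    out["hit"] = match_rule(aot, rules, "203.0.113.10")  # known address
    out["miss"] = match_rule(aot, rules, "192.0.2.1")    # never resolved
    clock.advance(61)                                     # only the 60s TTL expires
    zone["controlplane.example.invalid"] = [("203.0.113.12", 60)]  # address rotates
    out["second_pass"] = aot.refresh_expired(rules)
    out["old_ip"] = match_rule(aot, rules, "203.0.113.10")  # stale, no longer matches
    out["new_ip"] = match_rule(aot, rules, "203.0.113.12")
    out["lookups"] = aot.lookups
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The refresh loop is driven by the shortest TTL in each answer rather than a fixed interval, and a rotated address drops out of the reverse index on the next refresh, so a rule keeps matching only the addresses the domain currently resolves to. A real implementation would also rate-limit re-queries for domains whose authoritative TTL is very short.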