TLD allow - how to DNSBL whitelist local domain without a tld?
-
Hello all,
Docker and docker compose are integral to much of my work.
Sometimes a docker compose references a local server address like:
http://trivy-server:9992
, whereby trivy-server is the name of the service and is also the hostname. This can not always be changed or altered, unfortunately. When TLD Allow is selected within DNSBL, then those trivy-server services will be blocked. Whitelisting is not possible due to the missing TLD (hence no TLD)...
- pfBlockerNG: Is this a feature, a bug or ?
- Is there another proper solution?
- Configure pfSense or pfBlockerNG differently?
- Change some settings in docker or Ubuntu node?
Only solution for now is to uncheck the TLD Allow option, which from a security standpoint is not feasible. See for example:
https://github.com/openclarity/openclarity/tree/main/installation/docker
-
@rle said in TLD allow - how to DNSBL whitelist local domain without a tld?:
pfBlockerNG: Is this a feature, a bug or ?
Blocking a domain without tld ?
That's more a "syntax error".
@rle said in TLD allow - how to DNSBL whitelist local domain without a tld?:
Is there another proper solution?
Regex blocking would work here.
and populate the "Python Regex List".
^trivy-server?[_.-] #test RGX
@rle said in TLD allow - how to DNSBL whitelist local domain without a tld?:
Only solution for now is to uncheck the TLD Allow option, which from a security standpoint is not feasible.
?
I never had that option checked.
I've a security issue now ?
-
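As an added illustration (not part of Gertjan's post and not pfBlockerNG's own code), the following Python snippet evaluates the posted pattern ^trivy-server?[_.-] against a constructed set of query names, so the reader can see what it does and does not match before pasting it into the "Python Regex List". It assumes the pattern is applied as a Python regular expression to the queried name as a plain string; the thread does not say whether pfBlockerNG presents that name with or without a trailing dot, so both forms are included. The has_tld helper, the STRICT_REGEX alternative and all sample names are my own additions, not from the thread.

```python
import re

# Pattern as posted in the thread ("#test RGX"), copied verbatim.
POSTED_REGEX = r"^trivy-server?[_.-]"

# My own, stricter alternative (not from the thread): only the bare label,
# with or without a trailing dot. Kept here for comparison.
STRICT_REGEX = r"^trivy-server\.?$"

# Constructed sample query names, purely for illustration.
SAMPLE_QNAMES = [
    "trivy-server",              # bare service name, no trailing dot
    "trivy-server.",             # same name in canonical (dotted) form
    "trivy-server.lab.example",  # hypothetical FQDN variant
    "trivy-serve.",              # 'r' is optional in 'server?', so this matches too
    "trivy-server_1.",           # compose-style replica suffix
    "trivy-servers.",            # no match: 's' is not in [_.-]
    "not-trivy-server.",         # no match: pattern is anchored with ^
    "grype.lab.example",         # unrelated hypothetical name
]


def regex_matches(qname, pattern=POSTED_REGEX):
    """True if `pattern` matches in `qname` (re.search semantics)."""
    return re.search(pattern, qname) is not None


def has_tld(qname):
    """True if the name consists of at least two labels (e.g. 'host.example').

    A bare service name such as 'trivy-server' has only one label and
    therefore no TLD, which is the situation the thread is about.
    """
    labels = [label for label in qname.rstrip(".").split(".") if label]
    return len(labels) >= 2


def classify(qnames, pattern=POSTED_REGEX):
    """Return {qname: (has_tld, regex_matches)} for each sample name."""
    return {q: (has_tld(q), regex_matches(q, pattern)) for q in qnames}


if __name__ == "__main__":
    for name, (tld, hit) in classify(SAMPLE_QNAMES).items():
        print(f"{name:28s} tld={tld!s:5s} posted_regex={hit}")
```

Two things worth noticing when running it: the bare name without a trailing dot does not match the posted pattern at all, because [_.-] demands one more character after trivy-serve(r); and the optional r means trivy-serve. matches as well. If the name reaches the regex without a trailing dot, an end-anchored pattern like the STRICT_REGEX above is what actually catches it.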
@rle said in TLD allow - how to DNSBL whitelist local domain without a tld?:
Is there another proper solution?
yeah use a fqdn (fully qualified domain name)
Sometimes a docker compose references
Why can you not edit the compose file to use a fqdn and port?
-
@Gertjan Thanks for your reply. Appreciated. I will look into the Regex Blocking feature.
Regarding 'TLD Allow' and that 'you presumably' have a security issue: it totally depends on what criteria you use for security. I have only a very minimal and select set of TLDs that are allowed in my network.
I, for myself, enabled this feature to minimize any possible exposure and mitigation to domains hosting malware and worse. They are mostly hosted on the more unknown or non-typical TLDs.
-
@johnpoz said in TLD allow - how to DNSBL whitelist local domain without a tld?:
@rle said in TLD allow - how to DNSBL whitelist local domain without a tld?:
Is there another proper solution?
yeah use a fqdn (fully qualified domain name)
Sometimes a docker compose references
Why can you not edit the compose file to use a fqdn and port?
I normally use FQDN whenever I can, but sometimes you just want to minimally edit a docker compose file and really focus on the software package at hand to test, before diving deep into the software application.
Communication of the software is the thing that I investigate. I go as far as to rebuild the entire docker images if I see fit. It depends and is always phased into stages. I'm a DevSecOps engineer.
Also there have been cases where an unintentional feature (bugs or design decisions and so on) breaks software (packages) in an unclear way; you do not always want pfSense/HAProxy/FQDN as the middle man. Just as is.
-
@rle well, not understanding what problem you're wanting to solve then.. Via DNS you're not going to be able to resolve trivy-server; the only way to resolve that is via the device talking to itself, i.e. its own name, or via a broadcast, or something like mDNS, which would be trivy-server.local with the device itself answering.
In what scenario would asking DNS for trivy-server work, since it is not a valid DNS query? So how would you allow it or not allow it in pfBlocker in the first place?