A reliable FQDN-based outbound whitelist solution
-
Hello. I administrate a small Windows Server 2008 AD network. I wish to maximize security by blocking all outbound packets except for approved destinations. I have 100~200 FQDNs to whitelist. These are our trusted sites on HTTPS. My purpose is to harden the network against penetration. Only an outbound whitelist can offer security beyond the point where foreign code has run. I believe in assuming that unforeseen vulnerabilities are a fact of life.
I have tried to do this with a Dell SonicWall firewall/router, and found that the DNS cache of client browsers was frequently in discord with the SonicWall's, such that we momentarily lost access to some sites daily, this despite setting DNS cache TTL on clients very low via Group Policy, and doing everything in my power to speed up the SonicWall's DNS cache update frequency, too. I have thought about the problem and believe there is a reliable solution. I might benefit from suggestions of those who are familiar with the flexibility of pfSense aliases.
The idea I'm working on right now has two caveats, first that there are two local DNS resolvers with TTL values on different ends of a spectrum, and that the client's DNS cache TTL is set somewhere in between these values; second, that the firewall is configurable to allow the same list of FQDNs twice independently, one from each local DNS resolver, allowing two sets of resolved IPs for the same common set of FQDNs, where one is updated at a maximum frequency and the other at a minimum. In this way, for any FQDN, either one or the other allowed IP will be tried by the client (the clients will always query the more up-to-date of the two resolvers).
It looks like alias type URL will enable me to manage something along these lines. I will try to use a simple HTTP server written in Perl with POE::Component::Server::TCP to feed pfSense a realtime-generated list of less-up-to-date IPs. I believe I read somewhere that you can tune the rate at which alias objects are refreshed.
Please provide me with insight into aspects of my rationale which I have overlooked, and thoughts on the feasibility of the solution I'm trying to implement!
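The design sketched in this post, as an added example that is not part of the thread and not pfSense's or SonicWall's code: the poster wants two allowed-IP sets for the same FQDNs, one refreshed as fast as possible and one lagging, so a client whose cached answer sits between the two TTLs still matches an address the firewall permits. One class covers both sets: a retention window of zero seconds yields the fresh set, a longer window the lagging one, because an address only leaves the feed after the resolver has stopped returning it for that long. The resolver is a pluggable callable (assumed interface, not a real library), and the DNS answers are constructed snapshots rather than live lookups; the one-address-per-line layout is the assumed format of a URL-type alias file.

```python
"""Build the address list a URL-type pfSense alias could fetch for an FQDN whitelist.

Added illustration, not code from the thread or from pfSense. The resolver interface and the
alias file layout (one address per line) are assumptions; DNS answers below are constructed.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], Iterable[str]]  # fqdn -> addresses (e.g. a wrapper around a DNS client)

# Constructed answers: seconds since start -> {fqdn: [addresses]}. The mail host moves at t=3600.
SNAPSHOTS: Dict[int, Dict[str, List[str]]] = {
    0:     {"mail.example.com": ["192.0.2.10"], "www.example.com": ["198.51.100.5"]},
    3600:  {"mail.example.com": ["192.0.2.11"], "www.example.com": ["198.51.100.5"]},
    10800: {"mail.example.com": ["192.0.2.11"], "www.example.com": ["198.51.100.5"]},
}


class AliasFeed:
    """Keeps every address an allowed FQDN has resolved to within the last retain_seconds.

    retain_seconds=0 reproduces the "fresh" resolver (only the latest answers), a longer window
    the "lagging" one: an address is dropped only after it has not been seen for that long, so a
    client still holding the old cached answer connects to an address that is still allowed.
    """

    def __init__(self, fqdns: Iterable[str], retain_seconds: int) -> None:
        self.fqdns = sorted({f.strip().lower().rstrip(".") for f in fqdns if f.strip()})
        self.retain_seconds = retain_seconds
        self._last_seen: Dict[str, int] = {}  # address -> time the resolver last returned it

    def refresh(self, resolve: Resolver, now: int) -> None:
        """Re-resolve every name, then expire addresses not seen within the retention window."""
        for name in self.fqdns:
            for addr in resolve(name):
                ip = ipaddress.ip_address(addr)  # reject anything that is not an IP address
                self._last_seen[str(ip)] = now
        cutoff = now - self.retain_seconds
        self._last_seen = {ip: t for ip, t in self._last_seen.items() if t >= cutoff}

    def current(self) -> List[str]:
        return sorted(self._last_seen)

    def render(self) -> str:
        """One address per line, the layout a URL-table alias is assumed to fetch."""
        return "\n".join(self.current()) + "\n"


def snapshot_resolver(t: int) -> Resolver:
    """Resolver that answers from the constructed snapshot taken at time t."""
    return lambda name: SNAPSHOTS[t].get(name, [])


def walk(retain_seconds: int) -> Dict[int, List[str]]:
    """Run a feed through every snapshot in order; returns the allowed set after each refresh."""
    feed = AliasFeed(list(SNAPSHOTS[0]), retain_seconds)  # the snapshot keys are the FQDNs
    out: Dict[int, List[str]] = {}
    for t in sorted(SNAPSHOTS):
        feed.refresh(snapshot_resolver(t), now=t)
        out[t] = feed.current()
    return out


if __name__ == "__main__":
    for label, window in (("fresh", 0), ("lagging", 7200)):
        print(label, walk(window))
```

Serving `render()` over HTTP for each window gives the two alias sources the post asks for; the lagging feed is a superset of the fresh one, so whichever answer a client cached, the destination address is in at least one of the two aliases as long as the client TTL is shorter than the retention window.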
-
can't you just do this in unbound already.. Something like

local-zone: "." redirect
local-data: ". IN A 127.0.0.1"

this would block everything, then for the domains you want to resolve just set them to transparent

local-zone: "pfsense.org" transparent
local-zone: "somedomain.com" transparent

doing a whitelist is PITA to be sure.. especially when the sites you're allowing access use other domains for their images, scripts, etc. etc.. But pretty sure this would be the quickest way to do it..
I would prob just use unbound in forwarder mode if you were going to do something like this…
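The unbound approach above, as an added example that is not from the thread or from unbound itself: a generator that turns a list of FQDNs into the redirect/transparent whitelist shown, and a checker that tells you which local-zone a given query name would fall under. The matching rule it implements (the closest enclosing local-zone wins, so a transparent zone also covers its subdomains) is unbound's documented behaviour; the sink address and the domain names used are constructed. The checker is what makes the "other domains for their images, scripts" problem visible before you deploy: a query for a third-party host falls through to the "." redirect zone.

```python
"""Generate an unbound local-zone whitelist and predict which zone a query name hits.

Added illustration, not from the thread or the unbound project. Domain names and the sink
address are constructed; the closest-enclosing-zone rule follows unbound's documented matching.
"""
import re
from typing import Dict, Iterable, Tuple

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # one hostname label, no leading/trailing '-'
SINK = "127.0.0.1"  # constructed sink address every non-whitelisted name is redirected to


def normalize(fqdn: str) -> str:
    """Lowercase, strip the trailing dot and reject anything that is not a plain hostname."""
    name = fqdn.strip().lower().rstrip(".")
    if not name or any(not LABEL.match(label) for label in name.split(".")):
        raise ValueError(f"not a valid FQDN: {fqdn!r}")
    return name


def unbound_whitelist(fqdns: Iterable[str], sink: str = SINK) -> str:
    """Emit the config from the post: redirect everything, then punch transparent holes."""
    allowed = sorted({normalize(f) for f in fqdns})
    lines = ['local-zone: "." redirect', f'local-data: ". IN A {sink}"']
    lines += [f'local-zone: "{domain}" transparent' for domain in allowed]
    return "\n".join(lines) + "\n"


def parse_zones(config: str) -> Dict[str, str]:
    """Read local-zone lines back into {zone: type}; the root zone is stored as ".".

    Handles only the local-zone statements this script emits, not the full unbound syntax.
    """
    zones: Dict[str, str] = {}
    for line in config.splitlines():
        m = re.match(r'\s*local-zone:\s*"([^"]*)"\s+(\w+)', line)
        if m:
            zones[m.group(1).rstrip(".") or "."] = m.group(2)
    return zones


def zone_for(qname: str, zones: Dict[str, str]) -> Tuple[str, str]:
    """Return (zone, type) for a query name: the closest enclosing zone wins, as in unbound."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate, zones[candidate]
    # No explicit zone matched: the root zone applies (plain resolution if none is configured).
    return ".", zones.get(".", "transparent")


def is_allowed(qname: str, zones: Dict[str, str]) -> bool:
    """True when the name resolves normally instead of being redirected to the sink."""
    return zone_for(qname, zones)[1] == "transparent"


if __name__ == "__main__":
    cfg = unbound_whitelist(["pfsense.org", "somedomain.com."])
    print(cfg)
    zones = parse_zones(cfg)
    for q in ("www.pfsense.org", "cdn.thirdparty.test", "pfsense.org.evil.test"):
        print(q, zone_for(q, zones))
```

Running the checker over the hostnames from a browser's developer tools network tab for each whitelisted site is a quick way to find the image and script domains that would otherwise be sunk.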
-
Yes, doing a whitelist is PITA. I had about 12 hours into configuring it, and 12 hours into testing it in a real environment. The most apparent breakdown was with Exchange 365, because it is hosted on a massive data center like the Akamai network, and its IP addresses change all the time. Exchange would go down for 15 minutes or so at a time, about once every 48 hours.