fix: dns over tcp bypasses domain filtering (#175)

- Fixing a bug where it was possible to bypass the domain filtering when using DNS over TCP. - Also showing the untrusted DNS server in annotations

Author: fallard84

action/dist/post.js

@@ -19914,7 +19914,7 @@ async function getOutboundConnections(){
  );
  console.log("Agent ready timestamp: ", agentReadyTimestamp);
  const tetragonLogFile = await import_promises2.default.open(TETRAGON_EVENTS_LOG_PATH);
- const functionsToTrack = ["tcp_connect"];
+ const functionsToTrack = ["tcp_connect", "udp_sendmsg"];
  for await (const line of tetragonLogFile.readLines()){
  const processEntry = JSON.parse(line.trimEnd())?.process_kprobe;
  if (processEntry?.["policy_name"] !== "connect"){

action/dist/post.js.map

@@ -78,7 +78,7 @@ async function getOutboundConnections(): Promise<TetragonLog[]>{
 
 consttetragonLogFile=awaitfs.open(TETRAGON_EVENTS_LOG_PATH);
 
-constfunctionsToTrack=["tcp_connect"];
+constfunctionsToTrack=["tcp_connect","udp_sendmsg"];
 
 forawait(constlineoftetragonLogFile.readLines()){
 constprocessEntry=JSON.parse(line.trimEnd())?.process_kprobe;

action/src/post.ts

@@ -15,6 +15,7 @@ spec:
 operator: "NotDAddr"
 values:
  - 127.0.0.1
+ - 127.0.0.53
  - call: "udp_sendmsg"
 syscall: false
 args:
@@ -26,22 +27,11 @@ spec:
 operator: "NotDAddr"
 values:
  - 127.0.0.1
+ - 127.0.0.53
  - call: "udp_recvmsg"
 syscall: false
 args:
  - index: 0
 type: "sock"
  - index: 2
 type: "size_t"
-# - call: "tcp_close"
-# syscall: false
-# args:
-# - index: 0
-# type: "sock"
-# - call: "tcp_sendmsg"
-# syscall: false
-# args:
-# - index: 0
-# type: "sock"
-# - index: 2
-# type: int

action/tetragon/connect.yml

@@ -15,7 +15,7 @@ import (
 
 var (
 blocking=false
-defaultDomains= []string{"github.com", "api.github.com", "*.actions.githubusercontent.com", "results-receiver.actions.githubusercontent.com", "*.blob.core.windows.net"}
+defaultDomains= []string{"github.com", "api.github.com", "*.actions.githubusercontent.com", "results-receiver.actions.githubusercontent.com", "*.blob.core.windows.net", "*.githubapp.com"}
 defaultIps= []string{"168.63.129.16", "169.254.169.254", "127.0.0.1"}
 defaultDNSServers= []string{"127.0.0.53"}
 )
@@ -27,6 +27,7 @@ const (
 EGRESS_POLICY_AUDIT="audit"
 DNS_POLICY_ALLOWED_DOMAINS_ONLY="allowed-domains-only"
 DNS_POLICY_ANY="any"
+DNS_PORT=layers.TCPPort(53)
 )
 
 typeAgentConfigstruct{
@@ -63,6 +64,7 @@ func NewAgent(config AgentConfig) *Agent{
 netInfoProvider: config.NetInfoProvider,
 filesystem: config.FileSystem,
  }
+
 agent.init(config)
 returnagent
 }
@@ -153,7 +155,7 @@ func (a *Agent) loadAllowedIp(ips []string){
 a.addIpToLogs("allowed", "unknown", ip)
 continue
  }
-fmt.Printf("Failed to parse IP: %s. Skipping.\n", ip)
+fmt.Printf("failed to parse ip: %s. skipping.\n", ip)
  }
 }
 
@@ -164,13 +166,13 @@ func (a *Agent) addToFirewall(ips map[string]bool, cidr []*net.IPNet) error{
 forip:=rangeips{
 err:=a.firewall.AddIp(ip)
 iferr!=nil{
-returnfmt.Errorf("Error adding %s to firewall: %v\n", ip, err)
+returnfmt.Errorf("error adding %s to firewall: %v", ip, err)
  }
  }
 for_, c:=rangecidr{
 err:=a.firewall.AddIp(c.String())
 iferr!=nil{
-returnfmt.Errorf("Error adding %s to firewall: %v\n", c.String(), err)
+returnfmt.Errorf("error adding %s to firewall: %v", c.String(), err)
  }
  }
 returnnil
@@ -228,22 +230,19 @@ func (a *Agent) loadAllowedDNSServers() error{
 }
 
 funcgetDestinationIP(packet gopacket.Packet) (string, error){
-ipLayer:=packet.Layer(layers.LayerTypeIPv4)
-ifipLayer==nil{
-ipLayer=packet.Layer(layers.LayerTypeIPv6)
- }
-ifipLayer==nil{
-return"", fmt.Errorf("Failed to get IP layer")
+netLayer:=packet.NetworkLayer()
+ifnetLayer==nil{
+return"", fmt.Errorf("failed to get network layer")
  }
-ip, _:=ipLayer.(*layers.IPv4)
-ifip==nil{
-ip6, _:=ipLayer.(*layers.IPv6)
-ifip6==nil{
-return"", fmt.Errorf("Failed to get IP layer")
- }
-returnip6.DstIP.String(), nil
+
+switchv:=netLayer.(type){
+case*layers.IPv4:
+returnv.DstIP.String(), nil
+case*layers.IPv6:
+returnv.DstIP.String(), nil
+default:
+return"", fmt.Errorf("unknown network layer type")
  }
-returnip.DstIP.String(), nil
 }
 
 funcextractDomainFromSRV(domainstring) string{
@@ -254,25 +253,18 @@ func extractDomainFromSRV(domain string) string{
 returnre.ReplaceAllString(domain, "")
 }
 
-func (a*Agent) processDNSQuery(packet gopacket.Packet) uint8{
-dnsLayer:=packet.Layer(layers.LayerTypeDNS)
-dns, _:=dnsLayer.(*layers.DNS)
+func (a*Agent) processDNSLayer(dns*layers.DNS) uint8{
+if!dns.QR{
+returna.processDNSQuery(dns)
+ }
+returna.processDNSResponse(dns)
+}
+
+func (a*Agent) processDNSQuery(dns*layers.DNS) uint8{
 for_, q:=rangedns.Questions{
 domain:=string(q.Name)
 fmt.Printf("DNS Question: %s %s\n", q.Name, q.Type)
 
-// making sure the DNS query is using a trusted DNS server
-destinationIP, err:=getDestinationIP(packet)
-iferr!=nil{
-fmt.Println("Failed to get destination IP")
-a.addIpToLogs("blocked", domain, "unknown")
-returnDROP_REQUEST
- }
-if!a.allowedDNSServers[destinationIP]{
-fmt.Printf("%s -> Blocked DNS Query. Untrusted DNS server %s\n", domain, destinationIP)
-a.addIpToLogs("blocked", domain, "unknown")
-returnDROP_REQUEST
- }
 ifq.Type==layers.DNSTypeSRV{
 originalDomain:=domain
 domain=extractDomainFromSRV(domain)
@@ -345,11 +337,10 @@ func (a *Agent) processDNSTypeSRVResponse(domain string, answer *layers.DNSResou
  }
 }
 
-func (a*Agent) processDNSResponse(packet gopacket.Packet) uint8{
-dnsLayer:=packet.Layer(layers.LayerTypeDNS)
-dns, _:=dnsLayer.(*layers.DNS)
+func (a*Agent) processDNSResponse(dns*layers.DNS) uint8{
 domain:=string(dns.Questions[0].Name)
 for_, answer:=rangedns.Answers{
+fmt.Printf("DNS Answer: %s %s %s\n", answer.Name, answer.Type, answer.IP)
 ifanswer.Type==layers.DNSTypeA{
 a.processDNSTypeAResponse(domain, &answer)
  } elseifanswer.Type==layers.DNSTypeCNAME{
@@ -365,21 +356,108 @@ func (a *Agent) processDNSResponse(packet gopacket.Packet) uint8{
 returnACCEPT_REQUEST
 }
 
-func (a*Agent) ProcessPacket(packet gopacket.Packet) uint8{
-ifdnsLayer:=packet.Layer(layers.LayerTypeDNS); dnsLayer!=nil{
+func (a*Agent) processDNSPacket(packet gopacket.Packet) uint8{
+dnsLayer:=packet.Layer(layers.LayerTypeDNS)
+dns, _:=dnsLayer.(*layers.DNS)
+for_, q:=rangedns.Questions{
+fmt.Printf("DNS Question: %s %s\n", q.Name, q.Type)
+ }
 
-dns, _:=dnsLayer.(*layers.DNS)
-for_, q:=rangedns.Questions{
-fmt.Printf("DNS Question: %s %s\n", q.Name, q.Type)
+domain:=string(dns.Questions[0].Name)
+// if we are blocking DNS queries, intercept the DNS queries and decide whether to block or allow them
+if!dns.QR{
+// making sure the DNS query is using a trusted DNS server
+destinationIP, err:=getDestinationIP(packet)
+iferr!=nil{
+fmt.Printf("Failed to get destination IP: %v\n", err)
+a.addIpToLogs("blocked", domain, "unknown")
+returnDROP_REQUEST
  }
-// if we are blocking DNS queries, intercept the DNS queries and decide whether to block or allow them
-ifa.blockDNS&&!dns.QR{
-returna.processDNSQuery(packet)
- } elseifdns.QR{
-returna.processDNSResponse(packet)
+if!a.allowedDNSServers[destinationIP]{
+fmt.Printf("%s -> Blocked DNS Query. Untrusted DNS server %s\n", domain, destinationIP)
+a.addIpToLogs("blocked", domain, destinationIP)
+returnDROP_REQUEST
  }
  }
-returnACCEPT_REQUEST
+
+// if we are not blocking DNS queries, just accept the query request
+if!a.blockDNS&&!dns.QR{
+returnACCEPT_REQUEST
+ }
+returna.processDNSLayer(dns)
+}
+
+func (a*Agent) processDNSOverTCPPayload(payload []byte) uint8{
+// Extract message length from first 2 bytes
+// - First byte shifted left 8 bits + second byte
+// - Creates 16-bit length prefix
+messageLen:=int(payload[0])<<8|int(payload[1])
+ifmessageLen==0||len(payload) <messageLen+2{
+fmt.Println("Invalid DNS over TCP payload")
+returnDROP_REQUEST
+ }
+
+// We attempt to decode the DNS over TCP payload
+// The only way we can accept the request is if the DNS query is contained within a single TCP packet payload
+dns:=&layers.DNS{}
+err:=dns.DecodeFromBytes(payload[2:messageLen+2], gopacket.NilDecodeFeedback)
+iferr!=nil{
+fmt.Println("Failed to decode DNS over TCP payload", err)
+returnDROP_REQUEST
+ }
+returna.processDNSLayer(dns)
+}
+
+func (a*Agent) processTCPPacket(packet gopacket.Packet) uint8{
+tcpLayer:=packet.Layer(layers.LayerTypeTCP)
+tcp, _:=tcpLayer.(*layers.TCP)
+dstPort, srcPort, payload:=tcp.DstPort, tcp.SrcPort, tcp.Payload
+
+// Validate DNS server IP
+ifdstPort==DNS_PORT{
+destinationIP, err:=getDestinationIP(packet)
+iferr!=nil{
+fmt.Printf("Failed to get destination IP: %v\n", err)
+a.addIpToLogs("blocked", "unknown", "unknown")
+returnDROP_REQUEST
+ }
+if!a.allowedDNSServers[destinationIP]{
+fmt.Printf("%s -> Blocked DNS Query. Untrusted DNS server %s\n", "unknown", destinationIP)
+a.addIpToLogs("blocked", "unknown", destinationIP)
+returnDROP_REQUEST
+ }
+ }
+
+ifdstPort!=DNS_PORT&&srcPort!=DNS_PORT{
+fmt.Println("Warning: Destination and source port are not DNS ports. Dropping request")
+returnDROP_REQUEST
+ }
+
+// if we are not blocking DNS queries, just accept the query request
+if!a.blockDNS&&dstPort==DNS_PORT{
+returnACCEPT_REQUEST
+ }
+
+iflen(payload) ==0{
+// We only accept DNS over TCP packets with no payload since they are only used for initiating a connection
+returnACCEPT_REQUEST
+ }
+
+// Now we have a payload in the TCP packet, we need to make sure it is a valid DNS over TCP payload and the DNS query is for a known domain. We don't want to exfiltrate data over DNS over TCP
+returna.processDNSOverTCPPayload(payload)
+
+}
+
+func (a*Agent) ProcessPacket(packet gopacket.Packet) uint8{
+ifdnsLayer:=packet.Layer(layers.LayerTypeDNS); dnsLayer!=nil{
+returna.processDNSPacket(packet)
+ }
+// check dns over tcp
+iftcpLayer:=packet.Layer(layers.LayerTypeTCP); tcpLayer!=nil{
+returna.processTCPPacket(packet)
+ }
+fmt.Println("Warning: Packet is not DNS or TCP. Dropping request, this shouldn't be happening.")
+returnDROP_REQUEST
 }
 
 func (a*Agent) disableSudo() error{

agent/agent.go

@@ -1 +1 @@
-9dc0fa0203ab625fa501ac1728aef69a5424267a7839c5fee9bf0d85e459ac59agent
+72fdea56ef365e362fd5ae69c1d5866fc4636db4e8e4aa10855d158d3f5e439fagent

agent/agent.sha256

@@ -38,6 +38,8 @@ grep --quiet 'Blocked DNS request to www.bing.com from unknown process' $POST_WA
 grep --quiet 'Blocked request to 93.184.215.14:443 from processs `/usr/bin/curl https://93.184.215.14 --output /dev/null'$POST_WARNINGS_FILEPATH
 grep --quiet 'Blocked DNS request to registry-1.docker.io from unknown process'$POST_WARNINGS_FILEPATH
 grep --quiet 'Blocked DNS request to www.wikipedia.org from unknown process'$POST_WARNINGS_FILEPATH
-grep --quiet 'Blocked DNS request to www.google.com from unknown process'$POST_WARNINGS_FILEPATH
+grep --quiet 'Blocked DNS request to tcp.example.com from unknown process'$POST_WARNINGS_FILEPATH
+grep --quiet 'Blocked request to www.google.com (8.8.8.8:53) from process `/usr/bin/dig @8.8.8.8 www.google.com`'$POST_WARNINGS_FILEPATH
+grep --quiet 'Blocked request to www.google.com (8.8.8.8:53) from process `/usr/bin/dig @8.8.8.8 www.google.com +tcp`'$POST_WARNINGS_FILEPATH
 
 echo"Tests passed successfully"

test/block.sh

@@ -1,6 +1,7 @@
 process.env["INPUT_EGRESS-POLICY"]="block";
 process.env["INPUT_DNS-POLICY"]="allowed-domains-only";
 process.env["INPUT__LOG-DIRECTORY"]="/tmp/gha-agent/logs";
+process.env["INPUT_ENABLE-SUDO"]="true";
 
 process.env["INPUT_ALLOWED-IPS"]=`
 10.0.0.0/24

test/input.js

@@ -5,6 +5,21 @@ if timeout 5 dig example.com; then
 exit 1
 fi
 
+if timeout 5 dig tcp.example.com +tcp;then
+echo'Expected 'dig tcp.example.com +tcp' to fail, but it succeeded'
+exit 1
+fi
+
+if! timeout 5 dig www.google.com;then
+echo'Expected 'dig www.google.com' to succeed, but it failed'
+exit 1
+fi
+
+if! timeout 5 dig www.google.com +tcp;then
+echo'Expected 'dig www.google.com +tcp' to succeed, but it failed'
+exit 1
+fi
+
 if timeout 5 dig www.wikipedia.org;then
 echo'Expected 'dig www.wikipedia.org' to fail, but it succeeded'
 exit 1
@@ -14,3 +29,8 @@ if timeout 5 dig @8.8.8.8 www.google.com; then
 echo'Expected 'dig @8.8.8.8 www.google.com' to fail, but it succeeded'
 exit 1
 fi
+
+if timeout 5 dig @8.8.8.8 www.google.com +tcp;then
+echo'Expected 'dig @8.8.8.8 www.google.com +tcp' to fail, but it succeeded'
+exit 1
+fi