DNS resolution for vpn servers running debian firewall

[gizurr 1]

Hi, I've been using ufw/gufw for a long time now to prevent leaks which works great after I followed worric's guide https://airvpn.org/topic/5586-prevent-leaks-with-linux-firestarter-also-stop-traffic-when-vpn-drops/?do=findComment&comment=5642

​However there's one drawback, which is that all IP's must be resolved prior to connecting because the DNS resolution doesn't get through the firewall. The problem with this is that you can't let it choose the best server for the area/region by resolving for instance gb.vpn.airdns.org. It seems that the best you can do is get a random selection from the list of servers. Is there a way around this? For example to only let that dns query through? or am I wrong somehow?

Any clarification is greatly appreciated!

​

 

Edit: Grammar

Edited ... by gizurr

[InactiveUser 188]

It is possible, with a bit of iptables pattern-matching trickery.
I have tried the following:
 

• ufw 0.34 (Mint 17) with an empty ruleset, all defaults set to "deny" (no connectivity whatsoever)
• a reachable DNS server in /etc/resolv.conf

• iptables -A OUTPUT -p udp --dport 53 -m string --hex-string "|03|vpn|06|airdns|03|org|00 00 01|" --algo bm -j ACCEPT
  

 

Then I tried DNS resolution:
dig +short google.com
as expected, no DNS resolution

dig +short airdns.org
as expected, no DNS resolution

dig +short gb.vpn.airdns.org

94.229.74.90

Voila! Pattern matched! I get an IP back!

 

You can permanently add iptables rules to ufw by editing the file:

 

/etc/ufw/before.rules

Add the following line somewhere to the end of the file, but before the very last "COMMIT" line:

 

-A OUTPUT -p udp --dport 53 -m string --hex-string "|03|vpn|06|airdns|03|org|00 00 01|" --algo bm -j ACCEPT

Finally, reload ufw:

 

ufw reload

 

 

 

Edit: Replaced the pattern "|03|vpn|06|airdns|03|org|" with "|03|vpn|06|airdns|03|org|00|" to rule out unwanted subdomain matches

Edit 2: Further improvement to the pattern, see gizurr's reply

 

If you make any changes to your firewall setup, test them thoroughly before relying on your new configuration.

You would probably want to make sure that openvpn, when connecting, replaces the original DNS server in /etc/resolv.conf and restores it when disconnecting.

 

Credit goes to: Corey's answer on stackoverflow

[gizurr 1]

Thanks for that great information! I was actually able to limit the matches as you suggested by adding a 0-byte at the end of the pattern:

 

-A OUTPUT -p udp --dport 53 -m string --hex-string "|03|vpn|06|airdns|03|org|00|" --algo bm -j ACCEPT

 

We can even get stricter and only allow requests of type A (a host address):

3.2.2. TYPE values
TYPE fields are used in resource records.  Note that these types are a
subset of QTYPEs.

TYPE            value and meaning
A               1 a host address
NS              2 an authoritative name server
MD              3 a mail destination (Obsolete - use MX)
MF              4 a mail forwarder (Obsolete - use MX)
CNAME           5 the canonical name for an alias
SOA             6 marks the start of a zone of authority
MB              7 a mailbox domain name (EXPERIMENTAL)
MG              8 a mail group member (EXPERIMENTAL)
MR              9 a mail rename domain name (EXPERIMENTAL)
NULL            10 a null RR (EXPERIMENTAL)
WKS             11 a well known service description
PTR             12 a domain name pointer
HINFO           13 host information
MINFO           14 mailbox or mail list information
MX              15 mail exchange
TXT             16 text strings

Source: http://www.ietf.org/rfc/rfc1035.txt

 

By including those 2 bytes, which results in the following line for /etc/ufw/before.rules:

 

-A OUTPUT -p udp --dport 53 -m string --hex-string "|03|vpn|06|airdns|03|org|00 00 01|" --algo bm -j ACCEPT

Edit: Format Edited ... by gizurr

[rickjames 106]

Just download the config files with advanced + Resolved hosts in .ovpn file checked. Then no resolution is needed at connection time.

 

However It sounds like you're using the air client. If that's the case the network lock feature will make rules for you.

I only briefly looked at that firestarter guide but I don't see connection tracking in there anywhere. The air client uses basic connection tracking / states ect. Even the basic version is better than nothing.

 

I won't pretend to be familiar with these gui's as I'm a big believer in less is more. But after seeing the rules the air client makes, I wouldn't hesitate to run it. My network environment just won't work with it. If I could use it I would, if only for simplicity.

[zhang888 1066]

I am not really sure why to do all these workarounds, when you can call an easier solution.

First, {country}.vpn.airdns.org does not just return a random server, it returns the best server in each

300 seconds timeframe. I believe the DNS backend that Air uses, has some sort of load balancing that

queries the API in the backend.

 

Now let's get to the API.

iptables allows custom scripts to be executed, which means you can query the API directly to find the best

server. Under some circumstances, it might even find a better server for you than the dns resolution.

Those circumstances are when you are quering some ISP DNS servers that might cache records and so on.

[InactiveUser 188]

All valid points, especially if OP already uses Eddie.

 

One note about ufw/gufw and conntrack: even if you don't see it in the GUI(s), ufw does use conntrack by default:

 

iptables-save | grep conntr
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN

[rickjames 106]

All valid points, especially if OP already uses Eddie.

 

One note about ufw/gufw and conntrack: even if you don't see it in the GUI(s), ufw does use conntrack by default:

 

iptables-save | grep conntr

-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny

-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN

 

Thank you.

I was unaware it had that capability.

 

Does it install conntrack conntrackd libnetfilter-conntrack3 by default? I don't have any machines running ufw atm. Sorry for being lazy lol. Its just easier to ask than setup a vm.

[InactiveUser 188]

rickjames, thanks, that's a valuable hint: libnetfilter-conntrack3 is installed in my Mint VM (the package is part of a default Ubuntu 14.04, according to .manifest), but not in one of my minimal Arch installs - thus, no conntrack enabled there.

conntrackd, contrack-tools are not part of any default Mint/Ubuntu/Fedora install. To my understanding, you only need those for interfering with or monitoring tracked connections, but not for the actual conntracking.

 

Edit:

ufw uses state-tracking as a fallback. On my conntrack-less Arch:

iptables-save | grep state
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
 

[rickjames 106]

rickjames, thanks, that's a valuable hint: libnetfilter-conntrack3 is installed in my Mint VM (the package is part of a default Ubuntu 14.04, according to .manifest), but not in one of my minimal Arch installs - thus, no conntrack enabled there.

conntrackd, contrack-tools are not part of any default Mint/Ubuntu/Fedora install. To my understanding, you only need those for interfering with or monitoring tracked connections, but not for the actual conntracking.

Thanks for the info @ ubuntu. I never really run it but its good to know at least someone's including it by default lol. I mostly run minimal setups myself and none ever have it installed.

 

You're 100% correct about conntrackd/tools. I've just become used to running/installing conntrackd /tools for running conntrack -E and -F and friends. Its helpful for tuning the state timings in conjunction with table logging. When doing local 'smash' testing very low timeouts are a necessity.

 

Then stacking conntrack + rp_filter, martians and a few others = win