Merge pull request #102 from step-security/feature-99

Add sinkhole IP address

Author: varunsh-coder

dnsproxy.go

@@ -39,6 +39,8 @@ type Answer struct {
 	Data string `json:"data"`
 }
 
+const StepSecuritySinkHoleIPAddress = "54.185.253.63"
+
 func (proxy *DNSProxy) getResponse(requestMsg *dns.Msg) (*dns.Msg, error) {
 
 	responseMsg := new(dns.Msg)
@@ -51,7 +53,6 @@ func (proxy *DNSProxy) getResponse(requestMsg *dns.Msg) (*dns.Msg, error) {
 
 			answer, err := proxy.processTypeA(&question, requestMsg)
 			if err != nil {
-
 				return responseMsg, err
 			}
 			responseMsg.Answer = append(responseMsg.Answer, *answer)
@@ -98,7 +99,14 @@ func (proxy *DNSProxy) getIPByDomain(domain string) (string, error) {
 		if !proxy.isAllowedDomain(domain) {
 			go WriteLog(fmt.Sprintf("domain not allowed: %s", domain))
 			go WriteAnnotation(fmt.Sprintf("DNS resolution for domain %s was blocked", domain))
-			return "", fmt.Errorf("domain not allowed %s", domain)
+
+			// return an ip address, so calling process calls the ip address
+			// the call will be blocked by the firewall
+			proxy.Cache.Set(domain, StepSecuritySinkHoleIPAddress)
+
+			go proxy.ApiClient.sendDNSRecord(proxy.CorrelationId, proxy.Repo, domain, StepSecuritySinkHoleIPAddress)
+
+			return StepSecuritySinkHoleIPAddress, nil
 		}
 	}
 

dnsproxy_test.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"fmt"
 	"net/http"
 	"reflect"
 	"testing"
@@ -21,6 +22,7 @@ func TestDNSProxy_getResponse(t *testing.T) {
 	Cache := InitCache(60 * 1000000000)
 	rrDnsGoogle, _ := dns.NewRR("dns.google. IN A 8.8.8.8")
 	rrDnsTest, _ := dns.NewRR("test.com. IN A 67.225.146.248")
+	rrDnsNotAllowed, _ := dns.NewRR(fmt.Sprintf("notallowed.com. IN A %s", StepSecuritySinkHoleIPAddress))
 	rrDnsAllowed, _ := dns.NewRR("allowed.com. IN A 67.225.146.248")
 
 	apiclient := &ApiClient{Client: &http.Client{}, APIURL: agentApiBaseUrl}
@@ -33,6 +35,9 @@ func TestDNSProxy_getResponse(t *testing.T) {
 	httpmock.RegisterResponder("GET", "https://dns.google/resolve?name=allowed.com.&type=a",
 		httpmock.NewStringResponder(200, `{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"allowed.com.","type":1}],"Answer":[{"name":"allowed.com.","type":1,"TTL":3080,"data":"67.225.146.248"}]}`))
 
+	httpmock.RegisterResponder("GET", "https://dns.google/resolve?name=notfound.com.&type=a",
+		httpmock.NewStringResponder(200, `{"Status":3,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"notfound.com.","type":1}],"Authority":[{"name":"com.","type":6,"TTL":900,"data":"a.gtld-servers.net. nstld.verisign-grs.com. 1640040308 1800 900 604800 86400"}],"Comment":"Response from 2001:503:231d::2:30."}`))
+
 	tests := []struct {
 		name    string
 		fields  fields
@@ -61,8 +66,8 @@ func TestDNSProxy_getResponse(t *testing.T) {
 		{name: "type A notallowed.com",
 			fields:  fields{Cache: &Cache, EgressPolicy: EgressPolicyBlock, AllowedEndpoints: []Endpoint{{domainName: "allowed.com"}}},
 			args:    args{requestMsg: &dns.Msg{Question: []dns.Question{{Name: "notallowed.com.", Qtype: dns.TypeA}}}},
-			want:    &dns.Msg{},
-			wantErr: true,
+			want:    &dns.Msg{Answer: []dns.RR{rrDnsNotAllowed}},
+			wantErr: false,
 		},
 		{name: "type A test.com egress policy cached",
 			fields:  fields{Cache: &Cache, EgressPolicy: EgressPolicyBlock, AllowedEndpoints: []Endpoint{{domainName: "test.com"}}},
@@ -76,6 +81,12 @@ func TestDNSProxy_getResponse(t *testing.T) {
 			want:    &dns.Msg{Answer: []dns.RR{rrDnsAllowed}},
 			wantErr: false,
 		},
+		{name: "type A notfound.com",
+			fields:  fields{Cache: &Cache, EgressPolicy: EgressPolicyAudit},
+			args:    args{requestMsg: &dns.Msg{Question: []dns.Question{{Name: "notfound.com.", Qtype: dns.TypeA}}}},
+			want:    &dns.Msg{},
+			wantErr: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

netmon.go

@@ -88,17 +88,21 @@ func (netMonitor *NetworkMonitor) handlePacket(attrs nflog.Attribute) {
 		// Get actual TCP data from this layer
 		ipv4, _ := ipv4Layer.(*layers.IPv4)
 		netMonitor.netMutex.Lock()
-		_, found := ipAddresses[ipv4.DstIP.String()]
+		ipv4Address := ipv4.DstIP.String()
+		_, found := ipAddresses[ipv4Address]
 		if !found {
-			ipAddresses[ipv4.DstIP.String()] = 1
+			ipAddresses[ipv4Address] = 1
 
 			if isSYN {
 				netMonitor.ApiClient.sendNetConnection(netMonitor.CorrelationId, netMonitor.Repo,
-					ipv4.DstIP.String(), port, netMonitor.Status, timestamp, Tool{Name: Unknown, SHA256: Unknown})
+					ipv4Address, port, netMonitor.Status, timestamp, Tool{Name: Unknown, SHA256: Unknown})
 
 				if netMonitor.Status == "Dropped" {
-					go WriteLog(fmt.Sprintf("ip address dropped: %s", ipv4.DstIP.String()))
-					go WriteAnnotation(fmt.Sprintf("Traffic to IP Address %s was blocked", ipv4.DstIP.String()))
+					go WriteLog(fmt.Sprintf("ip address dropped: %s", ipv4Address))
+
+					if ipv4Address != StepSecuritySinkHoleIPAddress { // Sinkhole IP address will be covered by DNS block
+						go WriteAnnotation(fmt.Sprintf("Traffic to IP Address %s was blocked", ipv4Address))
+					}
 				}
 			}
 		}