(disclaimer: I am not a maintainer of this project but really like it and used it a little bit some time ago) It uses a combination of both DNS + IP filtering using nfqueue. The basic flow can be found here and is quite helpful: https://github.com/bullfrogsec/agent/blob/main/pkg/agent/queue_audit.nft#L5
Yes, it can happen, especially if you allow external IP connections to a provider like Cloudflare; then it cannot intercept the domain being queried. It will block connections to all external IPs unless they are pointed to by github.com, connections to @fallard84 perhaps an option can be added to allow only specific ports for DNS servers. Curious to hear your thoughts on this.
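To make the mechanism in the reply above concrete, here is a small model of a DNS-plus-IP egress filter, added as an illustration; it is not Bullfrog's own code (its real nft rules are at the link above), and the event format, class names and RFC 5737 addresses are constructed for the example. The filter can only attach a domain to an IP if it saw the plaintext DNS answer; a name resolved over DNS-over-HTTPS never passes through it, so the later connection is audited as a bare IP and, in block mode, denied.

```python
"""Model of how a DNS-plus-IP egress filter learns destinations (constructed
example; not Bullfrog's own code). Assumed: events arrive in wire order, and
only cleartext DNS answers (port 53) are visible to the filter."""

from dataclasses import dataclass, field
from typing import Dict, List

# Sample traffic from one CI job (constructed; RFC 5737 documentation addresses).
# ("dns", name, ip)      = a plaintext DNS answer the filter could read
# ("connect", ip, port)  = an outbound TCP connection attempt
SAMPLE_EVENTS = [
    ("dns", "github.com", "192.0.2.10"),
    ("connect", "192.0.2.10", 443),
    ("dns", "api.github.com", "192.0.2.11"),
    ("connect", "192.0.2.11", 443),
    ("dns", "telemetry.example.net", "198.51.100.7"),
    ("connect", "198.51.100.7", 443),
    # Resolved by the client over DoH: the filter never saw an answer for this IP.
    ("connect", "203.0.113.44", 443),
]


@dataclass
class EgressFilter:
    allowed_domains: List[str]
    mode: str = "audit"                       # "audit" logs only; "block" enforces
    ip_to_domain: Dict[str, str] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)

    def observe_dns(self, name: str, ip: str) -> None:
        """Learn an IP -> name mapping from a DNS answer seen in cleartext."""
        self.ip_to_domain[ip] = name

    def domain_allowed(self, name: str) -> bool:
        """Exact match or subdomain of an allowlisted domain."""
        return any(name == d or name.endswith("." + d) for d in self.allowed_domains)

    def connect(self, ip: str, port: int) -> bool:
        """Audit one connection; return True if the packet is let through."""
        name = self.ip_to_domain.get(ip)
        if name is None:
            decision = "block"          # no DNS answer ever seen for this IP
        elif self.domain_allowed(name):
            decision = "allow"
        else:
            decision = "block"          # resolved, but the domain is not allowlisted
        self.audit.append({"ip": ip, "port": port, "domain": name, "decision": decision})
        # Audit mode records the would-be decision but never drops traffic.
        return self.mode == "audit" or decision == "allow"

    def run(self, events) -> List[dict]:
        """Replay a sequence of events and return the audit rows."""
        for ev in events:
            if ev[0] == "dns":
                self.observe_dns(ev[1], ev[2])
            elif ev[0] == "connect":
                self.connect(ev[1], ev[2])
        return self.audit


def summarize(audit: List[dict]) -> Dict[str, int]:
    """Count rows that carry a domain versus bare IPs, as in the job summary table."""
    with_domain = sum(1 for r in audit if r["domain"] is not None)
    return {"with_domain": with_domain, "bare_ip": len(audit) - with_domain}


if __name__ == "__main__":
    f = EgressFilter(allowed_domains=["github.com"])
    for row in f.run(SAMPLE_EVENTS):
        print(f"{row['ip']:>15}:{row['port']}  {row['domain'] or '-':<25} {row['decision']}")
    print(summarize(f.audit))
```

Run in audit mode the filter lets everything through and only records the rows, which is why a job summary can be full of IP-only destinations: every lookup the runner did over an encrypted resolver produces a connection the filter has no name for. Switching the same model to block mode denies exactly those rows.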
We are running Bullfrog in audit mode to try to get an understanding of what our workflows are reaching out to before implementing egress control.
In the job summaries where GHA writes a table of connections, most of the destinations are IPs. There are only a few that have domains alongside them, and those are the most repeated.
I was able to get the domain for a few IPs with a reverse lookup, but many point to LBs or cloud buckets that serve many tenants, so they have no PTR records.
How does Bullfrog intercept traffic? I had a brief look at the agent and it seemed to be doing some stuff with DNS. Could the reason not many domains show be due to curl using encrypted DNS?
Thanks.