Networking: Wildcard Hostnames for DNS Group Definitions
Being able to specify a 'root' domain name, or pattern, as a network definition that could then be used in a traffic selector for bandwidth shaping would help greatly. Content delivery networks use hundreds of hostnames, but usually stick with one 'root', for example 'something.nflximg.com' or 'something.llnwd.net'. By specifying something like '*.llnwd.net' as the source, we could then limit the traffic as desired.
Much like the "matching these URLs" option for exception rules for the HTTP proxy. Allow the skiplist on the advanced tab of the transparent HTTP proxy to also accept wildcard (regular expression) URLs. This would be extremely helpful for large sites/services that use backend Content Delivery Networks (like Facebook, Apple iTunes Store, AOL, Akamai, etc.) that consist of hundreds if not thousands of sub-domains/IPs.
@Bob ten Berge - try asking a question about your issues with SSL scanning on http://www.astaro.org/
@Jeremy - I see what you mean. In the 'Transparent mode skip list', for example, allow adding a list of domains. For a given IP, if there's an rDNS entry, and it corresponds to a domain name in the list, then the IP is skipped.
Bob ten Berge commented
If it's impossible, then how come firewall vendors like Palo Alto can implement domain wildcards as the OP suggested?
In order to selectively allow access to certain websites, I can enter *.domain.com to make sure all existing subdomains and hostnames will be allowed.
This is just one useful feature when wildcards are possible.
I wanted to enable SSL scanning on my ASG, but because it produces so many problems, I just turned it off again.
If I could simply enter *.akamai.com, for example, it would be less of a problem, but the way ASG works is I have to enter FQDNs, single IP addresses or whole subnets, which is a real drag.
Bob ten Berge commented
I very much support such functionality, because right now it's a real pain to monitor traffic, pick up all those blocked IPs and add them to the skip list.
I made a Network Group for this specific purpose and instead of adding single IPs I actually started adding whole class A networks to make it easier.
But the problem here is that it will also allow potentially unwanted websites to bypass the filter.
I don't get why this functionality would be so hard to implement, almost all other major UTM vendors I know can already do this (thinking about Palo Alto, Checkpoint, Juniper, Cisco, Sonicwall).
If you want to compete with the big boys, you can't afford to lag behind.
If you resolve the complete hostname ahead of time in order to bypass, it should be easy enough:
You check the FQDN against the list of supplied domains that should bypass the transparent proxy and if a match is found, you resolve the hostname and flag the resulting IP address as being in the skiplist.
I'm sure it would be quite easy to match the hostname abc.def.123.akamai.net against a *.akamai.net skiplist entry.
Ramon Lustrati commented
This is a very important feature that should be implemented in Astaro. The problem is that a lot of services (anti-virus software, Dropbox, Microsoft licensing, Adobe, etc.) use Akamai servers.
Scott Klassen commented
@Jeremy: I can imagine somebody entering "*.com", which would cause the Astaro to begin querying for every .com in existence and then trying to resolve them all. Would be a great way to DoS yourself.
Not necessarily for DNS group definitions but possibly another category of definitions all together.
"DNS Domain" perhaps?
Reverse lookup ip addresses and check that domain name against the definition.
E.g. the definition is *.google.com; when 220.127.116.11 is requested, reverse DNS gives "google-public-dns-a.google.com", so it is a match.
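A sketch of the two ideas raised in this thread, the wildcard hostname matching Bob describes and the reverse-DNS check against a definition described just above, added here as an illustration and not code from Astaro or from any commenter. It assumes a '*.label' suffix syntax, adds a forward-confirmation step so a spoofed PTR record cannot earn a bypass, and substitutes constructed lookup tables for live DNS so it runs offline.

```python
import socket

def normalize(name):
    """Lower-case and drop a trailing dot, so 'A.Akamai.NET.' equals 'a.akamai.net'."""
    return name.strip().lower().rstrip(".")

def matches_wildcard(hostname, pattern):
    """Match a hostname against a skiplist entry such as '*.akamai.net'.
    '*.akamai.net' matches any name with at least one label before 'akamai.net'
    (abc.def.123.akamai.net) but not 'akamai.net' itself, 'notakamai.net' or
    'akamai.net.example.org'. An entry without '*' must match exactly. Nothing
    is enumerated, so '*.com' is just a cheap suffix test, not a DoS on yourself."""
    host, pat = normalize(hostname), normalize(pattern)
    if pat.startswith("*."):
        suffix = pat[1:]                                  # '.akamai.net'
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pat

def in_skiplist(hostname, patterns):
    return any(matches_wildcard(hostname, p) for p in patterns)

def ip_bypasses_proxy(ip, patterns,
                      reverse=lambda a: socket.gethostbyaddr(a)[0],
                      forward=lambda n: socket.gethostbyname_ex(n)[2]):
    """Decide from the IP alone, as a pre-HTTP transparent skiplist must.
    Reverse-resolve the IP, test the PTR name against the patterns, then
    forward-resolve that name and require the original IP among its addresses
    (forward-confirmed reverse DNS). PTR records are written by whoever owns
    the address block, so without the forward check any host could call itself
    'x.akamai.net' and walk straight through the filter."""
    try:
        ptr_name = reverse(ip)
        if not in_skiplist(ptr_name, patterns):
            return False
        return ip in forward(normalize(ptr_name))
    except OSError:                                       # no PTR / NXDOMAIN
        return False

# Constructed lookup tables on documentation addresses; not real DNS data.
FAKE_PTR = {"203.0.113.10": "a1.g.akamai.net", "203.0.113.66": "cdn.akamai.net"}
FAKE_A = {"a1.g.akamai.net": ["203.0.113.10"], "cdn.akamai.net": ["198.51.100.5"]}

def fake_reverse(addr):
    if addr in FAKE_PTR: return FAKE_PTR[addr]
    raise OSError("no PTR record")

def demo(ip):
    """Run the check against the constructed tables instead of live DNS."""
    return ip_bypasses_proxy(ip, ["*.akamai.net"], reverse=fake_reverse,
                             forward=lambda n: FAKE_A.get(n, []))
```

`demo("203.0.113.66")` is refused even though its PTR name matches the pattern, because the name does not resolve back to that address.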
Please implement all the way. Should be able to define *.com as well
DNS Group definitions depend on entries with more than one A-record. I'm not a DNS guru, Thomas, but I believe that this suggestion is impossible given the way DNS functions today.
Gert Hansen commented
Hi all, this is a bit problematic and not easy.
The transparent skiplist is based on IP addresses/networks that get bypassed from the redirect to the proxy within the firewall. In this case, we have not yet looked at the HTTP header. What we do now is resolve complete hostnames ahead of time and then use the resolved IP addresses to bypass.
We cannot get a zone transfer for most domains, where we could extract all hostnames for those domains, match them against the wildcard and find the relevant IP addresses that way.
In order to implement this, we would need to implement a new kernel module in the firewall to properly parse and handle the HTTP and HTTPS protocols to extract domain information from the Host header of the HTTP request.
This is a lot of work and it is not that often requested yet.