
This would still allow data exfiltration via DNS. It really needs to be done at the browser level.


This rule blocks all IP traffic including DNS requests.


It only blocks IPv4 traffic, so on an IPv6-enabled host it can easily be bypassed without even involving DNS. But assuming an IPv4-only host, on a system using nscd, DNS lookup is performed over a Unix socket:

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
       23  1445 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1007
    
    # setuidgid outtest ping -n 1 -4 google.com
    PING google.com (142.250.102.100) 56(124) bytes of data.


That's interesting. I've never used nscd, but the rule seems to work against both dnsmasq and systemd-resolved, which just listen on loopback port 53.

As for IPv6 you can obviously just apply a similar rule using ip6tables (or the newer nftables, which I don't know how to use).
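An nftables equivalent of the per-UID iptables rule shown above, added here as an example (it is not from any of the commenters). Using the `inet` family covers IPv4 and IPv6 in one table, which closes the gap the thread points out; UID 1007 is taken from the iptables output above. Note that netfilter only sees IP packets, so a resolver reached over a Unix socket (the nscd case above) is outside its reach.

```nft
# Drop all egress from processes running as UID 1007, on both IPv4 and IPv6.
# Load with: nft -f egress-block.nft   (as root)
table inet egress_block {
    chain output {
        # Filter locally generated packets; everything not matched is accepted.
        type filter hook output priority 0; policy accept;

        # "inet" tables match both address families, so unlike the iptables
        # rule this also catches IPv6 traffic from the same user.
        # The log line gives the operator a record of blocked attempts.
        meta skuid 1007 log prefix "uid1007-egress-drop " counter drop
    }
}
```

Because `out` is not restricted, loopback is included too, so a local resolver on 127.0.0.1:53 or ::1 is blocked just as with the iptables rule.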



