In anonymization plugins, specify addresses that should not be anonymized or modified #276

Open
wessels opened this issue Jan 13, 2023 · 3 comments
Labels
help wanted Extra attention is needed

Comments

Member

wessels commented Jan 13, 2023

In anonymization plugins, determining client vs server by port can lead to unanonymized packets.

For example, this code:

        if (only_clients && sport == dns_port) {
            from = 0;
            break;
        }

means that if only_clients is set (-c option) and a query comes from source port 53, the source IP address will not be anonymized.

Member

jelu commented Jan 20, 2023

Hmm, yeah that's not good.

Does it make sense to change this so that if both ports are dns_port then both addresses get anonymized? Or should it break and report a fatal error?

Member Author

wessels commented Jan 20, 2023

My preferences would be:

  1. Provide a way to specify addresses that should not be anonymized or modified. This would have to be a list. For an authoritative name server we would specify the server's addresses here. This might be a significant amount of code change.
  2. If both ports are dns_port then both addresses get anonymized.
  3. Existing behavior, but with a warning or error. A command line option should specify if the condition is fatal and causes the program to exit.

jelu added a commit to jelu/dnscap that referenced this issue Jan 23, 2023
- anon plugins: Issue DNS-OARC#276: When anonymizing clients, anonymize both source and destination if they are both using the masking port since it can't be determined who's the client and who's the server
@jelu jelu mentioned this issue Jan 23, 2023
@jelu jelu changed the title from "In anonymization plugins, determining client vs server by port can lead to unanonymized packets." to "In anonymization plugins, specify addresses that should not be anonymized or modified" Jan 23, 2023
Member

jelu commented Jan 23, 2023

I'm skipping warning/fatal, think it's more important to not leak addresses so the fix will be released soon and the list option can be implemented later.

@jelu jelu added the help wanted Extra attention is needed label Feb 3, 2023
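
The three behaviours discussed in this thread, side by side, as an added example that is not dnscap's own code: the port-only decision that leaves addresses in clear, the "both ports are dns_port, anonymize both" fix, and the proposed exemption list. All function names, the `exempt` list and the addresses are hypothetical or constructed, and the destination-port check is assumed to mirror the source-port check quoted in the issue.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; every name here is hypothetical, not dnscap's. */
enum { ANON_SRC = 1, ANON_DST = 2 };

/* Constructed list of addresses that must never be anonymized (option 1). */
static const char *exempt[] = { "192.0.2.53", "2001:db8::53" };

static int is_exempt(const char *addr)
{
    /* String compare keeps the sketch short; real code would compare binary addresses. */
    for (size_t i = 0; i < sizeof(exempt) / sizeof(exempt[0]); i++)
        if (strcmp(addr, exempt[i]) == 0)
            return 1;
    return 0;
}

/* Reported behaviour: with only_clients set, the side on dns_port is taken to be
 * the server and left in clear (destination check assumed symmetric). */
static int mask_by_port(int only_clients, uint16_t sport, uint16_t dport, uint16_t dns_port)
{
    int mask = ANON_SRC | ANON_DST;
    if (only_clients && sport == dns_port) mask &= ~ANON_SRC;
    if (only_clients && dport == dns_port) mask &= ~ANON_DST;
    return mask;
}

/* Option 2: both sides on dns_port means the roles are ambiguous, so anonymize both. */
static int mask_fixed(int only_clients, uint16_t sport, uint16_t dport, uint16_t dns_port)
{
    if (only_clients && sport == dns_port && dport == dns_port)
        return ANON_SRC | ANON_DST;
    return mask_by_port(only_clients, sport, dport, dns_port);
}

/* Option 1: ignore ports and anonymize every address that is not on the list. */
static int mask_by_list(const char *src, const char *dst)
{
    return (is_exempt(src) ? 0 : ANON_SRC) | (is_exempt(dst) ? 0 : ANON_DST);
}

int main(void)
{
    printf("53->53 by port: %d, fixed: %d, by list: %d\n", mask_by_port(1, 53, 53, 53),
        mask_fixed(1, 53, 53, 53), mask_by_list("198.51.100.7", "192.0.2.53"));
    return 0;
}
```

A returned mask of 0 means neither address is anonymized, which is the leak case; 3 means both are.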