Blocking AD [srv] leaks

I'm trying to block my downstream DNS servers from forwarding on Active Directory [SRV] requests from foreign AD users.

I've put a simple regex ^_ldap in my blocklist.

According to the debug entries in the FTL log, these are being matched, i.e.:
[2019-05-21 15:03:48.330 13130] Regex in line 6 "^_ldap" matches "_ldap._tcp.sitea._sites.dc._msdcs.ad.here.com"

However, the queries are still being forwarded to my external DNS provider.
May 21 15:16:37 dnsmasq[13130]: query[SRV] _ldap._tcp.sitea._sites.dc._msdcs.ad.here.com from 192.168.100.1
May 21 15:16:37 dnsmasq[13130]: forwarded _ldap._tcp.sitea._sites.dc._msdcs.ad.here.com to 192.168.200.1
May 21 15:16:37 dnsmasq[13130]: forwarded _ldap._tcp.sitea._sites.dc._msdcs.ad.here.com to 192.168.200.2
May 21 15:16:37 dnsmasq[13130]: forwarded _ldap._tcp.sitea._sites.dc._msdcs.ad.here.com to 192.168.200.1

FTL only blocks A and AAAA requests at the moment.
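One defender-side check for this gap, added here as an example that is not part of the thread or of Pi-hole itself: a small parser over dnsmasq log lines that reports every query matching a blocklist regex which was nevertheless forwarded upstream, grouped by record type. The sample log lines are constructed after the format quoted above (the "config ... is 0.0.0.0" line stands in for a query answered locally).

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the dnsmasq log format quoted in the thread.
SAMPLE_LOG = """\
May 21 15:16:37 dnsmasq[13130]: query[SRV] _ldap._tcp.sitea._sites.dc._msdcs.ad.here.com from 192.168.100.1
May 21 15:16:37 dnsmasq[13130]: forwarded _ldap._tcp.sitea._sites.dc._msdcs.ad.here.com to 192.168.200.1
May 21 15:16:37 dnsmasq[13130]: forwarded _ldap._tcp.sitea._sites.dc._msdcs.ad.here.com to 192.168.200.2
May 21 15:16:37 dnsmasq[13130]: forwarded _ldap._tcp.sitea._sites.dc._msdcs.ad.here.com to 192.168.200.1
May 21 15:16:38 dnsmasq[13130]: query[A] _ldap._tcp.ad.here.com from 192.168.100.1
May 21 15:16:38 dnsmasq[13130]: config _ldap._tcp.ad.here.com is 0.0.0.0
May 21 15:16:39 dnsmasq[13130]: query[A] www.example.org from 192.168.100.7
May 21 15:16:39 dnsmasq[13130]: forwarded www.example.org to 192.168.200.1
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")
FORWARD_RE = re.compile(r"forwarded (?P<name>\S+) to (?P<upstream>\S+)$")


def find_leaks(log_text, block_patterns):
    """Return {(qtype, name): [upstreams]} for every query whose name matches one
    of the blocklist regexes but was still forwarded to an upstream resolver."""
    blockers = [re.compile(p) for p in block_patterns]
    last_qtype = {}            # name -> record type of the most recent query for it
    leaks = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            last_qtype[m["name"]] = m["qtype"]
            continue
        m = FORWARD_RE.search(line)
        if m and any(b.search(m["name"]) for b in blockers):
            # A locally answered query never produces a "forwarded" line,
            # so anything reaching here slipped past the blocklist.
            leaks[(last_qtype.get(m["name"], "?"), m["name"])].add(m["upstream"])
    return {key: sorted(ups) for key, ups in leaks.items()}


def leaked_types(leaks):
    """Count leaked names per record type, e.g. {"SRV": 1}."""
    counts = defaultdict(int)
    for qtype, _name in leaks:
        counts[qtype] += 1
    return dict(counts)


if __name__ == "__main__":
    for (qtype, name), upstreams in find_leaks(SAMPLE_LOG, ["^_ldap"]).items():
        print(f"LEAK {qtype:5} {name} -> {', '.join(upstreams)}")
```

Run it against a real `/var/log/pihole.log` with the same patterns as the regex blocklist; any non-A/AAAA type in the output confirms the behaviour described in the reply above.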