Block egress to specific websites by dns

Hi,

I was playing around with NetworkPolicies, egress policies in particular. My manager had a question which I have not been able to answer; I thought someone here might have come across this.

Is it possible to create a policy to deny access to specific sites, for example a pod could access google.com but not, say, bing.com?


It is possible, but dependent on your CNI driver and what sort of network policies they support. The only one that I know of that comes to mind that supports DNS names in network policies is Cilium.


We’re using Canal at the moment. Haven’t heard of Cilium before now, I will have to take a look at it.

Thanks for the assist :)

Besides specialised solutions like Cilium, you could probably achieve the same by setting up your own DNS server that has fake zones for the domains that you want to block and pointing cluster DNS at it.

Having thought about that, I figured that there must be a way to do this with CoreDNS somehow (maybe via a custom plugin), but I also recall that kube-dns uses dnsmasq and there ought to exist a way to hijack DNS with dnsmasq. Here is one simple pointer (note: you will need to customise the dnsmasq configuration inside the kube-dns pod):

Do note that DNS hijacking is not a particularly common practice; it’s somewhat of a poor sibling of a firewall, which means any rogue app will still be able to get to e.g. bing.com by using its IP address.

So, having said it’s entirely possible, I’d recommend seeking alternative solutions. Also, you may wish to check out Weave Scope; it is capable of showing connections from your pods to the internet as well as to other pods/services.

Was hoping to stick to something less off the beaten path, but it is good to know that there are other ways to accomplish the task.

Your mentioning of Weave Scope reminded me of some of the profiling features that are included in the Aqua Security platform, which we have been looking at trying out.

If such an ugly and not-really-solving-the-issue hack like blocking DNS requests to some domains helps you, an even easier way to achieve it might be to just modify the /etc/hosts file.

You can just add the domains, pointing to a blackhole IP, in the /etc/hosts file. And you can modify the /etc/hosts file in the Kubernetes YAML.

Yeah, that would work as well, but you are right, blocking DNS requests is probably not the greatest solution and could get pretty messy.

I was planning on simply using a simple whitelisted egress NetworkPolicy for our clusters. Though I can see there being a specific use case where you may want to deny egress from a Pod with the exception of a very specific API or service. I think that’s what my manager was getting at.

NetworkPolicies act on TCP level so unless IP addresses stay the same for a domain, it’s hard to block specific domains with them.

My cluster uses kube-dns. I was able to block DNS queries to specific domains with stubDomains configured to send DNS queries to blackhole nameservers. The nameservers reply back with REFUSED instead of NXDOMAIN, but this accomplishes the same thing.

kubectl -n kube-system get configmaps kube-dns -o yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-dns
  namespace: kube-system
data:
  stubDomains: |
    {"repo.anaconda.com":["blackhole-1.iana.org","blackhole-2.iana.org","prisoner.iana.org"]}
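For clusters running CoreDNS rather than kube-dns, the same effect as the stubDomains trick above can be had without a custom plugin by using the built-in template plugin, which is evaluated before forward and can answer a zone authoritatively. The ConfigMap below is an added example, not from any post in this thread; it assumes the default CoreDNS deployment in kube-system, and the blocked domain (bing.com, from the original question) is a placeholder for whatever list you maintain.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
data:
  Corefile: |
    .:53 {
        errors
        health
        ready
        # Example block list: every query type under bing.com is answered
        # with an authoritative NXDOMAIN here, so it never reaches forward.
        # The SOA in the authority section lets clients cache the negative
        # answer. As noted in the thread, this stops name resolution only;
        # a pod that already knows the IP can still connect, so pair it
        # with an egress NetworkPolicy if that matters to you.
        template IN ANY bing.com {
            rcode NXDOMAIN
            authority "{{ .Zone }} 60 IN SOA ns.{{ .Zone }} hostmaster.{{ .Zone }} (1 60 60 60 60)"
        }
        kubernetes cluster.local in-addr.arpa ip6.arpa {
            pods insecure
            fallthrough in-addr.arpa ip6.arpa
            ttl 30
        }
        prometheus :9153
        forward . /etc/resolv.conf
        cache 30
        loop
        reload
        loadbalance
    }
```

With the reload plugin enabled, CoreDNS picks up the edited ConfigMap on its own; from a pod, `nslookup bing.com` should then return NXDOMAIN while `nslookup google.com` still resolves.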