Convert pfsense into L7 FW - Adam Networks

https://youtu.be/-ZCts1Va_xc?si=CHis8l8W_C913XTj

Just listened to the latest Security Now episode and Steve mentioned this company. I found this video giving some info with how it works.

Very cool stuff. If you can block all LAN traffic bypassing your DNS then you have something special. This could turn a L4 fw like pfsense into a L7 fw (generally speaking) without all the ugliness and inefficiency of a L7 fw.

They show how to do this with a pfsense box but it looks like you have to defer all LAN rules over to this service - or, hopefully just selected vlan’s. This means I can’t be lazy and slip in east/west traffic rules based on my fixed ip, I’d have to do that via dns. There might be some other sticky issues I am not thinking about, but for the right vlan this could be the ultimate setup.

It looks like a clever product but looking at their website, it seems to be quite proprietary - they even refer to their ‘secret sauce’ in their FAQ!

I also think their coining of the phrase ‘Zero Trust’ doesn’t really relate to the more generally accepted definition of what constitutes a Zero Trust framework. Tom has been quite vocal in some of his videos about how the term is bandied about and this is a good example of that I think.

Sorry, I’m not impressed. This is basically a fancy PiHole in the cloud with user authentication attached to it, which I guess qualifies to use the term “Zero Trust”.

Also, a DNS filter is not necessarily what you would normally refer to as a (full) Layer 7 filtering solution, although technically the statement is correct, because DNS of course takes place on the application layer (layer 7), just like HTTP.

EDIT:
Ok, it seems it can be hosted locally and it has a few neat features beyond what a Pi-hole can do. And I guess it’s the “whitelist” approach that qualifies it as a “zero trust” application :wink:

But at the end of the day, it is still “just” a DNS filter, and it’s a proprietary product.

How is that? It seems to tightly tie DNS to FW rules. That is what I am most impressed about. If you can completely block DNS circumvention, then DNS becomes god on your LAN.

Not sure I care too much about their DNS whitelisting service, although that is arguably better than blacklisting. I’d just like to eliminate DOH, vpn, IP only traffic, etc.

It is proprietary but I bet this is relatively easy to implement, in various ways. Sounds cheap for me to say this now, but I had a similar idea a few years ago. I have been wanting to write a script that would list the IPs on my LAN talking to my DNS server, and then compare that to a list of IPs exiting my LAN. Then use the resulting list of IPs to create a dynamic block rule based on some time frame given. Not the same as what these guys are doing (their implementation seems much better), but it would generally do the same thing. Or at least that is what I have been wanting to test.

If this idea gains traction then open source projects will pop up with various versions of this process.

I’m not sure what “tightly tie DNS to firewall rules” is supposed to mean, but I doubt there’s any real magic involved :wink:

What it can do though, is to dynamically add firewall rules that block the IP ranges of known DoH (DNS over HTTPS) and VPN providers. However, this also means that a proprietary third-party software has full administrative access to your firewall. If you’re okay with that and trust them, I don’t think that’s necessarily a bad thing. As I said, it has some neat additional features compared to OSS solutions like Pi-hole.

How well this DoH blocking feature actually works is of course another question, especially when it comes to preventing malware or other questionable software from connecting to its home base. Because in theory, any software can send its DNS requests via HTTPS to its own DoH server, which is then unlikely to be on that blocklist. However, it will probably be good enough to stop your kids from visiting known xxx sites by using one of the known DoH or VPN providers.

Creating scripts and software is the easy part. The hard part is maintaining the IP blocklists. DoH is difficult to prevent because, on the one hand, anyone can easily set up a DoH server themselves, and on the other hand, large providers such as Google or Cloudflare use CDNs, which results in dynamically changing IP ranges.

To effectively prevent DoH, you would therefore again need a firewall that does HTTPS inspection to recognise the DNS requests in the HTTPS stream.


This looks like the ol' DNS blockers as mentioned before. What this guy is failing to mention is that it is only blocking top level domains. This cannot block sites like https://reddit.com/r/ThisIsABadSite which is what a MITM proxy can do for you. He is definitely throwing around the buzz words, but they aren’t true at all. He is just using them to fit his narrative, and individuals that don’t know any better will eat it right up.

It has ALWAYS been an uphill battle monitoring the network traffic for unauthorized use, and for him to make a video to show “how easy it is without all the bells and whistles” is ridiculous. He is a sales guy and will say anything to catch your eye and make you feel safe.

I don’t think you watched the video or get what they are doing.

It means, AFAIK, if DNS requests are not made the egress traffic to that IP is not allowed. No DNS request to a whitelisted site, no egress. Full stop. That is something different and pretty cool. DOH is shut down. VPN is shut down. IP only traffic is shut down.

It might be able to block subdomains, but the url you referenced is a true limitation. It would probably be an all or nothing block for reddit. But there are pros and cons to going down that rabbit hole of url filtering. Good luck with that.

I am not saying I buy the guys argument, I just like the concept of deny all with dynamic allow lists based on who is talking to my DNS server. It blocks a lot of traffic we are all blind to right now. If it works as advertised…

Yeah, you didn’t watch the video or get the concept.

The firewall can only prevent the DNS request if it knows that a DNS request is being made. However, when a client is sending the DNS request over HTTPS the firewall doesn’t know that. But you can of course block the IP ranges or FQDNs of known DoH providers.

EDIT: And even if it blocks everything by default and then adds allow rules (I think I get it now what they mean by whitelist / Zero Trust) when a domain or FQDN is whitelisted, or not blocked, in the DNS filter. How can it know that www.mydomain.tld isn’t hosting a DoH service? We are dealing with a chicken-and-egg problem here, which can only be solved by either maintaining lists of known FQDNs or IPs or by inspecting the traffic.

That is the heart of your filter. With dns or url filtering. If you misjudge that then you fail by your own doing. They probably want to sell you on how their fancy whitelist is dynamically updated or AI generated, but I would probably pass unless the price was right. I would just love to force users to use my dns blacklist. Just stopping reasonably known DOH, VPNs, & all IP only traffic would be huge.

You are right, you’ve got to filter something. Since this is DNS, the need for beefy firewalls fades away. Just a simple lowly L4 box will do.

And how does the filter know which URLs are good or bad?

You have a DNS filter on layer 7 that can interact with the packet filter on layer 3. That’s the “magic sauce” they are talking about on their website, which of course can’t do any real magic.

In the end, it boils down to maintaining blocklists. The advantage of interacting directly with the firewall is that you can build kind of a “zero trust” protection by only allowing connections in the firewall if the corresponding DNS request was successful.

However, this is all based on some DNS block or allow lists. It can’t work any other way. I’m not saying the product is bad. But its effectiveness depends on how well these lists are maintained, as with any other DNS-based filtering solution.

But this box will need some intelligence, because again, it doesn’t know which URLs to block all by itself. And that’s what I was referring to as the “hard part” in a previous post, and that’s what you are mainly paying for if you’re using a commercial DNS-filtering solution like DNSThngy.

Pfblockerng has a DOH list and I actually use a lot of the predefined lists you can choose from. There are very repeatable lists in there and if I was a betting man I bet a lot of these “commercial companies” use them too.

As with all things, DNS filtering isn’t a silver bullet and it’s always best practice to implement multiple layers of security in your environment. Home lab or enterprise. DNS filtering is at least one layer.


Yeah, the marginal improvement would come down to how effective their whitelist is relative to a typical blacklist. It would make some improvement blocking users from using their own (new) domain or static IP, but there could be some slippage with some CDNs or hosting domains - depending how they do it.

As long as their whitelist was not too permissive, the default deny on the dns lookup and L4 egress traffic could be a powerful combo. I used to admin a few BYOD networks, this would have been much better than my block list hacker-y.

Even on corp controlled networks, if I could influence how tight that dns whitelist is that would be cool. Then as long as you don’t allow something you shouldn’t (to bb77’s point), you have a pretty tight grip on your traffic. You got to admit that is neat little setup.

Nothing is a silver bullet, I agree. L4 perimeter security is a joke. But if this is done right it could compete with L7 - especially for BYOD networks.

Yes the concept is neat. And something I hadn’t thought of is that this method should effectively block traffic from software with hardcoded IPs. Because without a previous DNS request there will be no Allow rule in the firewall, and therefore the traffic will be blocked.
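To make the mechanism discussed in this thread concrete (the script idea of correlating which LAN hosts talked to the resolver against which hosts are sending egress traffic, and the default-deny / allow-on-successful-resolution model that blocks hardcoded-IP, DoH and VPN traffic), here is an added toy model in Python. It is not code from the thread, from pfSense or from Adam Networks; the log formats, addresses, TTLs and the per-client binding of allow entries are all constructed assumptions for illustration.

```python
"""Toy model of DNS-gated egress: a destination is reachable only if the same
client received a successful DNS answer for it and that answer has not expired.
All log lines and addresses below are constructed sample data."""

# Constructed resolver log: "<epoch> <client> <name> <answer-ip|BLOCKED> <ttl>"
DNS_LOG = """\
1000 10.0.0.5 www.example.com 93.184.216.34 300
1005 10.0.0.5 tracker.bad.example BLOCKED 0
1010 10.0.0.7 api.example.org 203.0.113.10 60
"""

# Constructed egress flow log: "<epoch> <src> <dst> <dport> <proto>"
FLOW_LOG = """\
1001 10.0.0.1 9.9.9.9 853 tcp
1002 10.0.0.5 93.184.216.34 443 tcp
1006 10.0.0.5 198.51.100.9 443 tcp
1012 10.0.0.7 203.0.113.10 443 tcp
1020 10.0.0.7 93.184.216.34 443 tcp
1030 10.0.0.5 1.1.1.1 443 tcp
1050 10.0.0.9 192.0.2.77 51820 udp
1120 10.0.0.7 203.0.113.10 443 tcp
"""

# Static exceptions that exist regardless of DNS: here the resolver itself
# (10.0.0.1, constructed) reaching its upstream over DNS-over-TLS.
STATIC_ALLOW = {("10.0.0.1", "9.9.9.9", 853)}


def parse_dns_log(text):
    """Return (ts, client, name, ip, ttl) for successful answers only.
    Names blocked by the DNS filter produce no entry, so egress to them stays denied."""
    answers = []
    for line in text.splitlines():
        ts, client, name, answer, ttl = line.split()
        if answer == "BLOCKED":
            continue
        answers.append((int(ts), client, name, answer, int(ttl)))
    return answers


def build_allow_table(answers, grace=30):
    """Map (client, dst_ip) -> (first_seen, expiry, name).
    Entries live for TTL plus a grace period so a connection opened right after
    the answer is not cut off; a later answer for the same pair extends expiry."""
    table = {}
    for ts, client, name, ip, ttl in answers:
        key = (client, ip)
        expiry = ts + ttl + grace
        if key in table:
            first_seen, old_expiry, _ = table[key]
            table[key] = (min(first_seen, ts), max(old_expiry, expiry), name)
        else:
            table[key] = (ts, expiry, name)
    return table


def classify_flow(table, ts, src, dst, dport, proto, static_allow=STATIC_ALLOW):
    """Decide a single egress flow: 'allow' or 'deny' plus a human-readable reason."""
    if (src, dst, dport) in static_allow:
        return "allow", "static rule"
    entry = table.get((src, dst))
    if entry is None:
        # No resolution by this client: hardcoded IP, DoH to an unresolved
        # resolver, VPN endpoint, or a name the DNS filter refused.
        return "deny", f"no DNS answer for {dst} from {src} ({proto}/{dport})"
    first_seen, expiry, name = entry
    if ts < first_seen:
        return "deny", f"flow predates the DNS answer for {name}"
    if ts >= expiry:
        return "deny", f"DNS answer for {name} expired"
    return "allow", f"resolved {name}"


def classify_flows(dns_text, flow_text, grace=30):
    """Run every flow line through the allow table; returns [(line, verdict, reason)]."""
    table = build_allow_table(parse_dns_log(dns_text), grace)
    results = []
    for line in flow_text.splitlines():
        ts, src, dst, dport, proto = line.split()
        verdict, reason = classify_flow(table, int(ts), src, dst, int(dport), proto)
        results.append((line, verdict, reason))
    return results


def dns_less_sources(results):
    """Sorted list of LAN hosts that sent egress without a matching DNS answer;
    this is the list a dynamic block rule (or an alert) would be built from."""
    return sorted({line.split()[1] for line, verdict, _ in results if verdict == "deny"})


if __name__ == "__main__":
    for line, verdict, reason in classify_flows(DNS_LOG, FLOW_LOG):
        print(f"{verdict:5} {line:45} {reason}")
    print("hosts with DNS-less egress:", dns_less_sources(classify_flows(DNS_LOG, FLOW_LOG)))
```

Binding each allow entry to the client that made the query is a design choice of this model: it is what makes the flow from 10.0.0.7 to an address that only 10.0.0.5 resolved fail, and it is also what makes the per-host analysis in the last function possible. The expiry check shows the TTL problem raised in the thread with CDN-hosted services: a long-lived connection that outlives the answer has to be re-resolved or it is cut off, and how a real product handles that window is product-specific.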

Hi everyone… I noticed this thread in the background of one of Tom’s recent videos, and had to check it out :smiley:

I work for a Canadian MSP and I’ve been using the Adam:ONE DNS service on most of our clients’ firewalls for a couple of years now. So far we’ve been pretty satisfied with it. It helps immensely with providing and managing effective DNS protection across many firewalls, and provides granularity in block/allow policies that isn’t currently available with pfBlocker.

I initially discovered Adam Networks while looking for a solution to block BitTorrent traffic for a client, once and for all. Adam’s ability to block DNSless traffic (DTTS) does the trick nicely, and does so network-wide.

It’s also the only DNS resolver that I’ve come across so far, that actually handles Active Directory DNS properly. This makes it easy to eliminate the domain controller as a single point of failure.

Another interesting perk is their ‘DNSharmony’ - Adam uses upstream DNS services like cloudflare, quad9, OpenDNS, etc as a layer of protection, and you can select multiple services to use all together. All of the selected upstream servers need to agree that a domain is safe, otherwise it will be blocked.

Anyways, I don’t intend this to read as a sales pitch, I just wanted to share my experience with Adam Networks here.

Good to hear feedback from somebody who has used the product.

Does this setup work as advertised? So a technical guy like yourself can’t bypass the DNS firewall by using your own server or custom domain not on the blacklists? So SSH, VPN, DoH, or proxy, etc, are all dead. If they have shut down the technical guys using their own gear, they have something special.

I know I stand alone here, but I still think this general process has the potential to kill L7 filtering (beyond natural forces). And it does it with modest hardware requirements to boot. If this general concept takes off I hope to see some open source tooling that does the same basic thing.

This sounds like the same old story of commercial dns block providers with all the buzz words to try and make them stand out. There is no way to compete with actual layer 7 filtering (aka MITM). All DNS blockers can do is block top level, subdomains and IP. It cannot go any further than that… period.

It cannot, for example, block sites like a subreddit for adult content because DNS blockers can only block Reddit.com or subdomain.reddit.com and not Reddit.com/r/adultcontent

You are really stuck on the URL filtering exception. I imagine your URL filter is massive if you are going to chase down every possible reddit URL. That sounds like a lot of work for very marginal returns. If somebody needs access to reddit, then give that person access by exception. As for bad guys lurking in your network, domain or subdomain blocks work great.

I have never heard of DNS filter that interacts with the FW to block all IPs not tied to DNS queries in their resolver. That is unique AFAIK. I bet if this works as I understand it you wouldn’t be able to get out with your box. Your attempt to tunnel out to IP or custom domain would fail. You would have to try and use a cloud provider that is on the white list. Which, if it is on that list would allow you out. But if the end user (customer) could filter that list and block those providers you’d be back to square one. If done right, I could see this being a hard stop. If not, show me how you’d get out beyond what I just mentioned.