Outgoing firewall and CNAMES
Hi guys,
I use an outgoing policy of deny on webservers, and allow explicitly
what I need them to connect to. This has never posed a problem, until
today. I need to allow a website to pull in a feed from another site,
hosted on amazon's elastic cloud thingy. The problem is, the DNS name
is a CNAME to a CNAME to a CNAME, like:
;; ANSWER SECTION:
api.example.com.s3.amazonaws.com. 7519 IN CNAME s3-directional-w.amazonaws.com.
s3-directional-w.amazonaws.com. 3129 IN CNAME s3-directional-w.geo.amazonaws.com.
s3-directional-w.geo.amazonaws.com. 3722 IN CNAME s3-1-w.amazonaws.com.
s3-1-w.amazonaws.com. 16 IN A 207.171.163.34
The final IP varies wildly. Now, I have compiled what I think is the
entire range, and I have found some lists online that more or less
match. But here's the problem. If I allow apache to make outbound
connections to anything hosted on Amazon, then nothing stops an attacker
from putting his remote includes on amazon too.
The only thing I can think of is something along the lines of:
1. Add one amazon IP to /etc/hosts for api.example.com
2. Allow that IP on the OUTGOING chain
3. Script something to run the feed request against the IP and verify
that the response is what we expect. If it isn't, I can do some further
checks to see if the feed is down or if the IP has changed, or it can just
alert me.
How do you guys deal with this kind of problem?
Thanks
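One way to implement the three-step idea in the post above (pin one IP, allow it in the OUTGOING chain, and periodically verify the feed from that IP), written as an added example rather than the poster's own script. The feed hostname, path, pinned IP, expected body marker and the chain name are assumptions for illustration; the fetch and resolve steps are injectable so the classification logic can be exercised without network access.

```python
"""Pinned-IP feed check (added example, not from the original post).

The feed host is pinned to one IP (via /etc/hosts) and that IP is allowed in
the OUTGOING chain. A periodic check fetches the feed from the pinned IP and
verifies the body; on failure it distinguishes "feed is down" from "the
pinned IP is no longer one the name resolves to" so the operator knows
whether to re-pin or just wait.
"""
import socket
import urllib.request
from typing import Callable, Iterable, List, Set

FEED_HOST = "api.example.com.s3.amazonaws.com"  # assumed feed hostname (from the post's dig)
PINNED_IP = "207.171.163.34"                     # assumed pinned IP (the A record in the post)
FEED_PATH = "/feed.xml"                           # assumed feed path
EXPECTED_MARKER = b"<rss"                         # assumed: bytes a valid feed body must contain


def resolve_all(host: str) -> Set[str]:
    """Every IPv4 address the name currently resolves to (the resolver follows the CNAME chain)."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)}


def fetch_from_ip(ip: str, host: str, path: str, timeout: float = 10.0) -> bytes:
    """Fetch http://host/path while connecting to ip.

    The Host header still carries the real name: a virtual-hosted S3 bucket is
    selected by Host, so connecting by bare IP without it returns the wrong thing.
    """
    req = urllib.request.Request("http://%s%s" % (ip, path), headers={"Host": host})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def check_feed(fetch: Callable[[], bytes], resolve: Callable[[], Iterable[str]],
               pinned_ip: str, marker: bytes) -> str:
    """Classify the state of the pinned feed.

    Returns:
      "ok"          body fetched from the pinned IP and it contains the expected marker
      "feed-down"   fetch failed or body mismatched, but DNS still includes the pinned IP
      "ip-changed"  fetch failed or body mismatched, and the pinned IP is no longer in DNS
      "dns-error"   fetch failed and the name could not be resolved at all
    """
    try:
        good = marker in fetch()
    except OSError:            # connection refused, timeout, etc.
        good = False
    if good:
        return "ok"
    try:
        current = set(resolve())
    except OSError:            # socket.gaierror is an OSError subclass
        return "dns-error"
    return "feed-down" if pinned_ip in current else "ip-changed"


def iptables_rules(ip: str, chain: str = "OUTGOING", port: int = 80) -> List[str]:
    """The allow rule for the pinned IP in the post's OUTGOING chain (chain name assumed)."""
    return ["iptables -A %s -p tcp -d %s --dport %d -j ACCEPT" % (chain, ip, port)]


if __name__ == "__main__":
    state = check_feed(
        fetch=lambda: fetch_from_ip(PINNED_IP, FEED_HOST, FEED_PATH),
        resolve=lambda: resolve_all(FEED_HOST),
        pinned_ip=PINNED_IP,
        marker=EXPECTED_MARKER,
    )
    print("feed state:", state)
    if state == "ip-changed":
        # Operator action: update /etc/hosts and the firewall rule to one of the current answers.
        print("ALERT: re-pin %s; current answers: %s" % (FEED_HOST, sorted(resolve_all(FEED_HOST))))
        for rule in iptables_rules(sorted(resolve_all(FEED_HOST))[0]):
            print("suggested rule:", rule)
```

Run it from cron against the pinned IP; "ip-changed" is the case where the /etc/hosts entry and the firewall rule need updating together, while "feed-down" means the IP is still valid and the check should just retry or alert. Note that the check only confirms the response looks like the feed; it does not stop a compromised server-side include from reaching that same IP, since the rule allows any connection to it on the port.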