Block subdomains?

General discussions about Little Snitch
mutant
Posts: 8
Joined: Wed Jul 15, 2009 3:41 am

Re: Block subdomains?

Post by mutant » Thu Jul 16, 2009 10:18 pm

I'd like to resurrect this thread. I'd like to see some wildcard possibilities as well. Devs?

egrieco
Rank 1
Posts: 27
Joined: Sun Jul 22, 2007 5:29 pm
Location: Arizona

Re: Block subdomains?

Post by egrieco » Fri Jul 17, 2009 3:44 pm

Yeah, I'd like to see some movement here as well. It's been about nine months since I've posted with no noticeable acknowledgement or change in the software.

Anything happening?

Dogzilla
Posts: 1
Joined: Thu Aug 06, 2009 11:29 pm

Re: Block subdomains?

Post by Dogzilla » Thu Aug 06, 2009 11:30 pm

Count me in - I'd also like the ability to use wildcards for both IPs and canonical names in block/allow rules

paulc
Rank 2
Posts: 62
Joined: Fri May 22, 2009 7:13 pm

Re: Block subdomains?

Post by paulc » Fri Aug 07, 2009 4:37 pm

Me too, although I'd like an option to block or allow the TLD, so all subdomains are equally affected. Having an option to block TLDs or not is the most flexible way to go to cover the largest number of customers.

Razor
Posts: 1
Joined: Mon Aug 17, 2009 11:14 pm

Re: Block subdomains?

Post by Razor » Mon Aug 17, 2009 11:21 pm

I use Parallels to run Windows on a Macbook, and under Windows I use the avast! antivirus application that logs in to their server several times during windows logon. Little Snitch currently has approx. 60 avast sites allowed, which means me clicking "allow forever" for parallels/avast so many times. 'Unfortunately' they have a lot of download servers for virus info updates and the program randomly visits them. I put in an allow 'avast.com' rule, but somehow it does not seem to allow all subdomains.

It would be very useful if LS could handle wildcards for subdomains as it is a hassle to wait around to see if there are any confirmation windows to click on that stop other processes in the background.

Best,

Simon

mutant
Posts: 8
Joined: Wed Jul 15, 2009 3:41 am

Re: Block subdomains?

Post by mutant » Mon Aug 17, 2009 11:24 pm

It would be simply awesome to get the company to at least say "No" or something. This silence is pretty fraking frustrating..

h1d
Posts: 12
Joined: Wed Aug 12, 2009 3:53 pm

Re: Block subdomains?

Post by h1d » Wed Aug 19, 2009 7:41 pm

I'm not a developer, but I find this hard to implement.

Since firewalls check packet headers, where IP numbers are present and obviously not in the form of DNS names, if a wildcard had to be there to match on certain domains, LS would have to start querying the DNS for every packet to a different IP every once in a while to see if it matches the given domain, which sounds like a bit of a hit on performance, since every app has to wait till the DNS responds. (Which may not be too big of a problem on big names like *.apple.com)

And on top of that, the biggest problem is, if the IP in question, of the outgoing packet being inspected, does not have a reverse DNS lookup given or resolves to something that is different than the domain that resolves to the IP, I don't see how this could be useful. Since, for this to work, the DNS has to be looked up from the IP and not the other way around like regular DNS lookups from names to IPs.

In case of dynamic DNS names, does LS even check on the change of IP after it has registered with a certain IP once?

While sounding practical, this is a kind of low-performing and unreliable method of inspection. (Could slip through packets if xyz.apple.com resolves to 1.2.3.4, but 1.2.3.4 does not resolve back to xyz.apple.com, when the user selects *.apple.com to be blocked.)

Not too sure of what the most practical solution to this problem is (except I may be too sleepy at 3am...)

mutant
Posts: 8
Joined: Wed Jul 15, 2009 3:41 am

Re: Block subdomains?

Post by mutant » Tue Aug 25, 2009 4:11 pm

h1d wrote:I'm not a developer, but I find this hard to implement.

Since firewalls check packet headers, where IP numbers are present and obviously not in the form of DNS names, if a wildcard had to be there to match on certain domains, LS would have to start querying the DNS for every packet to a different IP every once in a while to see if it matches the given domain, which sounds like a bit of a hit on performance, since every app has to wait till the DNS responds. (Which may not be too big of a problem on big names like *.apple.com)

And on top of that, the biggest problem is, if the IP in question, of the outgoing packet being inspected, does not have a reverse DNS lookup given or resolves to something that is different than the domain that resolves to the IP, I don't see how this could be useful. Since, for this to work, the DNS has to be looked up from the IP and not the other way around like regular DNS lookups from names to IPs.

In case of dynamic DNS names, does LS even check on the change of IP after it has registered with a certain IP once?

While sounding practical, this is a kind of low-performing and unreliable method of inspection. (Could slip through packets if xyz.apple.com resolves to 1.2.3.4, but 1.2.3.4 does not resolve back to xyz.apple.com, when the user selects *.apple.com to be blocked.)

Not too sure of what the most practical solution to this problem is (except I may be too sleepy at 3am...)


Currently when I look at my ruleset, I see all hostnames anyway, not IP addresses, so I think that to say it cannot be done because of IP addresses or reverse mapping is not valid, since it currently works based on the nameserver hostname lookup.

Actually.. Now I'm just hoping they get 64bit Snow Leopard port done, because I don't want to move to SL without my snitch... :(

h1d
Posts: 12
Joined: Wed Aug 12, 2009 3:53 pm

Re: Block subdomains?

Post by h1d » Sat Aug 29, 2009 8:54 pm

Apparently I don't know how it works inside, but doesn't the IP lookup happen just the single time when the entry is added?

When you add a rule, IP is displayed when you enter a host name, and that is when it gets resolved but does it ever get updated? I'm not sure.

Do you actually understand the problem? Reverse lookup alone sure works... except, it may not resolve back to the domain you're trying to block or pass.

I guess that, say you wanted to block "*.distrowatch.com" (a nice site by the way), you would add that domain into the rules, if LS would ever have such a feature.
Now when you access "www.distrowatch.com" through the browser, it will access it using the IP resolved from that domain. At this moment, LS or anything else besides the browser doesn't know that it is going to the domain "www.distrowatch.com", because only the IP is given to the network stack. Now, if you actually type these commands into the terminal,

nslookup www.distrowatch.com
nslookup 66.180.174.35 (<- supposedly the IP given by the last nslookup)

you will see that it will not resolve back to anything close to distrowatch.com, thus if LS is registered to drop that domain with a wildcard that you can't possibly resolve beforehand, how would LS know about the IP and domain relation? That's what I mean by unreliable. When LS captures the network activity and looks up the domain, it may not match the given domain that would resolve to the same IP but not the other way around.

And what's worse, since the IP is not determined beforehand when blocking a wildcard domain, it has to look up DNS names for every packet to a different target IP, and that certainly isn't good; basically it will choke your system waiting on DNS responses, since LS wouldn't want to pass the packet until a DNS response is back, and some DNS queries simply wouldn't respond and would wait for a timeout of about 10 seconds or so while your network application thinks the network is dead.

Now that I think about it while writing... since every application needs to actually resolve the domain given by the user to the IP at least once before attempting to connect, can't LS just look at a locally cached DNS response and consult it to decide which IP to block? Then LS doesn't have to reverse lookup on every packet and confront some differently resolved domain from that. It can actually block wildcard domains in a mostly accurate way. It's not perfect but not too far off in my opinion.
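The two approaches h1d contrasts above, and the rule semantics the rest of the thread asks for, as an added worked example that is not Little Snitch's code and does not describe how Little Snitch actually works. It compares deciding by reverse (PTR) lookup of the destination IP against deciding from a cache of the forward (A) answers the application itself received just before connecting, and it treats "*.domain" as matching any name below the domain while a bare "domain" matches only exactly (the behaviour Razor observed with his "avast.com" rule). All DNS data, IPs, names and TTLs in the block are constructed for the example.

```python
"""Added example: matching outgoing connections to wildcard hostname rules.

Two strategies are compared:
  1. decide_by_reverse_lookup: PTR-resolve the destination IP and compare.
  2. decide_by_dns_cache: remember forward (A) answers seen on the wire and
     match on the name the application actually resolved.
Every DNS answer below is constructed for the example (documentation
addresses, hypothetical PTR names); nothing is looked up on the network.
"""

# Rules in the style requested in this thread: (pattern, action).
# "*.dom" covers any name below dom; a bare name matches exactly, so a rule
# for "avast.com" alone would not cover "update.avast.com".
RULES = [
    ("*.distrowatch.com", "deny"),
    ("www.example.org", "allow"),
]

# Constructed forward answers a DNS-observing firewall would have seen:
# name -> (list of IPs, TTL in seconds).
FORWARD_ANSWERS = {
    "www.distrowatch.com": (["203.0.113.10"], 300),
    "mirror.distrowatch.com": (["203.0.113.11", "203.0.113.12"], 300),
    "www.example.org": (["198.51.100.7"], 60),
}

# Constructed reverse answers. Hosting providers often return a generic
# PTR name (or none at all), which is h1d's distrowatch observation.
REVERSE_ANSWERS = {
    "203.0.113.10": "host-10.hosting-provider.example",
    "203.0.113.11": None,  # no PTR record published
    "198.51.100.7": "www.example.org",
}


def host_matches(pattern, hostname):
    """True if hostname is covered by pattern ("*.dom" wildcard or exact)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".distrowatch.com": the dot prevents "evildistrowatch.com"
        return hostname.endswith(suffix)
    return hostname == pattern


def decide(hostnames, rules):
    """First matching rule wins; no known name or no match means 'ask' (a prompt)."""
    for pattern, action in rules:
        if any(host_matches(pattern, h) for h in hostnames):
            return action
    return "ask"


def decide_by_reverse_lookup(ip, rules, ptr_table):
    """Strategy 1: trust only the PTR name for the destination IP."""
    name = ptr_table.get(ip)
    return decide([name] if name else [], rules)


class DnsAnswerCache:
    """Strategy 2: IP -> {name: expiry} built from observed forward answers.

    Honouring the TTL answers the thread's question about whether a rule
    entry is ever updated: an expired mapping is simply no longer used.
    """

    def __init__(self):
        self._by_ip = {}

    def observe(self, name, ips, ttl, now):
        for ip in ips:
            self._by_ip.setdefault(ip, {})[name.lower()] = now + ttl

    def names_for(self, ip, now):
        return {n for n, exp in self._by_ip.get(ip, {}).items() if exp > now}


def decide_by_dns_cache(ip, rules, cache, now):
    return decide(cache.names_for(ip, now), rules)


def run_demo(now=1000.0):
    """Populate the cache from the constructed answers and decide three IPs."""
    cache = DnsAnswerCache()
    for name, (ips, ttl) in FORWARD_ANSWERS.items():
        cache.observe(name, ips, ttl, now)
    results = {}
    for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.7"):
        results[ip] = {
            "reverse": decide_by_reverse_lookup(ip, RULES, REVERSE_ANSWERS),
            "cache": decide_by_dns_cache(ip, RULES, cache, now + 1),
            "cache_after_ttl": decide_by_dns_cache(ip, RULES, cache, now + 3600),
        }
    return results


if __name__ == "__main__":
    for ip, outcome in run_demo().items():
        print(ip, outcome)
```

The reverse-lookup strategy misses both distrowatch hosts (a generic PTR name and a missing PTR both fall through to "ask"), while the forward-answer cache denies them because it saw the names the browser resolved; once the cached record's TTL has passed, the cache strategy also falls back to "ask" rather than acting on a stale mapping.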

aps
Posts: 5
Joined: Mon Sep 03, 2007 7:51 pm

Re: Block subdomains?

Post by aps » Tue Sep 08, 2009 8:30 pm

I'm adding my voice to this, as well. I asked for this very useful feature when I first installed Little Snitch in 2004.

This would be REALLY useful....

aps.

exabrial
Posts: 1
Joined: Wed Sep 09, 2009 12:01 am

Re: Block subdomains?

Post by exabrial » Wed Sep 09, 2009 12:02 am

I've bought two versions of little snitch now :) I'd like to see this too

eodnhoj1
Posts: 3
Joined: Wed Sep 16, 2009 1:42 pm

Re: Block subdomains?

Post by eodnhoj1 » Sat Sep 19, 2009 9:15 pm

Count me in. Wildcards would be lovely.

*.avast.com
*.microsoft.com
*.ubuntu.com
*.2o7.net
*.doubleclick.com

pbe
Posts: 2
Joined: Thu Oct 22, 2009 11:02 pm

Re: Block subdomains?

Post by pbe » Sun Oct 25, 2009 11:33 pm

I would also like to have subdomain blocking

tromby24
Posts: 1
Joined: Mon Oct 26, 2009 5:25 am

Re: Block subdomains?

Post by tromby24 » Tue Oct 27, 2009 8:33 am

I did two rules for All Applications:
Deny connections to *.2o7.net
Deny connections to *.207.net

And so far it seems to be working, although it will surely slow you down because of the time it consumes.

paulc
Rank 2
Posts: 62
Joined: Fri May 22, 2009 7:13 pm

Re: Block subdomains?

Post by paulc » Tue Oct 27, 2009 7:14 pm

tromby24 wrote:I did two rules for All Applications:
Deny connections to *.2o7.net
Deny connections to *.207.net

And so far it seems to be working, although it will surely slow you down because of the time it consumes.


That assumes wild cards such as you've used are valid... and if nobody from ObjDev has said wild cards CAN be used, what you did most likely ONLY works with the TLD.

Not to mention that I find it hard to believe it's all that hard to add wild card support... it sure would GREATLY enhance the product at very little "cost."
