Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Explanation on Why the Build Job is Successful in the DNS Tutorial #126

Closed
cedricvanrompay-datadog opened this issue May 15, 2023 · 2 comments

Comments

@cedricvanrompay-datadog

I just tried the following tutorial: https://github.com/step-security/attack-simulator/blob/1948a848cc4bdfb224343b29b9ca010da3488c12/docs/DNSExfiltration.md

Here is the fork I created: https://github.com/DataDog/step-security-agent-attack-simulator

At the end I do get the same result as the screenshot in the tutorial, that is, the "build" job is successful but has an "Error: DNS resolution [...] was blocked" annotation.

However, I am quite surprised that the build job is successful if the hardened runner blocked the DNS resolution, right?

Moreover, if I click on the "build" job and expand the "Simulate DNS traffic" section, it looks like the DNS call was successful, meaning that the DNS exfiltration attack would have worked right?

Run domain="${GITHUB_REPOSITORY}.stepsecurity.io"
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	DataDog-step-security-agent-attack-simulator.stepsecurity.io
Address: 54.185.253.63

Isn't this "a valid response from the DNS server"?

@varunsh-coder
Copy link
Member

I just tried the following tutorial: https://github.com/step-security/attack-simulator/blob/1948a848cc4bdfb224343b29b9ca010da3488c12/docs/DNSExfiltration.md

Here is the fork I created: https://github.com/DataDog/step-security-agent-attack-simulator

Hi @cedricvanrompay-datadog, thanks a lot for trying this out and creating the issue!

I am sorry for the delay in responding. I had not noticed the issue.

At the end I do get the same result as the screenshot in the tutorial, that is, the "build" job is successful but has an "Error: DNS resolution [...] was blocked" annotation.

However, I am quite surprised that the build job is successful if the hardened runner blocked the DNS resolution, right?

harden-runner does not fail a job if a DNS request or a network connection is blocked. The job might fail if it needs the connection, but harden-runner does not cause it to fail. This is a design decision, as some jobs make calls to endpoints that are not needed but not in the allowed list (example), which may cause jobs to fail unnecessarily. We have an issue tracking this to provide a flag to fail the job if any traffic is blocked/ harden-runner annotation is added.
step-security/harden-runner#195

Moreover, if I click on the "build" job and expand the "Simulate DNS traffic" section, it looks like the DNS call was successful, meaning that the DNS exfiltration attack would have worked right?

Run domain="${GITHUB_REPOSITORY}.stepsecurity.io"
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	DataDog-step-security-agent-attack-simulator.stepsecurity.io
Address: 54.185.253.63

Isn't this "a valid response from the DNS server"?

When harden-runner blocks DNS exfiltration, it returns our sinkhole IP address instead of blocking the request.
You can see the code here.
https://github.com/step-security/agent/blob/main/dnsproxy.go#L193-L213
This enables the rest of the steps to continue, where a network connection may be established after the DNS request, and this enables us to find the process that made the call. So, what you see is a valid response from our DNS proxy but also a valid DNS exfiltration block. Please let me know if you have any follow up questions. Thanks!

@cedricvanrompay-datadog
Copy link
Author

Thanks for your answers!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants