tetragon / dns-only-specified-servers.yaml
# This tracing policy 'dns-only-specified-servers' will report attempts
# to send outbound TCP and UDP traffic to port 53 on any IP address
# other than those within the specified list (127.0.0.53), and will kill
# the offending process.
#
# Description:
#  Report and block outbound TCP and UDP connections to any DNS servers
#  not in the approved list.
#
# In production, this could be used to force processes to only connect
# to approved DNS servers and to treat transgressions as evidence of
# malicious activity, resulting in the process being killed.
#
# The removal of the matchActions section would cause the policy to only
# report transgressions and not kill the offending processes, which
# might be useful in tracking poorly configured services without killing
# processes.
#
# Note: This policy uses the ip_output hook (which is hit for every
# outbound datagram) as this is required to identify matching UDP
# datagrams. This hook handles both TCP and UDP protocols so no TCP-
# specific (e.g. tcp_connect) hook is required in addition.
#
# Note: ip_output is the IPv4 transmit path, so IPv6 DNS traffic (which
# goes through ip6_output) is not seen by this policy, and DNS carried
# over TLS (port 853) or HTTPS (port 443) is not matched by the port 53
# selector. The Sigkill action is delivered to the task that is running
# when the kprobe fires.

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "dns-only-specified-servers"
spec:
  kprobes:
  - call: "ip_output"
    syscall: false
    args:
    - index: 2
      type: "skb"
    selectors:
    - matchArgs:
      - index: 2
        operator: "Protocol"
        values:
        - "IPPROTO_TCP"
        - "IPPROTO_UDP"
      - index: 2
        operator: "DPort"
        values:
        - "53"
      - index: 2
        operator: "NotDAddr"
        values:
        - "127.0.0.53"
      matchActions:
      - action: "Sigkill"