THIS IS A SAMPLE PROOF OF CONCEPT SCRIPT
Pulls DoH domains and resolves them to IP addresses (from: https://github.com/curl/curl/wiki/DNS-over-HTTPS). Then it creates a Network Group Object in Firepower to be blocked (or used for something else). This can be used to block DoH and enforce Umbrella. More information on that can be found at the following link: https://support.umbrella.com/hc/en-us/articles/230904088-Preventing-Circumvention-of-Cisco-Umbrella-with-Firewall-Rules
Please contact me, Christopher Van Der Made chrivand@cisco.com, if you have any questions or remarks. If you find any bugs, please report them to me, and I will correct them (or do a pull request).
These instructions will enable you to download the script and run it, so that the output can be used in Firepower as Group Objects. What do you need to get started? Please find a list of tasks below:
You need the IP address (or domain name) of the FMC, the username and password. It is recommended to create a separate FMC login account for API usage, otherwise the admin will be logged out during every API call. Add the IP/Domain of FMC, the username and password to the config.json file.
In the FMC, go to System > Configuration > REST API Preferences to make sure that the REST API is enabled on the FMC.
A Network Group object will be created automatically during the first run of the script.
It is also recommended to download an SSL certificate from FMC and put it in the same folder as the scripts. This will be used to securely connect to FMC. In the config_file.json file, set the "SSL_VERIFY" parameter to true, and then set "SSL_CERT" to be the path to the FMC's certificate.
If you do not have the needed Python libraries set up, you will get an error when executing the script. You will need to install the "requirements.txt" file like this (make sure you are in the same directory as the cloned files live):
pip install -r requirements.txt
python3.6 doh_ip_resolving.py
intervalScheduler(WebServiceParser, 3600)  # set to 1 hour
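As an added example (not the project's own code), the core of the workflow described above in one place: extract the DoH server hostnames from the curl wiki markdown, resolve them to IP addresses, and build the request body for the FMC Network Group object. The wiki excerpt and the resolver table are constructed for the example, and the NetworkGroup "literals" schema and the POST path are assumptions about the FMC REST API.

```python
import ipaddress
import json
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample of the curl DoH wiki table (not fetched from GitHub here).
SAMPLE_WIKI = """
| Who runs it | Base URL | Comment |
| Google | https://dns.google/dns-query | |
| Cloudflare | https://cloudflare-dns.com/dns-query https://1.1.1.1/dns-query | |
| Quad9 | https://dns.quad9.net/dns-query | filtered |
"""
# Hostname (or IP literal) of every https:// URL in the table.
HOST_RE = re.compile(r"https://([A-Za-z0-9.-]+)(?::\d+)?/")

def extract_doh_hosts(markdown: str) -> List[str]:
    """Unique DoH server hostnames found in the wiki text, sorted."""
    return sorted(set(HOST_RE.findall(markdown)))

def _live_resolver(host: str) -> List[str]:
    """Default resolver: IPv4 A records via the OS resolver (needs network)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 443, socket.AF_INET)})

def resolve_hosts(hosts: Iterable[str],
                  resolver: Optional[Callable[[str], List[str]]] = None) -> List[str]:
    """Resolve hosts to IPs; IP literals pass through; unresolvable hosts are skipped."""
    resolver = resolver or _live_resolver
    ips = set()
    for host in hosts:
        try:
            ips.add(str(ipaddress.ip_address(host)))  # already an IP literal
            continue
        except ValueError:
            pass
        try:
            ips.update(resolver(host))
        except OSError:
            continue  # one dead hostname must not abort the whole scheduled run
    return sorted(ips, key=lambda ip: (ipaddress.ip_address(ip).version,
                                       ipaddress.ip_address(ip)))

def build_network_group(name: str, ips: Iterable[str]) -> Dict:
    """Body for POST .../object/networkgroups (assumed schema: one Host literal per IP)."""
    return {"name": name, "type": "NetworkGroup",
            "literals": [{"type": "Host", "value": ip} for ip in ips]}

if __name__ == "__main__":
    live = resolve_hosts(extract_doh_hosts(SAMPLE_WIKI))
    print(json.dumps(build_network_group("DoH_Servers", live), indent=2))
```

Because the resolver is injectable, the resolution step can be exercised without network access, and a hostname that fails to resolve is skipped instead of failing the hourly run.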
This can be an example of a policy in FMC:
DNS-over-HTTPS (DoH) is a standard for performing DNS resolution via the HTTPS protocol. Instead of sending plain text DNS requests on port 53 (n.a. for Umbrella), a client connects to a DoH-compatible DNS server over an encrypted HTTPS connection instead of a plain text one.
Risks, why would you NOT use it:
Business outcomes:
You can find the installation instructions on Cisco DevNet Code Exchange.
The NSA also recommends taking a similar approach and blocking DoH. Read more here.
Please check out the Firepower Management Center sandbox to give this a try yourself!