GitHub user rhtyd reopened a pull request: https://github.com/apache/cloudstack/pull/1663
[LTS/blocker] CLOUDSTACK-6432: Prevent DNS reflection attacks

CLOUDSTACK-6432: Prevent DNS reflection attacks

DNS on VR should not be publicly accessible as it may be prone to DNS amplification/reflection attacks. This fixes the issue by only allowing VR DNS (port 53) to be accessible from guest network cidr, as per the fix in: https://issues.apache.org/jira/browse/CLOUDSTACK-6432

- Only allows guest network cidrs to query VR DNS on port 53.
- Includes marvin smoke test that checks the VR DNS accessibility from guest and non-guest network.
- Fixes Marvin sshClient to avoid using ssh agent when password is provided; previously some environments may have seen 'No existing session' exception without this fix.
- Adds a new dnspython dependency that is used to perform dns resolutions in the tests.

Due to repository commit issues I've created this PR, based on #1653.

/cc @jburwell @karuturi @NuxRo @ustcweizhou @wido and others

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/shapeblue/cloudstack 4.9-dnsreflection-attack

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1663.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #1663

----
commit 56ad2c83ae2fb8f3cb74df15ed57a35c795ebced
Author: Rohit Yadav <rohit.ya...@shapeblue.com>
Date:   2016-08-22T09:31:41Z

    CLOUDSTACK-6432: Prevent DNS reflection attacks

    DNS on VR should not be publicly accessible as it may be prone to DNS
    amplification/reflection attacks. This fixes the issue by only allowing
    VR DNS (port 53) to be accessible from guest network cidr, as per the
    fix in: https://issues.apache.org/jira/browse/CLOUDSTACK-6432

    - Only allows guest network cidrs to query VR DNS on port 53.
    - Includes marvin smoke test that checks the VR DNS accessibility from
      guest and non-guest network.
    - Fixes Marvin sshClient to avoid using ssh agent when password is
      provided; previously some environments may have seen 'No existing
      session' exception without this fix.
    - Adds a new dnspython dependency that is used to perform dns
      resolutions in the tests.

    Signed-off-by: Rohit Yadav <rohit.ya...@shapeblue.com>
----
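The policy the PR describes, restricting the VR's port 53 to the guest network cidr so that spoofed queries from the public side cannot turn the VR into a reflector, as an added example that is not CloudStack's own code or the code in this PR. It renders the policy as iptables INPUT rules and evaluates constructed sample packets against them, first match wins, the way the kernel would. The guest cidr 10.1.1.0/24, VR guest address 10.1.1.1, public address 203.0.113.10 and interface names eth0/eth2 are assumptions for illustration; where CloudStack's VR scripts place and phrase the equivalent rules may differ.

```python
#!/usr/bin/env python3
"""Added example (not CloudStack code): model "only guest cidr may query VR DNS".

Before the fix any source could reach dnsmasq on the VR's port 53, so a query
with a spoofed source address of a victim yields a (larger) answer sent to the
victim: classic DNS reflection/amplification. After the fix only the guest
network cidr, arriving on the guest interface, may reach port 53; everything
else is dropped.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

DNS_PORT = 53

# Constructed values for illustration; a real VR derives these from its config.
GUEST_CIDR = "10.1.1.0/24"   # guest network cidr
VR_GUEST_IP = "10.1.1.1"     # VR address on the guest network (dnsmasq listens here)
GUEST_IFACE = "eth0"         # hypothetical guest-side interface name
PUBLIC_IFACE = "eth2"        # hypothetical public-side interface name


@dataclass(frozen=True)
class Packet:
    src: str      # source IP (spoofed in a reflection attack)
    dst: str      # destination IP on the VR
    proto: str    # "udp" or "tcp"
    dport: int
    iface: str    # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    action: str                                   # "ACCEPT" or "DROP"
    proto: str
    dport: int
    src: Optional[ipaddress.IPv4Network] = None   # None = any source
    dst: Optional[ipaddress.IPv4Address] = None   # None = any destination
    iface: Optional[str] = None                   # None = any interface

    def matches(self, pkt: Packet) -> bool:
        """True if every criterion the rule specifies matches the packet."""
        if pkt.proto != self.proto or pkt.dport != self.dport:
            return False
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) != self.dst:
            return False
        return True

    def render(self) -> str:
        """Render the rule in iptables-save syntax for the INPUT chain."""
        parts = ["-A INPUT"]
        if self.iface is not None:
            parts.append(f"-i {self.iface}")
        if self.src is not None:
            parts.append(f"-s {self.src}")
        if self.dst is not None:
            parts.append(f"-d {self.dst}")
        parts.append(f"-p {self.proto} -m {self.proto} --dport {self.dport}")
        parts.append(f"-j {self.action}")
        return " ".join(parts)


def dns_rules(guest_cidr: str, vr_guest_ip: str, guest_iface: str) -> list[Rule]:
    """ACCEPT DNS from the guest cidr on the guest interface, DROP all other DNS.

    Binding the ACCEPT to the guest interface and the VR's guest address means a
    packet with a forged guest-range source arriving on the public side still
    falls through to DROP.
    """
    net = ipaddress.ip_network(guest_cidr, strict=False)
    ip = ipaddress.ip_address(vr_guest_ip)
    if ip not in net:
        raise ValueError(f"{vr_guest_ip} is not inside guest cidr {guest_cidr}")
    allow = [Rule("ACCEPT", p, DNS_PORT, src=net, dst=ip, iface=guest_iface)
             for p in ("udp", "tcp")]
    deny = [Rule("DROP", p, DNS_PORT) for p in ("udp", "tcp")]
    return allow + deny


def verdict(pkt: Packet, rules: list[Rule]) -> str:
    """First matching rule decides; NOMATCH means later chain rules apply."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "NOMATCH"


if __name__ == "__main__":
    rules = dns_rules(GUEST_CIDR, VR_GUEST_IP, GUEST_IFACE)
    for r in rules:
        print(r.render())
    samples = {
        "guest VM query": Packet("10.1.1.23", VR_GUEST_IP, "udp", 53, GUEST_IFACE),
        "Internet query to public IP": Packet("198.51.100.7", "203.0.113.10", "udp", 53, PUBLIC_IFACE),
        "spoofed guest source on public iface": Packet("10.1.1.23", VR_GUEST_IP, "udp", 53, PUBLIC_IFACE),
    }
    for name, pkt in samples.items():
        print(f"{name}: {verdict(pkt, rules)}")
```

The spoofed case is the one worth checking when reviewing a fix like this: a rule that only filters on `-s <guest cidr>` without an interface or destination match lets a forged guest-range source in from the public side, so the smoke test described in the PR (resolve from a guest VM, then from a non-guest host) should be run against the VR's public address as well as its guest address.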