[jira] [Commented] (CLOUDSTACK-9552) KVM Security Groups do now allow DNS over TCP egress

Thu, 20 Oct 2016 01:22:25 -0700 

    [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9552?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15591180#comment-15591180
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9552:
--------------------------------------------

GitHub user wido opened a pull request:

    https://github.com/apache/cloudstack/pull/1713

    CLOUDSTACK-9552: Allow egress TCP/53 implicitly in Basic Networking

    Allow DNS queries over TCP when egress filtering is configured.
    
    When using DNSSEC more and more queries are done over TCP and this
    requires 53/TCP to be allowed.
    
    Signed-off-by: Wido den Hollander <[email protected]>

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/wido/cloudstack CLOUDSTACK-9552

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1713.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1713
    
----
commit 281cd713fdcbb2c825403e1cf80136841ee3fd8a
Author: Wido den Hollander <[email protected]>
Date:   2016-10-20T08:14:36Z

    CLOUDSTACK-9552: Allow egress TCP/53 implicitly in Basic Networking
    
    Allow DNS queries over TCP when egress filtering is configured.
    
    When using DNSSEC more and more queries are done over TCP and this
    requires 53/TCP to be allowed.
    
    Signed-off-by: Wido den Hollander <[email protected]>

----


> KVM Security Groups do now allow DNS over TCP egress
> ----------------------------------------------------
>
>                 Key: CLOUDSTACK-9552
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9552
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: KVM
>    Affects Versions: 4.8.0, 4.9.0
>         Environment: KVM Basic Networking
>            Reporter: Wido den Hollander
>            Assignee: Wido den Hollander
>              Labels: dns, dnssec, security-groups
>             Fix For: Future
>
>
> When egress filtering is configured all outbound traffic is blocked unless 
> configured otherwise.
> With the exception that UDP/53 DNS is allowed implicitly by the Security 
> Groups.
> Many DNS responses are larger then 4k, with DNSSEC for example and require 
> TCP to be allowed.
> The Security Groups should also allow TCP/53 when egress filtering is 
> configured.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to