[ https://issues.apache.org/jira/browse/CLOUDSTACK-9552?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15647032#comment-15647032 ]
ASF subversion and git services commented on CLOUDSTACK-9552: ------------------------------------------------------------- Commit 6f609e6946e5099c09f649f26da5ef2a2103d889 in cloudstack's branch refs/heads/4.9 from [~rohit.ya...@shapeblue.com] [ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=6f609e6 ] Merge pull request #1713 from wido/CLOUDSTACK-9552 CLOUDSTACK-9552: Allow egress TCP/53 implicitly in Basic NetworkingAllow DNS queries over TCP when egress filtering is configured. When using DNSSEC more and more queries are done over TCP and this requires 53/TCP to be allowed. Signed-off-by: Wido den Hollander w...@widodh.nl * pr/1713: CLOUDSTACK-9552: Allow egress TCP/53 implicitly in Basic Networking Signed-off-by: Rohit Yadav <rohit.ya...@shapeblue.com> > KVM Security Groups do not allow DNS over TCP egress > ---------------------------------------------------- > > Key: CLOUDSTACK-9552 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9552 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Components: KVM > Affects Versions: 4.8.0, 4.9.0 > Environment: KVM Basic Networking > Reporter: Wido den Hollander > Assignee: Wido den Hollander > Labels: dns, dnssec, security-groups > Fix For: Future > > > When egress filtering is configured all outbound traffic is blocked unless > configured otherwise. > With the exception that UDP/53 DNS is allowed implicitly by the Security > Groups. > Many DNS responses are larger then 4k, with DNSSEC for example and require > TCP to be allowed. > The Security Groups should also allow TCP/53 when egress filtering is > configured. -- This message was sent by Atlassian JIRA (v6.3.4#6332)