[libvirt] [PATCH] network: don't forward DNS requests from isolated networks

Laine Stump laine at laine.org
Fri Jul 29 21:26:45 UTC 2011


On 07/29/2011 04:43 PM, Eric Blake wrote:
> On 07/29/2011 02:35 PM, Laine Stump wrote:
>> This is in response to:
>>
>>    https://bugzilla.redhat.com/show_bug.cgi?id=723862
>>
>> which points out that a guest on an "isolated" network could
>> potentially exploit the DNS forwarding provided by dnsmasq to create a
>> communication channel to the outside.
>>
>> This patch eliminates that possibility by adding the "--no-resolv"
>> argument to the dnsmasq commandline, which tells dnsmasq to not
>> forward on any requests that it can't resolv itself (by looking at its
>
> s/resolv/resolve/
>
>> own static hosts files and runtime lsit of dhcp clients), but to
>
> s/lsit/list/
>
>> instead return a failure for those requests.
>>
>> This shouldn't cause any undesirable change from current
>> behavior, even in the case where a guest is currently configured with
>> multiple interfaces, one of them being connected to an isolated
>> network, and another to a network that does have connectivity to the
>> outside. If the isolated network's DNS server is queried for a name
>> it doesn't know, it will return "Refused" rather than "Unknown", which
>> indicates to the guest that it should query other servers, so it then
>> queries the connected DNS server, and gets the desired response.
>> ---
>>   src/network/bridge_driver.c                     |   11 ++++++++---
>>   tests/networkxml2argvdata/isolated-network.argv |    3 ++-
>>   2 files changed, 10 insertions(+), 4 deletions(-)
>
> A bug fix rather than a feature, and safe enough for inclusion in 0.9.4.
>
>> -    if (network->def->forwardType == VIR_NETWORK_FORWARD_NONE)
>> -        virCommandAddArg(cmd, "--dhcp-option=3");
>> +    if (network->def->forwardType == VIR_NETWORK_FORWARD_NONE) {
>> +        virCommandAddArgList(cmd, "--dhcp-option=3",
>> +                             "--no-resolv", NULL);
>> +    }
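Review bot: `--no-resolv` only keeps dnsmasq from reading /etc/resolv.conf, so the guard in this hunk closes the forwarding channel only as long as no `--server=` argument is added elsewhere on the same command line for a VIR_NETWORK_FORWARD_NONE network; a short comment above the `virCommandAddArgList` call stating that invariant would protect it from later additions, and the diffstat shows no documentation update describing that an isolated network's nameserver now refuses names it cannot answer itself.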
>
> ACK.
>

Thanks, pushed with the indicated typos fixed.
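Two points from the thread above, as an added Python example that is not code from libvirt or dnsmasq: a check of a dnsmasq command line meant for an isolated network (the hardening the patch adds), and the REFUSED-versus-NXDOMAIN distinction the commit message relies on, carried through a stub-resolver walk over several nameservers the way glibc's res_send behaves. The argv lists, DNS packets and server handlers are all constructed here; they are not libvirt's test data, and no dnsmasq is contacted.

```python
"""Added example, not code from libvirt or dnsmasq.

1. audit_isolated_dnsmasq_args: a dnsmasq argv for a forward='none'
   network must carry --no-resolv and must not name an upstream via
   --server/-S, which --no-resolv does not disable.
2. response_rcode / should_try_next_server / resolve_through: classify a
   DNS reply's RCODE and move to the next nameserver on REFUSED,
   SERVFAIL or NOTIMP, treating NXDOMAIN and NOERROR as final.
All argv lists and packets are constructed for this example.
"""
import struct

# Constructed argv lists, illustrative only (not libvirt's .argv test data).
UNPATCHED_ISOLATED_ARGS = [
    "dnsmasq", "--strict-order", "--bind-interfaces",
    "--listen-address", "192.168.152.1", "--dhcp-option=3",
]
PATCHED_ISOLATED_ARGS = UNPATCHED_ISOLATED_ARGS + ["--no-resolv"]


def audit_isolated_dnsmasq_args(args):
    """Return a list of problems with a dnsmasq argv for an isolated network."""
    problems = []
    if "--no-resolv" not in args and "-R" not in args:
        problems.append("missing --no-resolv: unknown names are forwarded upstream")
    for arg in args:
        # --no-resolv only skips /etc/resolv.conf; an explicit upstream still forwards
        if arg == "-S" or arg.startswith("-S") or arg.startswith("--server"):
            problems.append("explicit upstream server argument: %s" % arg)
    return problems


RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qid=0x1234):
    """Minimal A/IN query for `name` with RD set and a single question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def make_response(query, rcode):
    """Constructed reply: same ID and question, QR/RD/RA set, given RCODE, no answers."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | (rcode & 0xF), 1, 0, 0, 0)
    return header + query[12:]


def response_rcode(packet):
    """Return the RCODE name of a DNS reply; raise if the packet is not a reply."""
    _qid, flags = struct.unpack("!HH", packet[:4])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    code = flags & 0x000F
    return RCODE_NAMES.get(code, "RCODE%d" % code)


def should_try_next_server(rcode_name):
    """glibc's res_send moves to the next nameserver on REFUSED, SERVFAIL or
    NOTIMP; NXDOMAIN and NOERROR end the lookup."""
    return rcode_name in ("REFUSED", "SERVFAIL", "NOTIMP")


def resolve_through(servers, query):
    """Walk (label, handler) pairs like a stub resolver and return the
    (label, rcode_name) of the reply it accepts, or the last one seen."""
    last = None
    for label, handler in servers:
        rcode = response_rcode(handler(query))
        last = (label, rcode)
        if not should_try_next_server(rcode):
            return last
    return last


if __name__ == "__main__":
    q = build_query("example.test")
    # Constructed handlers: the isolated network's dnsmasq refuses with
    # --no-resolv, the connected network's server answers.
    servers = [("isolated", lambda p: make_response(p, 5)),
               ("connected", lambda p: make_response(p, 0))]
    print(resolve_through(servers, q))
    print(audit_isolated_dnsmasq_args(UNPATCHED_ISOLATED_ARGS))
```

If the isolated server answered NXDOMAIN instead of REFUSED, `resolve_through` would stop there and the guest's second interface would never be consulted, which is the property the commit message depends on.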