[CLOUDSTACK-9552] KVM Security Groups do not allow DNS over TCP egress - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 4.8.0, 4.9.0
Fix Version/s: 4.9.2.0
Component/s: KVM
Security Level: Public (Anyone can view this level - this is the default.)
Labels:
Environment:
KVM Basic Networking

Description

When egress filtering is configured all outbound traffic is blocked unless configured otherwise.

With the exception that UDP/53 DNS is allowed implicitly by the Security Groups.

Many DNS responses are larger then 4k, with DNSSEC for example and require TCP to be allowed.

The Security Groups should also allow TCP/53 when egress filtering is configured.

Attachments

Issue Links

links to

GitHub Pull Request #1713

Activity

People

Assignee:: Wido den Hollander

Reporter:: Wido den Hollander

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 20/Oct/16 08:13

Updated:: 09/Feb/17 05:59

Resolved:: 09/Feb/17 05:58