CloudStack / CLOUDSTACK-9552

KVM Security Groups do not allow DNS over TCP egress


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.8.0, 4.9.0
    • Fix Version/s: 4.9.2.0
    • Component/s: KVM
    • Security Level: Public (Anyone can view this level - this is the default.)
    • Environment:
      KVM Basic Networking

      Description

      When egress filtering is configured, all outbound traffic is blocked unless configured otherwise.

      The exception is that UDP/53 DNS is allowed implicitly by the Security Groups.

      Many DNS responses are larger than 4k, with DNSSEC for example, and require TCP to be allowed.

      The Security Groups should also allow TCP/53 when egress filtering is configured.
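      One way to audit a host for the gap described above, as an added example that is not part of the original report or of CloudStack's code: it walks an `iptables-save` dump with first-match semantics and reports which DNS transports a new outbound query cannot use. The chain name `vm-eg`, the sample rules and the treatment of `RETURN` as "allowed" are assumptions made for illustration, and only protocol, destination port and state matches are modelled.

```python
import shlex

# Constructed iptables-save excerpt. The chain name "vm-eg" and the use of
# RETURN as the pass target are assumptions, not CloudStack's real layout.
BEFORE = """\
*filter
-A vm-eg -m state --state RELATED,ESTABLISHED -j RETURN
-A vm-eg -p udp -m udp --dport 53 -j RETURN
-A vm-eg -p tcp -m tcp --dport 443 -j RETURN
-A vm-eg -j DROP
COMMIT
"""
# Same chain with the TCP/53 rule the report asks for (constructed).
AFTER = BEFORE.replace(
    "-A vm-eg -p tcp -m tcp --dport 443",
    "-A vm-eg -p tcp -m tcp --dport 53 -j RETURN\n"
    "-A vm-eg -p tcp -m tcp --dport 443",
)
PASS_TARGETS = {"ACCEPT", "RETURN"}

def opt(tok, flag):
    """Value following `flag` in a tokenised rule, or None if absent."""
    return tok[tok.index(flag) + 1] if flag in tok else None

def verdict(save_text, chain, proto, port):
    """First-match target for a NEW outbound flow to proto/port."""
    for line in save_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", chain]:
            continue
        states = opt(tok, "--state")
        if states and "NEW" not in states.split(","):
            continue  # conntrack rule: never matches the first packet
        if opt(tok, "-p") not in (None, proto):
            continue
        dport = opt(tok, "--dport")
        if dport:
            lo, _, hi = dport.partition(":")  # single port or lo:hi range
            if not int(lo) <= port <= int(hi or lo):
                continue
        return opt(tok, "-j")
    return None  # no rule matched; the calling chain decides

def dns_egress_gaps(save_text, chain):
    """DNS transports that new outbound queries from the VM cannot use."""
    return [p for p in ("udp", "tcp")
            if verdict(save_text, chain, p, 53) not in PASS_TARGETS]
```

      On a real host, feed it the output of `iptables-save` and the egress chain of the instance under test instead of the constructed samples.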

              People

              • Assignee:
                widodh Wido den Hollander
                Reporter:
                widodh Wido den Hollander