From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Wed, 24 Jul 2024 16:30:50 +0200
From: Stefano Brivio
To: Paul Holzinger
Subject: Re: [PATCH v2 2/2] fwd: Broaden what we consider for DNS specific forwarding rules
Message-ID: <20240724163050.006103bf@elisabeth>
In-Reply-To: <9c98f64f-9c71-4f98-8d37-8456c85e89f6@redhat.com>
References: <20240724075112.1279868-1-david@gibson.dropbear.id.au>
 <20240724075112.1279868-3-david@gibson.dropbear.id.au>
 <9c98f64f-9c71-4f98-8d37-8456c85e89f6@redhat.com>
Organization: Red Hat
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.41; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
CC: David Gibson, passt-dev@passt.top
List-Id: Development discussion and patches for passt

On Wed, 24 Jul 2024 11:41:44 +0200
Paul Holzinger wrote:

> Hi,
>
> On 24/07/2024 09:51, David Gibson wrote:
> > passt/pasta has options to redirect DNS requests from the guest to a
> > different server address on the host side. Currently, however, only UDP
> > packets to port 53 are considered "DNS requests". This ignores DNS
> > requests over TCP - less common, but certainly possible. It also ignores
> > encrypted DNS requests on port 853.
> >
> > Extend the DNS forwarding logic to handle both of those cases.
>
> The question here is if it handles DoT should it handle DoH as well,
> i.e. https (443)?

We don't have a flexible interface, yet, to finely configure outbound
traffic redirections, so the user couldn't enable or disable this at
will. So I'm wondering if there's any use case that we risk breaking
with that.

The most confusing case I can think of is a host with a local resolver
with a loopback address (for example, the usual 127.0.0.53 from
systemd-resolved).

Without --no-map-gw (or with Podman's --map-gw), we will, by default,
use the address of the default gateway (which maps to the host) as
implied --dns-forward option.

If we now match on HTTPS as well, HTTPS traffic that's supposed to
reach the host (because there's an HTTPS server there) will anyway
reach the host, even if we mishandle it as DNS traffic somehow.

So I don't actually see an issue with that, but given that users can't
disable just HTTPS (this should be easier to implement with the flow
table, but it will surely be a while before we get to that), we should
think quite hard if there's any possibility of breakage before going
ahead with it.

> > Link: https://github.com/containers/podman/issues/23239
> >
> > Signed-off-by: David Gibson
>
> Tested-by: Paul Holzinger
>
> I tested both dns over tcp and dns over tls with dig.

Thanks!

-- 
Stefano
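The forwarding decision the thread is discussing, as an added illustration that is not passt's own code and not part of the original message: a guest flow is redirected only when its destination is the guest-visible "DNS server" address (the default gateway address when the gateway is mapped to the host, i.e. the implied --dns-forward) and its port is one that the rule treats as DNS. The struct and function names, the gateway address 10.0.2.2, the map_doh knob modelling Paul's TCP/443 question, and the sample flows are all assumptions made for this example; matching port 853 on UDP as well as TCP is also this model's choice, not a claim about the patch.

```c
/* Added illustration, not passt's own code: a minimal model of the DNS
 * forwarding decision discussed in the thread. Names, the 10.0.2.2
 * gateway address, the map_doh knob and the flows are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum proto { PROTO_UDP, PROTO_TCP };

struct dns_fwd {
	const char *match;	/* guest-visible "DNS server" address; with the
				 * gateway mapped to the host this is the gateway
				 * address (the implied --dns-forward) */
	const char *host;	/* where matched traffic really goes, e.g. the
				 * 127.0.0.53 of systemd-resolved */
	bool map_doh;		/* hypothetical knob: also treat TCP/443 as DNS */
};

struct flow {
	enum proto proto;
	const char *daddr;
	uint16_t dport;
};

/* Ports this model treats as DNS: 53 and 853 on both UDP and TCP
 * (matching 853 on UDP is this model's assumption), plus TCP/443 (DoH)
 * only when map_doh is set. */
static bool is_dns_port(const struct dns_fwd *f, enum proto proto, uint16_t port)
{
	if (port == 53 || port == 853)
		return true;
	return f->map_doh && proto == PROTO_TCP && port == 443;
}

/* Decide whether a guest flow is redirected: returns the rewritten
 * destination address, or NULL if the flow is left untouched. */
static const char *dns_forward(const struct dns_fwd *f, const struct flow *fl)
{
	if (!f->match || !f->host || strcmp(fl->daddr, f->match))
		return NULL;
	return is_dns_port(f, fl->proto, fl->dport) ? f->host : NULL;
}

/* Wrapper with the constructed sample configuration (assumed values). */
static const char *demo_forward(bool map_doh, enum proto proto,
				const char *daddr, uint16_t dport)
{
	const struct dns_fwd f = { "10.0.2.2", "127.0.0.53", map_doh };
	const struct flow fl = { proto, daddr, dport };

	return dns_forward(&f, &fl);
}

int main(void)
{
	static const char *const pname[] = { "udp", "tcp" };
	const struct flow flows[] = {	/* constructed sample flows */
		{ PROTO_UDP, "10.0.2.2", 53 },
		{ PROTO_TCP, "10.0.2.2", 53 },
		{ PROTO_TCP, "10.0.2.2", 853 },
		{ PROTO_TCP, "10.0.2.2", 443 },	/* HTTPS to the host itself */
		{ PROTO_TCP, "1.1.1.1", 853 },	/* DoT to a non-matching server */
	};
	size_t i;

	for (i = 0; i < sizeof(flows) / sizeof(flows[0]); i++) {
		const struct flow *fl = &flows[i];
		const char *plain = demo_forward(false, fl->proto, fl->daddr, fl->dport);
		const char *doh = demo_forward(true, fl->proto, fl->daddr, fl->dport);

		printf("%s %s:%u -> %s (with DoH rule: %s)\n", pname[fl->proto],
		       fl->daddr, fl->dport, plain ? plain : "unchanged",
		       doh ? doh : "unchanged");
	}
	return 0;
}
```

The fourth sample flow is the case Stefano raises: with the hypothetical DoH rule enabled, a TLS connection to the gateway address on port 443 is rewritten to the loopback resolver address, which is still the host, but only because the matched address and the forward target happen to be the same machine in this configuration.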