On Wed, Jul 24, 2024 at 04:30:50PM +0200, Stefano Brivio wrote: > On Wed, 24 Jul 2024 11:41:44 +0200 > Paul Holzinger wrote: > > > Hi, > > > > On 24/07/2024 09:51, David Gibson wrote: > > > passt/pasta has options to redirect DNS requests from the guest to a > > > different server address on the host side. Currently, however, only UDP > > > packets to port 53 are considered "DNS requests". This ignores DNS > > > requests over TCP - less common, but certainly possible. It also ignores > > > encrypted DNS requests on port 853. > > > > > > Extend the DNS forwarding logic to handle both of those cases. > > > > The question here is if it handles DoT should it handle DoH as well, > > i.e. https (443)? My first inclination was, no, because for traffic to port 443 we can't be confident it's actually DNS. But, then again, maybe going to an address marked as a DNS server address is good enough? I'm not sure. > We don't have a flexible interface, yet, to finely configure outbound > traffic redirections, so the user couldn't enable or disable this at > will. So I'm wondering if there's any use case that we risk breaking > with that. > > The most confusing case I can think of is a host with a local resolver > with a loopback address (for example, the usual 127.0.0.53 from > systemd-resolved). Without --no-map-gw (or with Podman's --map-gw), we > will, by default, use the address of the default gateway (which maps to > the host) as implied --dns-forward option. > > If we now match on HTTPS as well, HTTPS traffic that's supposed to > reach the host (because there's an HTTPS server there) will anyway reach > the host, even if we mishandle it as DNS traffic somehow. > > So I don't actually see an issue with that, but given that users can't > disable just HTTPS (this should be easier to implement with the flow > table, but it will surely be a while before we get to that), we should > think quite hard if there's any possibility of breakage before going > ahead with it. Yeah, that argument inclines me back towards "no" for DoH, at least for the time being. > > > Link: https://github.com/containers/podman/issues/23239 > > > > > > Signed-off-by: David Gibson > > > > Tested-by: Paul Holzinger > > > > I tested both dns over tcp and dns over tls with dig. > > Thanks! > -- David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson