Date: Thu, 25 Jul 2024 14:44:45 +1000
From: David Gibson
To: Stefano Brivio
Cc: Paul Holzinger, passt-dev@passt.top
Subject: Re: [PATCH v2 2/2] fwd: Broaden what we consider for DNS specific forwarding rules
In-Reply-To: <20240724163050.006103bf@elisabeth>

On Wed, Jul 24, 2024 at 04:30:50PM +0200, Stefano Brivio wrote:
> On Wed, 24 Jul 2024 11:41:44 +0200
> Paul Holzinger wrote:
>
> > Hi,
> >
> > On 24/07/2024 09:51, David Gibson wrote:
> > > passt/pasta has options to redirect DNS requests from the guest to a
> > > different server address on the host side. Currently, however, only UDP
> > > packets to port 53 are considered "DNS requests". This ignores DNS
> > > requests over TCP - less common, but certainly possible. It also ignores
> > > encrypted DNS requests on port 853.
> > >
> > > Extend the DNS forwarding logic to handle both of those cases.
> >
> > The question here is if it handles DoT should it handle DoH as well,
> > i.e. https (443)?

My first inclination was, no, because for traffic to port 443 we can't
be confident it's actually DNS. But, then again, maybe going to an
address marked as a DNS server address is good enough? I'm not sure.

> We don't have a flexible interface, yet, to finely configure outbound
> traffic redirections, so the user couldn't enable or disable this at
> will. So I'm wondering if there's any use case that we risk breaking
> with that.
>
> The most confusing case I can think of is a host with a local resolver
> with a loopback address (for example, the usual 127.0.0.53 from
> systemd-resolved). Without --no-map-gw (or with Podman's --map-gw), we
> will, by default, use the address of the default gateway (which maps to
> the host) as implied --dns-forward option.
>
> If we now match on HTTPS as well, HTTPS traffic that's supposed to
> reach the host (because there's an HTTPS server there) will anyway reach
> the host, even if we mishandle it as DNS traffic somehow.
>
> So I don't actually see an issue with that, but given that users can't
> disable just HTTPS (this should be easier to implement with the flow
> table, but it will surely be a while before we get to that), we should
> think quite hard if there's any possibility of breakage before going
> ahead with it.

Yeah, that argument inclines me back towards "no" for DoH, at least for
the time being.

> > > Link: https://github.com/containers/podman/issues/23239
> > >
> > > Signed-off-by: David Gibson
> >
> > Tested-by: Paul Holzinger
> >
> > I tested both dns over tcp and dns over tls with dig.
>
> Thanks!
>

--
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson
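The decision the thread is discussing (which guest flows count as "DNS requests" for --dns-forward purposes) is easy to state as a small classifier. The following C program is an added illustration and is not passt's own code: the `dns_fwd_table` structure, the `fwd_is_dns_old`/`fwd_is_dns` functions and the IPv4-only table are assumptions made here for the example. It keeps the old rule (UDP to port 53 only) next to the broadened rule (UDP or TCP to port 53, plus TCP to port 853 for DoT) so the gap the patch closes is visible, and it deliberately does not match port 443, following the thread's current inclination that generic HTTPS traffic cannot be confidently identified as DNS. Matching 853 on TCP only is likewise this example's assumption.

```c
/* Added illustration (not passt's code): classify a guest-originated flow
 * as a DNS request that should be redirected per --dns-forward. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define DNS_PORT 53   /* plain DNS, UDP or TCP */
#define DOT_PORT 853  /* DNS over TLS, TCP */

enum l4proto { L4_UDP, L4_TCP };

/* Hypothetical set of addresses that --dns-forward (explicit or implied
 * via the default-gateway mapping) applies to. IPv4 only, for brevity. */
struct dns_fwd_table {
	struct in_addr addr[4];
	size_t n;
};

static bool addr_is_dns_fwd(const struct dns_fwd_table *t, struct in_addr dst)
{
	for (size_t i = 0; i < t->n; i++)
		if (t->addr[i].s_addr == dst.s_addr)
			return true;
	return false;
}

/* Old behaviour described in the patch: only UDP datagrams to port 53. */
bool fwd_is_dns_old(const struct dns_fwd_table *t, enum l4proto proto,
		    struct in_addr dst, uint16_t port)
{
	return addr_is_dns_fwd(t, dst) && proto == L4_UDP && port == DNS_PORT;
}

/* Broadened behaviour: UDP/TCP to 53, TCP to 853. Port 443 (DoH) is
 * intentionally not matched: HTTPS to the host can't be told from DNS. */
bool fwd_is_dns(const struct dns_fwd_table *t, enum l4proto proto,
		struct in_addr dst, uint16_t port)
{
	if (!addr_is_dns_fwd(t, dst))
		return false;
	if (port == DNS_PORT)
		return true;
	if (port == DOT_PORT && proto == L4_TCP)
		return true;
	return false;
}

/* Dotted-quad convenience wrapper: 1 = redirect, 0 = don't, -1 = bad input.
 * old_rule selects the pre-patch classifier for comparison. */
int fwd_is_dns_str(const char *fwd_addr, enum l4proto proto, const char *dst,
		   uint16_t port, bool old_rule)
{
	struct dns_fwd_table t = { .n = 1 };
	struct in_addr d;

	if (inet_pton(AF_INET, fwd_addr, &t.addr[0]) != 1 ||
	    inet_pton(AF_INET, dst, &d) != 1)
		return -1;
	return old_rule ? fwd_is_dns_old(&t, proto, d, port)
			: fwd_is_dns(&t, proto, d, port);
}

int main(void)
{
	/* Constructed values: the default gateway address stands in for the
	 * host, as with the implied --dns-forward without --no-map-gw. */
	const char *gw = "192.0.2.1";
	struct { const char *name; enum l4proto p; const char *dst; uint16_t port; } cases[] = {
		{ "udp/53",          L4_UDP, gw, 53 },
		{ "tcp/53",          L4_TCP, gw, 53 },
		{ "tcp/853 (DoT)",   L4_TCP, gw, 853 },
		{ "tcp/443 (DoH)",   L4_TCP, gw, 443 },
		{ "tcp/53 to other", L4_TCP, "198.51.100.7", 53 },
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-16s old=%d new=%d\n", cases[i].name,
		       fwd_is_dns_str(gw, cases[i].p, cases[i].dst, cases[i].port, true),
		       fwd_is_dns_str(gw, cases[i].p, cases[i].dst, cases[i].port, false));
	return 0;
}
```

Under the old rule, the tcp/53 and tcp/853 rows report 0, which is the behaviour the issue describes: those queries are not redirected to the host-side resolver. Under the broadened rule they report 1, while tcp/443 and traffic to a non-forward address stay at 0.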