Subject: Re: [PATCH v2 2/2] fwd: Broaden what we consider for DNS specific forwarding rules
From: Paul Holzinger
To: David Gibson, Stefano Brivio
Cc: passt-dev@passt.top
Date: Thu, 25 Jul 2024 10:39:38 +0200
References: <20240724075112.1279868-1-david@gibson.dropbear.id.au> <20240724075112.1279868-3-david@gibson.dropbear.id.au> <9c98f64f-9c71-4f98-8d37-8456c85e89f6@redhat.com> <20240724163050.006103bf@elisabeth>
List-Id: Development discussion and patches for passt
On 25/07/2024 06:44, David Gibson wrote:
> On Wed, Jul 24, 2024 at 04:30:50PM +0200, Stefano Brivio wrote:
>> On Wed, 24 Jul 2024 11:41:44 +0200
>> Paul Holzinger wrote:
>>
>>> Hi,
>>>
>>> On 24/07/2024 09:51, David Gibson wrote:
>>>> passt/pasta has options to redirect DNS requests from the guest to a
>>>> different server address on the host side. Currently, however, only UDP
>>>> packets to port 53 are considered "DNS requests". This ignores DNS
>>>> requests over TCP - less common, but certainly possible. It also ignores
>>>> encrypted DNS requests on port 853.
>>>>
>>>> Extend the DNS forwarding logic to handle both of those cases.
>>> The question here is, if it handles DoT, should it handle DoH as well,
>>> i.e. https (443)?
> My first inclination was, no, because for traffic to port 443 we can't
> be confident it's actually DNS. But, then again, maybe going to an
> address marked as a DNS server address is good enough? I'm not sure.
>
>> We don't have a flexible interface, yet, to finely configure outbound
>> traffic redirections, so the user couldn't enable or disable this at
>> will. So I'm wondering if there's any use case that we risk breaking
>> with that.
>>
>> The most confusing case I can think of is a host with a local resolver
>> with a loopback address (for example, the usual 127.0.0.53 from
>> systemd-resolved). Without --no-map-gw (or with Podman's --map-gw), we
>> will, by default, use the address of the default gateway (which maps to
>> the host) as implied --dns-forward option.
>>
>> If we now match on HTTPS as well, HTTPS traffic that's supposed to
>> reach the host (because there's an HTTPS server there) will anyway reach
>> the host, even if we mishandle it as DNS traffic somehow.
>>
>> So I don't actually see an issue with that, but given that users can't
>> disable just HTTPS (this should be easier to implement with the flow
>> table, but it will surely be a while before we get to that), we should
>> think quite hard if there's any possibility of breakage before going
>> ahead with it.
> Yeah, that argument inclines me back towards "no" for DoH, at least
> for the time being.

Ok, I agree.

>
>>>> Link: https://github.com/containers/podman/issues/23239
>>>>
>>>> Signed-off-by: David Gibson
>>> Tested-by: Paul Holzinger
>>>
>>> I tested both DNS over TCP and DNS over TLS with dig.
>> Thanks!
>>

-- 
Paul Holzinger
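As an added illustration (not code from passt or from anyone in this thread), here is a small C model of the forwarding rule as the thread settles it: UDP or TCP to port 53 and port 853 at the configured DNS address is redirected to the host-side resolver, while port 443 is left alone because HTTPS to that address cannot be assumed to be DoH. The `dns_fwd_cfg` structure, the 10.0.2.2 gateway address and the 127.0.0.53 resolver are assumed or constructed values, not passt's own data structures or defaults.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define PROTO_TCP 6	/* IP protocol numbers */
#define PROTO_UDP 17

/* Hypothetical config (not passt's own): the address the guest sends DNS
 * to, and the host-side resolver such traffic is redirected to. */
struct dns_fwd_cfg {
	struct in_addr match;
	struct in_addr forward;
};

/* Match plain DNS on UDP/TCP port 53 and encrypted DNS on port 853 at the
 * DNS address. Port 443 is deliberately not matched: HTTPS to that address
 * cannot be assumed to be DoH, and users cannot opt out of the redirect. */
bool dns_fwd_match(const struct dns_fwd_cfg *cfg, uint8_t proto,
		   struct in_addr dst, uint16_t dport)
{
	if (dst.s_addr != cfg->match.s_addr)
		return false;
	if (proto != PROTO_UDP && proto != PROTO_TCP)
		return false;
	return dport == 53 || dport == 853;
}

/* Stand-alone helper with constructed values: gateway 10.0.2.2 mapped to
 * the host, local resolver 127.0.0.53 (systemd-resolved's address).
 * Applies the rule and returns the destination the flow ends up with,
 * or NULL on unparsable input. */
const char *route_flow(const char *dst_str, uint8_t proto, uint16_t dport)
{
	static char out[INET_ADDRSTRLEN];
	struct dns_fwd_cfg cfg;
	struct in_addr dst;

	if (inet_pton(AF_INET, "10.0.2.2", &cfg.match) != 1 ||
	    inet_pton(AF_INET, "127.0.0.53", &cfg.forward) != 1 ||
	    inet_pton(AF_INET, dst_str, &dst) != 1)
		return NULL;
	if (dns_fwd_match(&cfg, proto, dst, dport))
		dst = cfg.forward;	/* redirect to the host-side resolver */
	return inet_ntop(AF_INET, &dst, out, sizeof(out));
}
```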