On Wed, Jul 24, 2024 at 04:30:50PM +0200, Stefano Brivio wrote:
On Wed, 24 Jul 2024 11:41:44 +0200
Paul Holzinger <pholzing(a)redhat.com> wrote:
> Hi,
>
> On 24/07/2024 09:51, David Gibson wrote:
>> passt/pasta has options to redirect DNS requests from the guest to a
>> different server address on the host side. Currently, however, only UDP
>> packets to port 53 are considered "DNS requests". This ignores DNS
>> requests over TCP - less common, but certainly possible. It also ignores
>> encrypted DNS requests on port 853.
>>
>> Extend the DNS forwarding logic to handle both of those cases.
> The question here is, if it handles DoT, should it handle DoH as well,
> i.e. HTTPS (443)?
My first inclination was, no, because for traffic to port 443 we can't
be confident it's actually DNS. But, then again, maybe going to an
address marked as a DNS server address is good enough? I'm not sure.
We don't have a flexible interface, yet, to finely configure outbound
traffic redirections, so the user couldn't enable or disable this at
will. So I'm wondering if there's any use case that we risk breaking
with that.
The most confusing case I can think of is a host with a local resolver
with a loopback address (for example, the usual 127.0.0.53 from
systemd-resolved). Without --no-map-gw (or with Podman's --map-gw), we
will, by default, use the address of the default gateway (which maps to
the host) as implied --dns-forward option.
If we now match on HTTPS as well, HTTPS traffic that's supposed to
reach the host (because there's an HTTPS server there) will anyway reach
the host, even if we mishandle it as DNS traffic somehow.
So I don't actually see an issue with that, but given that users can't
disable just HTTPS (this should be easier to implement with the flow
table, but it will surely be a while before we get to that), we should
think quite hard if there's any possibility of breakage before going
ahead with it.
Yeah, that argument inclines me back towards "no" for DoH, at least
for the time being.
Ok, I agree.
>>> Link: https://github.com/containers/podman/issues/23239
>>>
>>> Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au>
>> Tested-by: Paul Holzinger <pholzing(a)redhat.com>
>>
>> I tested both DNS over TCP and DNS over TLS with dig.
> Thanks!
>
--
Paul Holzinger