cloudstack-issues mailing list archives

From "Abhinandan Prateek (JIRA)" <>
Subject [jira] [Commented] (CLOUDSTACK-4675) Virtual Router only with DHCP should not have DNS service
Date Mon, 08 Dec 2014 09:44:12 GMT


Abhinandan Prateek commented on CLOUDSTACK-4675:

cloud-early-config is the one configuring the services on the VR; this will override conf changes to dnsmasq.

> Virtual Router only with DHCP should not have DNS service
> ---------------------------------------------------------
>                 Key: CLOUDSTACK-4675
>                 URL:
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Virtual Router
>    Affects Versions: 4.1.1
>            Reporter: France
> When one creates a virtual router using only DHCP as a service, one also gets a DNS service, because the dnsmasq service has DNS enabled in dnsmasq.conf. It can be disabled by setting port=0, but it's not.
> The assumption that there is no open recursive DNS service present can lead a user to expose an open recursive DNS server to untrusted hosts, which then abuse it for DNS amplification.
> Please actually disable the DNS service if it's not selected when creating the network offering.
> As a workaround I've added the commands below to rc.local. Fixing dnsmasq.conf directly gets reverted by some cloud-init scripts.
> iptables -I INPUT -p udp --dport 53 -j DROP
> iptables -I INPUT -p tcp --dport 53 -j DROP
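An added audit helper for the situation described in this issue (example code, not part of CloudStack and not the reporter's workaround): it reads a dnsmasq.conf, decides whether the DNS listener is effectively enabled (dnsmasq serves port 53 unless the last `port=` line says 0), and, when it is, prints the INPUT rules equivalent to the rc.local workaround so they can be diffed against the live firewall. It assumes a single config file; `conf-file`/`conf-dir` includes are not followed.

```shell
#!/bin/sh
# Audit helper for a CloudStack VR (added example, not project code).
# dnsmasq answers DNS on port 53 unless its config sets "port=0"; the issue
# above is that a DHCP-only offering never sets it.
# Assumption: one plain dnsmasq.conf; includes via conf-file/conf-dir are
# not followed, so check those files separately.

# dnsmasq_dns_state FILE -> prints "disabled" when the effective setting is
# port=0, otherwise "enabled" (default is 53; the last port= line wins).
dnsmasq_dns_state() {
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments/whitespace
        /^port[ \t]*=/ {
            n = index($0, "="); port = substr($0, n + 1)
            gsub(/[ \t]/, "", port)                       # "port = 0" -> "0"
        }
        END { if (port == "0") print "disabled"; else print "enabled" }
    ' "$1"
}

# dns_block_rules -> prints the two INPUT rules the reporter added to
# rc.local, in "iptables -S" form, as a dry run to diff against the host.
dns_block_rules() {
    printf '%s\n' '-A INPUT -p udp --dport 53 -j DROP' \
                  '-A INPUT -p tcp --dport 53 -j DROP'
}

# Usage: audit-vr-dns.sh [dnsmasq.conf]   (default: /etc/dnsmasq.conf)
main() {
    conf=${1:-/etc/dnsmasq.conf}
    state=$(dnsmasq_dns_state "$conf") || return 2
    echo "dnsmasq DNS listener per $conf: $state"
    if [ "$state" = enabled ]; then
        echo "port 53 would be served; expected host firewall rules:"
        dns_block_rules
        return 1
    fi
}

# Only run main when invoked as a script, so the functions can be sourced.
case "$0" in *audit-vr-dns.sh) main "$@" ;; esac
```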

This message was sent by Atlassian JIRA