cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-6432) Prevent VR from response to DNS request from outside of network
Date Fri, 26 Aug 2016 18:11:21 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-6432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15439487#comment-15439487
] 

ASF GitHub Bot commented on CLOUDSTACK-6432:
--------------------------------------------

GitHub user rhtyd reopened a pull request:

    https://github.com/apache/cloudstack/pull/1663

    CLOUDSTACK-6432: Prevent DNS reflection attacks

    CLOUDSTACK-6432: Prevent DNS reflection attacks
        
        DNS on VR should not be publically accessible as it may be prone to DNS
        amplification/reflection attacks. This fixes the issue by only allowing VR
        DNS (port 53) to be accessible from guest network cidr, as per the fix in:
        https://issues.apache.org/jira/browse/CLOUDSTACK-6432
        
        - Only allows guest network cidrs to query VR DNS on port 53.
        - Includes marvin smoke test that checks the VR DNS accessibility checks from
          guest and non-guest network.
        - Fixes Marvin sshClient to avoid using ssh agent when password is provided,
          previous some environments may have seen 'No existing session' exception without
          this fix.
        - Adds a new dnspython dependency that is used to perform dns resolutions in the
          tests.
    
    Due to repository commit issues I've created this PR, based on #1653 .
    
    /cc @jburwell @karuturi @NuxRo @ustcweizhou @wido  and others

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/shapeblue/cloudstack 4.9-dnsreflection-attack

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1663.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1663
    
----
commit 3f588c3f85c64d89cd3e071854655ae475826ad5
Author: Rohit Yadav <rohit.yadav@shapeblue.com>
Date:   2016-08-22T09:31:41Z

    CLOUDSTACK-6432: Prevent DNS reflection attacks
    
    DNS on VR should not be publically accessible as it may be prone to DNS
    amplification/reflection attacks. This fixes the issue by only allowing VR
    DNS (port 53) to be accessible from guest network cidr, as per the fix in:
    https://issues.apache.org/jira/browse/CLOUDSTACK-6432
    
    - Only allows guest network cidrs to query VR DNS on port 53.
    - Includes marvin smoke test that checks the VR DNS accessibility checks from
      guest and non-guest network.
    - Fixes Marvin sshClient to avoid using ssh agent when password is provided,
      previous some environments may have seen 'No existing session' exception without
      this fix.
    - Adds a new dnspython dependency that is used to perform dns resolutions in the
      tests.
    
    Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>

----


> Prevent VR from response to DNS request from outside of network
> ---------------------------------------------------------------
>
>                 Key: CLOUDSTACK-6432
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6432
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>    Affects Versions: 4.4.0, 4.5.0
>            Reporter: Sheng Yang
>            Assignee: Sheng Yang
>             Fix For: 4.4.0, 4.5.0
>
>
> In basic and shared network, VR use private network nic for dhcp/dns services. But if
private network is on the internet as well, it would make VR facing outside network.
> We would restrain the VR DNS service inside CloudStack managed network.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message