cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <>
Subject [jira] [Commented] (CLOUDSTACK-6432) Prevent VR from response to DNS request from outside of network
Date Tue, 30 Aug 2016 17:15:20 GMT


ASF subversion and git services commented on CLOUDSTACK-6432:

Commit 14504dc7e3ef6ba5f63b39ecd7454498263cf66a in cloudstack's branch refs/heads/master from
[;h=14504dc ]

CLOUDSTACK-6432: Prevent DNS reflection attacks

DNS on VR should not be publically accessible as it may be prone to DNS
amplification/reflection attacks. This fixes the issue by only allowing VR
DNS (port 53) to be accessible from guest network cidr, as per the fix in:

- Only allows guest network cidrs to query VR DNS on port 53.
- Includes marvin smoke test that checks the VR DNS accessibility checks from
  guest and non-guest network.
- Fixes Marvin sshClient to avoid using ssh agent when password is provided,
  previous some environments may have seen 'No existing session' exception without
  this fix.
- Adds a new dnspython dependency that is used to perform dns resolutions in the

Signed-off-by: Rohit Yadav <>

> Prevent VR from response to DNS request from outside of network
> ---------------------------------------------------------------
>                 Key: CLOUDSTACK-6432
>                 URL:
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>    Affects Versions: 4.4.0, 4.5.0
>            Reporter: Sheng Yang
>            Assignee: Sheng Yang
>             Fix For: 4.4.0, 4.5.0
> In basic and shared network, VR use private network nic for dhcp/dns services. But if
private network is on the internet as well, it would make VR facing outside network.
> We would restrain the VR DNS service inside CloudStack managed network.

This message was sent by Atlassian JIRA

View raw message