cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Wido den Hollander (JIRA)" <>
Subject [jira] [Created] (CLOUDSTACK-9552) KVM Security Groups do now allow DNS over TCP egress
Date Thu, 20 Oct 2016 08:13:58 GMT
Wido den Hollander created CLOUDSTACK-9552:

             Summary: KVM Security Groups do now allow DNS over TCP egress
                 Key: CLOUDSTACK-9552
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: KVM
    Affects Versions: 4.9.0, 4.8.0
         Environment: KVM Basic Networking
            Reporter: Wido den Hollander
            Assignee: Wido den Hollander
             Fix For: Future

When egress filtering is configured all outbound traffic is blocked unless configured otherwise.

With the exception that UDP/53 DNS is allowed implicitly by the Security Groups.

Many DNS responses are larger then 4k, with DNSSEC for example and require TCP to be allowed.

The Security Groups should also allow TCP/53 when egress filtering is configured.

This message was sent by Atlassian JIRA

View raw message