Bug 723862
| Summary: | "isolated" network is not actually isolated due to dns-tunneling via dnsmasq | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | nizamov.shawkat | ||||||
| Component: | libvirt | Assignee: | Laine Stump <laine> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | high | ||||||||
| Version: | 6.2 | CC: | dallan, dyuan, mzhan, rwu, veillard, whuang, xhu | ||||||
| Target Milestone: | rc | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | libvirt-0.9.4-1.el6 | Doc Type: | Bug Fix | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2011-12-06 11:17:30 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
|
Description
nizamov.shawkat
2011-07-21 12:14:28 UTC
Rather than disabling dnsmasq, how about just isolating its DNS server? If we run dnsmasq with --no-resolv, it will then satisfy dns requests for names that it knows about (via static host entries in the <dhcp> section, host entries in the <dns> section, and host names learned from clients), but it will not forward any requests for unknown names to any other DNS server - it will just return failures for those requests. This will allow interested parties to setup fully functional isolated environments without needing a separate DNS server. If you are asking my opinion, then, yes - disabling DNS requests forwarding for isolated networks is really a much better and simpler solution. A fix for this problem has been pushed to libvirt's upstream git repository, and will be included in the upcoming release 0.9.4:
commit 513122ae93be9e21fd809a100580ce6fbb4e0ba5
Author: Laine Stump <laine>
Date: Fri Jul 29 15:42:04 2011 -0400
network: don't forward DNS requests from isolated networks
Reproduced this bug with libvirt-0.8.3-8.el6.
# virsh net-dumpxml br1
<network>
<name>br1</name>
<uuid>bd74236a-34ce-aa65-bcad-22d197632f9d</uuid>
<bridge name='br1' stp='on' delay='0' />
<mac address='52:54:00:24:1B:77'/>
<ip address='192.168.144.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.144.2' end='192.168.144.254' />
</dhcp>
</ip>
</network>
# ps aux|grep dnsmasq
nobody 31984 0.0 0.0 12940 596 ? S 02:59 0:00 /usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/br1.pid --conf-file= --except-interface lo --dhcp-option=3 --listen-address 192.168.144.1 --dhcp-range 192.168.144.2,192.168.144.254 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/br1.leases --dhcp-lease-max=253 --dhcp-no-override
ping google.com in guest.
catch the pkgs
# tcpdump -i br1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br1, link-type EN10MB (Ethernet), capture size 65535 bytes
03:09:40.163516 IP 192.168.144.43.36522 > 192.168.144.1.domain: 60838+ A? google.com. (28)
03:09:40.163849 ARP, Request who-has 192.168.144.43 tell 192.168.144.1, length 28
03:09:40.164031 ARP, Reply 192.168.144.43 is-at 52:54:00:81:9c:88 (oui Unknown), length 28
03:09:40.164037 IP 192.168.144.1.domain > 192.168.144.43.36522: 60838 6/0/0 A 74.125.93.105, A 74.125.93.104, A 74.125.93.103, A 74.125.93.99, A 74.125.93.147, A 74.125.93.106 (124)
Verified PASS with libvirt-0.9.4-1.el6, all dns query is refused.
qemu-kvm-0.12.1.2-2.176.el6
kernel-2.6.32-176.el6
# ps aux|grep dnsmasq
nobody 30549 0.0 0.0 12940 568 ? S 02:48 0:00 /usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/br1.pid --conf-file= --except-interface lo --dhcp-option=3 --no-resolv --listen-address 192.168.144.1 --dhcp-range 192.168.144.2,192.168.144.254 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/br1.leases --dhcp-lease-max=253 --dhcp-no-override
ping google.com in guest.
# tcpdump -i br1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br1, link-type EN10MB (Ethernet), capture size 65535 bytes
03:29:13.122275 IP 192.168.144.43.45622 > 192.168.144.1.domain: 34185+ A? google.com. (28)
03:29:13.122368 IP 192.168.144.1.domain > 192.168.144.43.45622: 34185 Refused 0/0/0 (28)
03:29:13.122526 IP 192.168.144.43.42169 > 192.168.144.1.domain: 34185+ A? google.com. (28)
03:29:13.122561 IP 192.168.144.1.domain > 192.168.144.43.42169: 34185 Refused 0/0/0 (28)
03:29:13.122732 IP 192.168.144.43.36311 > 192.168.144.1.domain: 38270+ A? google.com.localdomain. (40)
03:29:13.122757 IP 192.168.144.1.domain > 192.168.144.43.36311: 38270 Refused 0/0/0 (40)
03:29:13.122840 IP 192.168.144.43.49294 > 192.168.144.1.domain: 38270+ A? google.com.localdomain. (40)
03:29:13.122856 IP 192.168.144.1.domain > 192.168.144.43.49294: 38270 Refused 0/0/0 (40)
03:29:18.121576 ARP, Request who-has 192.168.144.43 tell 192.168.144.1, length 28
03:29:18.121708 ARP, Reply 192.168.144.43 is-at 52:54:00:81:9c:88 (oui Unknown), length 28
Created attachment 516835 [details]
tcpdump for libvirt-0.9.3-8.el6
Created attachment 516836 [details]
tcpdump for libvirt-0.9.4-1.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1513.html |