ip6tables breaks dnssec?

Hi,

When doing recursive DNS queries to DNSSEC-enabled servers it looks like
ip6tables does not reassemble UDP packets before filtering takes place.
This results in fragments being dropped.

Here's how to reproduce using bind-9.7.x or bind-9.8.x with Fedora 14,
kernel 2.6.35.12-88:

1. make /tmp/named.conf
        options {
                directory               "/tmp";
                recursion yes;
                listen-on-v6 { ::1; };
        };

2. start named

        named -6 -c /tmp/named.conf

3. my ip6tables filter

        # cleanup
        ip6tables -P INPUT ACCEPT;
        ip6tables -P OUTPUT ACCEPT;
        for table in $(cat /proc/net/ip6_tables_names); do
                ip6tables -t $table -F; 
                ip6tables -t $table -X;
                ip6tables -t $table -Z;
        done
        
        #accept icmp6
        ip6tables -A INPUT -j ACCEPT -p icmpv6
        ip6tables -A OUTPUT -j ACCEPT -p icmpv6
        
        # accept incoming dns
        ip6tables -A INPUT -j ACCEPT -p udp --dport 53
        ip6tables -A OUTPUT -j ACCEPT -p udp --sport 53
        
        # accept outgoing dns
        ip6tables -A INPUT -j ACCEPT -p udp --sport 53
        ip6tables -A OUTPUT -j ACCEPT -p udp --dport 53
        
        # drop policy
        ip6tables -A INPUT  -j LOG --log-level 6 --log-prefix 'drop in: '
        ip6tables -A OUTPUT -j LOG --log-level 6 --log-prefix 'drop out: '
        ip6tables -P INPUT DROP;
        ip6tables -P OUTPUT DROP;

4. Do a query to a DNSSEC server; I use this test setup:
 https://www.dns-oarc.net/oarc/services/replysizetest

        dig @::1  +short  rs.dns-oarc.net txt

5. The result should be
        'DNS reply size limit is at least 4091', or roundabout 4000

However, we see fragments being dropped in the logs and a reply size
just under the MTU, so I assume no fragments get reassembled:

Apr 27 10:43:38 leo kernel: [81648.003267] drop in: IN=eth0 OUT= MAC=00:--:--:--:--:--:--:--:--:--:--:--:--:-- SRC=2001:04f8:0003:02bc:0002:0000:0000:0135 DST=2a02:0458:0101:----:----:----:----:---- LEN=1496 TC=0 HOPLIMIT=56 FLOWLBL=0 FRAG:1448 INCOMPLETE ID:88b59425 PROTO=UDP 
Apr 27 10:43:38 leo kernel: [81648.003289] drop in: IN=eth0 OUT= MAC=00:--:--:--:--:--:--:--:--:--:--:--:--:-- SRC=2001:04f8:0003:02bc:0002:0000:0000:0135 DST=2a02:0458:0101:----:----:----:----:---- LEN=1243 TC=0 HOPLIMIT=56 FLOWLBL=0 FRAG:2896 ID:88b59425 PROTO=UDP 
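The two log lines above can be checked mechanically. What follows is an added example, not part of the original report: it parses ip6tables LOG output, groups dropped fragments by their IPv6 fragment ID, and adds the offsets back up to recover the size of the datagram the stateless port rules could not see. It assumes LEN is the payload length plus the 40-byte base header (as ip6tables LOG prints it) and that the fragment header is the only extension header; the sample lines are the ones from the report, embedded as constructed input.

```python
import re

# Sample input constructed from the two "drop in:" lines of the report above.
LOG_LINES = [
    "Apr 27 10:43:38 leo kernel: [81648.003267] drop in: IN=eth0 OUT= MAC=00:--:--:--:--:--:--:--:--:--:--:--:--:-- SRC=2001:04f8:0003:02bc:0002:0000:0000:0135 DST=2a02:0458:0101:----:----:----:----:---- LEN=1496 TC=0 HOPLIMIT=56 FLOWLBL=0 FRAG:1448 INCOMPLETE ID:88b59425 PROTO=UDP",
    "Apr 27 10:43:38 leo kernel: [81648.003289] drop in: IN=eth0 OUT= MAC=00:--:--:--:--:--:--:--:--:--:--:--:--:-- SRC=2001:04f8:0003:02bc:0002:0000:0000:0135 DST=2a02:0458:0101:----:----:----:----:---- LEN=1243 TC=0 HOPLIMIT=56 FLOWLBL=0 FRAG:2896 ID:88b59425 PROTO=UDP",
]

IPV6_HDR = 40  # ip6tables LOG prints LEN = payload length + base header (assumption stated above)
FRAG_HDR = 8   # IPv6 fragment extension header

# FRAG:<byte offset> [INCOMPLETE ]ID:<fragment id>; INCOMPLETE marks the more-fragments flag
FRAG_RE = re.compile(r"LEN=(?P<len>\d+) .*?FRAG:(?P<off>\d+) (?P<mf>INCOMPLETE )?ID:(?P<id>[0-9a-f]+)")

def parse_fragment_drops(lines):
    """Return {frag_id: [(offset, data_len, more_fragments), ...]} for dropped fragments,
    sorted by offset so out-of-order log lines are handled."""
    groups = {}
    for line in lines:
        if "drop " not in line:          # only the LOG prefixes used by the ruleset
            continue
        m = FRAG_RE.search(line)
        if not m:                        # unfragmented drops are not our concern here
            continue
        data_len = int(m["len"]) - IPV6_HDR - FRAG_HDR
        groups.setdefault(m["id"], []).append((int(m["off"]), data_len, m["mf"] is not None))
    for frags in groups.values():
        frags.sort()
    return groups

def reassembled_size(frags):
    """Size of the fragmentable part (UDP header + DNS message), or None if the
    last fragment (no more-fragments flag) never showed up in the log."""
    off, data_len, mf = frags[-1]
    return None if mf else off + data_len

def report(lines):
    """Per fragment ID: which offsets were dropped, whether the offset-0 fragment
    (the only one carrying the UDP ports a stateless rule can match) was among
    them, and the size of the original datagram when it can be recovered."""
    out = {}
    for frag_id, frags in parse_fragment_drops(lines).items():
        out[frag_id] = {
            "dropped_offsets": [f[0] for f in frags],
            "offset_zero_dropped": frags[0][0] == 0,
            "datagram_size": reassembled_size(frags),
        }
    return out
```

For the report's lines this yields 2896 + 1195 = 4091 bytes with the offset-0 fragment absent from the drops, i.e. the first fragment (which carries the UDP header) passed the --sport 53 rule and only the tail was discarded. Rules that match connection state (-m conntrack) load IPv6 conntrack, which reassembles fragments before the filter table sees them; this script only diagnoses the drops and does not change the ruleset.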


-- 
Leo Baltus, internetbeheerder                         /\
NPO ICT Internet Services                            /NPO/\
Sumatralaan 45, 1217 GP Hilversum, Filmcentrum, west \  /\/
beheer@xxxxxxxxx, 035-6773555                         \/