I can give you a quick example of a hostname which is allocated
dynamically in DNS: www.google.com. If you perform:

# nslookup www.google.com

then you will obtain a different IP address (or different multiple IP
addresses) each time you run the command.

Given the above, any iptables rule for such a host will need to use its
FQDN instead of a statically allocated numeric IP address.

I hope this clarifies the matter.

Regards,

Guido

On Fri, 07/03/2025 at 16.24 +0100, Guido Trentalancia wrote:
> Of course, if the DNS is not available the "evil hacker" rule is
> skipped when this patch is merged.
>
> However the drawbacks of not applying this patch are far worse,
> because if the DNS is not available and some rules in the table
> contain domain names, then all rules are skipped and the operation
> is aborted even for numeric IP addresses and resolvable names.
>
> Finally, consider that nowadays many host names are allocated
> dynamically and therefore for several hosts it is not possible to
> enter their numeric IP address.
>
> I hope this helps...
>
> Guido
>
> On Fri, 07/03/2025 at 15.07 +0100, Jan Engelhardt wrote:
> > On Friday 2025-03-07 14:42, Guido Trentalancia wrote:
> >
> > > libxtables: tolerate DNS lookup failures
> > >
> > > Do not abort on DNS lookup failure, just skip the
> > > rule and keep processing the rest of the rules.
> > >
> > > This is particularly useful, for example, when
> > > iptables-restore is called at system bootup
> > > before the network is up and the DNS can be
> > > reached.
> >
> > Not a good idea. Given
> >
> > -F INPUT
> > -P INPUT ACCEPT
> > -A INPUT -s evil.hacker.com -j REJECT
> > -A INPUT -j ACCEPT
> >
> > if you skip the rule, you now have a questionable hole in your
> > security.
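A pre-flight check for the failure mode Jan describes, as an added example that is not part of the thread or of the libxtables patch: it scans a ruleset in iptables-save format and reports every DROP/REJECT rule whose -s/-d is a hostname rather than a numeric address, i.e. the rules that would silently disappear if iptables-restore skipped unresolvable names. The ruleset is constructed here for illustration and extends Jan's four-line example.

```shell
#!/bin/sh
# Constructed ruleset (not from the thread), modelled on Jan's example.
RULESET='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s evil.hacker.com -j REJECT
-A INPUT ! -d 192.0.2.1 -j DROP
-A INPUT -d updates.example.org -j ACCEPT
-A INPUT -j ACCEPT
COMMIT'

# Succeed (0) when the argument is a numeric IPv4/IPv6 address or CIDR
# prefix, fail (1) when it is a name that would need a DNS lookup.
is_numeric_addr() {
    case "$1" in
        *[!0-9./]*)
            # Not plain IPv4; accept only IPv6 literals (hex digits, colons).
            case "$1" in
                *:*) case "$1" in *[!0-9a-fA-F:./]*) return 1 ;; *) return 0 ;; esac ;;
                *) return 1 ;;
            esac ;;
        *) return 0 ;;
    esac
}

# Print each -A rule whose source/destination is a hostname and whose
# target is DROP or REJECT. These are the deny rules that depend on DNS
# being reachable at restore time; with the skip-on-failure behaviour the
# thread discusses, a missing one turns a deny into the chain's ACCEPT.
dns_dependent_deny_rules() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in -A*) ;; *) continue ;; esac
        set -- $line
        host=''; target=''
        while [ $# -gt 0 ]; do
            case "$1" in
                -s|--source|-d|--destination)
                    shift; is_numeric_addr "$1" || host="$1" ;;
                -j|--jump) shift; target="$1" ;;
            esac
            shift
        done
        [ -n "$host" ] || continue
        case "$target" in DROP|REJECT) printf '%s\n' "$line" ;; esac
    done
}

# Run the check over the constructed ruleset; on a real system feed it
# the output of iptables-save before rebooting.
dns_dependent_deny_rules "$RULESET"
```

Only the evil.hacker.com REJECT rule is reported: the hostname-based ACCEPT rule is harmless if skipped, and the numeric rules do not depend on DNS at all.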