Re: [PATCH iptables]: xtables: tolerate DNS lookup failures

I can give you a quick example of a hostname which is allocated
dynamically in DNS: www.google.com.

If you perform:

  # nslookup www.google.com

then you will obtain a different IP address (or different multiple IP
addresses) each time you run the command.

Given the above, any iptables rule for such a host will need to
use its FQDN instead of a statically allocated numeric IP address.

I hope this clarifies the matter.

Regards,

Guido

On Fri, 07/03/2025 at 16.24 +0100, Guido Trentalancia wrote:
> Of course, if the DNS is not available the "evil hacker" rule is
> skipped when this patch is merged.
> 
> However the drawbacks of not applying this patch are far worse,
> because if the DNS is not available and some rules in the table
> contain domain names, then all rules are skipped and the operation
> is aborted even for numeric IP addresses and resolvable names.
> 
> Finally, consider that nowadays many host names are allocated
> dynamically and therefore for several hosts it is not possible to
> enter their numeric IP address.
> 
> I hope this helps...
> 
> Guido
> 
> On Fri, 07/03/2025 at 15.07 +0100, Jan Engelhardt wrote:
> > On Friday 2025-03-07 14:42, Guido Trentalancia wrote:
> > 
> > > libxtables: tolerate DNS lookup failures
> > > 
> > > Do not abort on DNS lookup failure, just skip the
> > > rule and keep processing the rest of the rules.
> > > 
> > > This is particularly useful, for example, when
> > > iptables-restore is called at system bootup
> > > before the network is up and the DNS can be
> > > reached.
> > 
> > Not a good idea. Given
> > 
> > 	-F INPUT
> > 	-P INPUT ACCEPT
> > 	-A INPUT -s evil.hacker.com -j REJECT
> > 	-A INPUT -j ACCEPT
> > 
> > if you skip the rule, you now have a questionable hole in your
> > security.
> > 
> 
> 
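The trade-off argued over in this thread (skip an unresolvable rule, or refuse to load the table at all), as an added example that is not part of the thread or of the iptables patch: a small Python pre-resolver that rewrites the quoted ruleset to numeric addresses before it reaches iptables-restore and shows what each failure policy produces. The rule strings and the resolver table are constructed; a real version would call socket.getaddrinfo().

```python
import ipaddress
import re

# Constructed ruleset mirroring the one quoted in the thread.
RULES = ["-F INPUT", "-P INPUT ACCEPT",
         "-A INPUT -s evil.hacker.com -j REJECT", "-A INPUT -j ACCEPT"]

# Constructed stand-in for DNS so the example runs offline; a real
# pre-resolver would call socket.getaddrinfo() instead.
FAKE_DNS = {"evil.hacker.com": ["192.0.2.10", "192.0.2.11"]}

def resolve(host):
    if host not in FAKE_DNS:
        raise LookupError(f"cannot resolve {host}")
    return FAKE_DNS[host]

def dns_down(host):
    # Models iptables-restore running at boot before the resolver is reachable.
    raise LookupError(f"resolver unreachable for {host}")

HOST_OPT = re.compile(r"(-s|-d|--source|--destination) (\S+)")

def is_numeric(token):
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False

def expand(rules, resolver, on_failure):
    """Rewrite hostnames in -s/-d options into one rule per address.
    on_failure="skip" drops an unresolvable rule (the behaviour criticised
    in the thread); on_failure="abort" raises so no partial table is loaded."""
    out = []
    for rule in rules:
        m = HOST_OPT.search(rule)
        if not m or is_numeric(m.group(2)):
            out.append(rule)
            continue
        try:
            addrs = resolver(m.group(2))
        except LookupError:
            if on_failure == "skip":
                continue  # the REJECT vanishes; the trailing ACCEPT now matches
            raise
        out.extend(rule.replace(m.group(0), f"{m.group(1)} {a}") for a in addrs)
    return out

def load_fail_closed(rules, resolver):
    """Numeric ruleset ready for iptables-restore, or None: keep the current table."""
    try:
        return expand(rules, resolver, on_failure="abort")
    except LookupError:
        return None
```

With the resolver down, the "skip" policy yields a table whose only INPUT rule is `-j ACCEPT`, which is the hole described above; the fail-closed loader returns None and the previously loaded table stays in force.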