Re: [PATCH iptables]: xtables: tolerate DNS lookup failures

On Friday 2025-03-07 16:46, Guido Trentalancia wrote:

>I can give you quick example of an hostname which is allocated
>dynamically in DNS: www.google.com.
>
>If you perform:
>
>  # nslookup www.google.com
>
>then you will obtain a different IP address (or different multiple IP
>addresses) each time you run the command.
>
>Given the above, any iptables rule for such kind of host will need to
>use its FQDN instead of a statically allocated numeric IP address.

In the case of multiple queries returning multiple results (DNS
round-robin), using hostnames in firewall rules (with or without
ignoring lookup errors) is even more wrong than before!

Because

	-s google.com -j ACCEPT/REJECT

only performs one lookup, it leads to

* accepting _too few_ hosts, meaning you erroneously reject some
  google.com connections in subsequent rules,
* or rejecting *too few* hosts, meaning you erroneously let some
  connections through in subsequent rules.

So now we've gone from 100% of the time google.com is not reachable
to randomly failing half the time attempting to load a search page.
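The failure mode described in this reply, as an added example that is not part of the original thread: a toy round-robin resolver returns a rotating subset of a name's addresses on each lookup, and a rule such as `-s <name> -j ACCEPT` is expanded once, at load time, into one `-s <addr>/32` rule per address that single lookup returned. Connections from the name's other addresses fall through to whatever rules follow. The hostname `rr.example.net` and the `203.0.113.0/24` addresses are constructed, and the resolver and rule expansion are simplified models of the one-time lookup the message talks about, not iptables code.

```python
"""Model of why a hostname in an iptables rule is unreliable under round-robin DNS.

iptables resolves a hostname once, when the rule is loaded, and installs one
rule per address returned by that single lookup.  If the name's answers rotate,
the installed rules cover only a fraction of the hosts the name really maps to.
"""
import ipaddress

# Constructed address pool for a hypothetical round-robin name (not real data).
POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]


class RoundRobinResolver:
    """Toy resolver: each lookup returns a rotating window of `per_answer`
    addresses from the pool, the way a round-robin authoritative server
    returns a different ordering/subset on successive queries."""

    def __init__(self, pool, per_answer=2):
        self.pool = list(pool)
        self.per_answer = per_answer
        self.offset = 0

    def lookup(self, name):
        n = len(self.pool)
        answer = [self.pool[(self.offset + i) % n] for i in range(self.per_answer)]
        self.offset = (self.offset + self.per_answer) % n  # rotate for next query
        return answer


def rules_from_one_lookup(resolver, name, target="ACCEPT"):
    """What `-s <name> -j <target>` expands to at load time: exactly one lookup,
    one `-s <addr>/32` rule per address in that single answer."""
    return [f"-s {addr}/32 -j {target}" for addr in resolver.lookup(name)]


def matches(rules, src):
    """True if any loaded rule's -s prefix matches the connection source."""
    for rule in rules:
        prefix = rule.split()[1]
        if ipaddress.ip_address(src) in ipaddress.ip_network(prefix):
            return True
    return False  # falls through to subsequent rules


def coverage(rules, pool):
    """Fraction of the name's real addresses that the loaded ruleset matches."""
    hit = sum(matches(rules, addr) for addr in pool)
    return hit / len(pool)


if __name__ == "__main__":
    resolver = RoundRobinResolver(POOL, per_answer=2)
    rules = rules_from_one_lookup(resolver, "rr.example.net")
    print("rules installed at load time:")
    for rule in rules:
        print("   ", rule)
    print(f"coverage of the name's addresses: {coverage(rules, POOL):.0%}")
    for addr in POOL:
        verdict = "matched" if matches(rules, addr) else "falls through"
        print(f"   connection from {addr}: {verdict}")
    # A reload a moment later gets a different answer, hence different rules.
    print("rules after reloading the same rule later:")
    for rule in rules_from_one_lookup(resolver, "rr.example.net"):
        print("   ", rule)
```

With a four-address pool and two addresses per answer, the installed rules cover half the name's hosts, which is the "randomly failing half the time" the reply describes; whether the half that is missed gets accepted or rejected depends only on what the subsequent rules say.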



