Re: [PATCH iptables]: xtables: tolerate DNS lookup failures

No, I don't get that behaviour, at least with iptables 1.8.9 to 1.8.11.

I have just checked with "iptables -L".

Allowing or rejecting a given FQDN results in iptables generating as
many allow or reject rules as the number of results returned by the DNS
lookup for that FQDN.

Guido

On Fri, 07/03/2025 at 18.02 +0100, Jan Engelhardt wrote:
> On Friday 2025-03-07 16:46, Guido Trentalancia wrote:
> 
> > I can give you a quick example of a hostname which is allocated
> > dynamically in DNS: www.google.com.
> > 
> > If you perform:
> > 
> >  # nslookup www.google.com
> > 
> > then you will obtain a different IP address (or different multiple
> > IP addresses) each time you run the command.
> > 
> > Given the above, any iptables rule for such kind of host will need
> > to use its FQDN instead of a statically allocated numeric IP address.
> 
> In that case of multiple queries returning multiple results (DNS
> round-robin), using hostnames in firewall rules (with or without
> ignoring lookup errors) is even more wrong than before!
> 
> Because
> 
> 	-s google.com -j ACCEPT/REJECT
> 
> only performs one lookup, it leads to
> 
> * accepting _too few_ hosts, meaning you erroneously reject some
>   google.com connections in subsequent rules,
> * or rejecting *too few* hosts, meaning you erroneously let some
>   connections through in subsequent rules.
> 
> So now we've gone from 100% of the time google.com is not reachable
> to randomly failing half the time attempting to load a search page.
> 
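As an added example (not part of the thread), a Python check for the drift Jan describes: it compares the per-address rules iptables expanded from a hostname at load time against a fresh lookup of that name. The saved ruleset, the hostname and the lookup result below are constructed; on a live system you would feed it `iptables-save` output and the addresses printed by `getent ahostsv4 NAME`.

```python
import ipaddress
import re

# Constructed sample of `iptables-save` output: iptables expanded one rule
# with "-d www.example.invalid" into one rule per address the lookup returned.
SAVED_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -d 192.0.2.11/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -d 192.0.2.12/32 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed result of a later lookup of the same name (as `getent ahostsv4`
# would print it): round-robin rotated two addresses in and one out.
FRESH_LOOKUP = ["192.0.2.11", "192.0.2.12", "192.0.2.40", "192.0.2.41"]

# Address-match options as iptables-save writes them (short and long forms).
ADDR_RE = re.compile(r"(?:^|\s)(-s|-d|--source|--destination)\s+(\S+)")

def rule_addresses(saved: str, chain: str, target: str) -> set:
    """Single-host addresses matched by the `-A <chain> ... -j <target>` rules,
    i.e. the set iptables produced from the hostname at load time."""
    addrs = set()
    for line in saved.splitlines():
        if not line.startswith(f"-A {chain} ") or f" -j {target}" not in line:
            continue
        for _opt, value in ADDR_RE.findall(line):
            net = ipaddress.ip_network(value, strict=False)
            if net.prefixlen == net.max_prefixlen:  # /32 (or /128): one host
                addrs.add(str(net.network_address))
    return addrs

def rule_drift(saved: str, fresh: list, chain: str = "OUTPUT",
               target: str = "ACCEPT") -> dict:
    """Compare the loaded ruleset with what the name resolves to now.
    'uncovered' addresses resolve today but have no rule, so traffic to them
    falls through to later rules; 'stale' rules match addresses the name no
    longer points at."""
    loaded = rule_addresses(saved, chain, target)
    current = set(fresh)
    return {"uncovered": sorted(current - loaded),
            "stale": sorted(loaded - current)}

if __name__ == "__main__":
    print(rule_drift(SAVED_RULES, FRESH_LOOKUP))
```

A non-empty "uncovered" list is exactly the "too few hosts" case from the message above: those connections are judged by whatever rules follow, not by the hostname rule.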