Wido den Hollander created CLOUDSTACK-9552:
----------------------------------------------
Summary: KVM Security Groups do now allow DNS over TCP egress
Key: CLOUDSTACK-9552
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9552
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: KVM
Affects Versions: 4.9.0, 4.8.0
Environment: KVM Basic Networking
Reporter: Wido den Hollander
Assignee: Wido den Hollander
Fix For: Future

When egress filtering is configured, all outbound traffic is blocked unless
configured otherwise, with the exception that UDP/53 DNS is allowed implicitly
by the Security Groups.
Many DNS responses are larger than 4k, with DNSSEC for example, and require TCP
to be allowed.
The Security Groups should also allow TCP/53 when egress filtering is
configured.
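
An added example, not part of the original issue or CloudStack's own code: a small audit that reads `iptables-save` style rules and reports per-VM egress chains that permit DNS on one transport but not the other, which is the gap described above. The chain names, the `-eg` suffix, the sample rules and the treatment of `RETURN`/`ACCEPT` as "allow" are assumptions made for this sketch.

```python
import shlex

# Constructed iptables-save excerpt; chain names are hypothetical.
SAMPLE_RULES = """\
-A i-2-10-VM-eg -m state --state RELATED,ESTABLISHED -j RETURN
-A i-2-10-VM-eg -p udp -m udp --dport 53 -j RETURN
-A i-2-10-VM-eg -p tcp -m tcp --dport 443 -j RETURN
-A i-2-10-VM-eg -j DROP
-A i-2-11-VM-eg -p udp -m udp --dport 53 -j RETURN
-A i-2-11-VM-eg -p tcp -m tcp --dport 53 -j RETURN
-A i-2-11-VM-eg -j DROP
"""

DNS_PORT = 53
TRANSPORTS = {"tcp", "udp"}


def opt(tokens, flag):
    """Return the argument that follows flag, or None if flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens[:-1] else None


def port_matches(spec, port):
    """True if an iptables --dport spec ("53", "1:1024", "1024:") covers port."""
    lo, sep, hi = spec.partition(":")
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if sep else low)
    return low <= port <= high


def dns_egress_gaps(rules_text, suffix="-eg"):
    """Map each egress chain to the transports on which port 53 is not allowed.

    Only explicit "-p tcp/udp" allow rules are considered; negated matches,
    destination filters and rule ordering are not evaluated.
    """
    allowed = {}
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A" or not tok[1].endswith(suffix):
            continue
        seen = allowed.setdefault(tok[1], set())
        proto, dport, target = opt(tok, "-p"), opt(tok, "--dport"), opt(tok, "-j")
        if target in ("RETURN", "ACCEPT") and proto in TRANSPORTS and "!" not in tok:
            if dport is None or port_matches(dport, DNS_PORT):
                seen.add(proto)
    return {c: sorted(TRANSPORTS - s) for c, s in allowed.items() if TRANSPORTS - s}


if __name__ == "__main__":
    for chain, missing in dns_egress_gaps(SAMPLE_RULES).items():
        print(f"{chain}: port 53 egress not allowed over {', '.join(missing)}")
```
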