[ https://issues.apache.org/jira/browse/CLOUDSTACK-9552?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15647026#comment-15647026 ]
ASF subversion and git services commented on CLOUDSTACK-9552: ------------------------------------------------------------- Commit 8ea75f1a85b53908f97a6397637ecb346b821387 in cloudstack's branch refs/heads/master from [~widodh] [ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=8ea75f1 ] CLOUDSTACK-9552: Allow egress TCP/53 implicitly in Basic Networking Allow DNS queries over TCP when egress filtering is configured. When using DNSSEC more and more queries are done over TCP and this requires 53/TCP to be allowed. Signed-off-by: Wido den Hollander <w...@widodh.nl> > KVM Security Groups do not allow DNS over TCP egress > ---------------------------------------------------- > > Key: CLOUDSTACK-9552 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9552 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Components: KVM > Affects Versions: 4.8.0, 4.9.0 > Environment: KVM Basic Networking > Reporter: Wido den Hollander > Assignee: Wido den Hollander > Labels: dns, dnssec, security-groups > Fix For: Future > > > When egress filtering is configured all outbound traffic is blocked unless > configured otherwise. > With the exception that UDP/53 DNS is allowed implicitly by the Security > Groups. > Many DNS responses are larger then 4k, with DNSSEC for example and require > TCP to be allowed. > The Security Groups should also allow TCP/53 when egress filtering is > configured. -- This message was sent by Atlassian JIRA (v6.3.4#6332)