DNS proxy and cascading proxies
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
HIPL | New | Medium | Paul Tötterman |
Bug Description
We discovered a glitch with the current DNS proxy in HIPL that occurs at least in kvm and virtualbox-based virtualized environments. The problem setup requires that both the host (i.e. hypervisor) and the virtual machine are running the HIP DNS proxy.
Let's say that I query the crossroads.
Solution (from Simon Kelley): if the answer to an A record query is a set of addresses, and one of the addresses is on the same subnet as the query originator, then only that address is returned.
In my experience on kvm, the problem requires only the host (hypervisor) to be running the HIP DNS proxy and to have queried the domain name first. The virtual machines' DNS queries are answered with the LSI that the host uses toward that domain.
I have not yet tried this with IPv6 or with HIP Firewall with LSI support activated.
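
The selection rule quoted above from Simon Kelley, written out as an added example (not code from HIPL or from any participant in this report). The function name, the `local_networks` parameter and all addresses are assumptions made for illustration; the addresses are constructed from documentation ranges.

```python
import ipaddress


def select_a_records(originator, local_networks, answers):
    """Apply the same-subnet rule to one A-record answer set.

    originator     -- source address of the DNS query (str)
    local_networks -- subnets the proxy is attached to (list of CIDR str)
    answers        -- addresses in the A-record answer (list of str)

    Returns only the answers on a subnet shared with the originator.
    If no answer is on such a subnet, the full answer set is returned.
    """
    src = ipaddress.ip_address(originator)

    # Subnets the proxy shares with the query originator.
    shared = [net for net in map(ipaddress.ip_network, local_networks)
              if src in net]

    # Answers that fall inside one of those shared subnets.
    same_subnet = [addr for addr in answers
                   if any(ipaddress.ip_address(addr) in net for net in shared)]

    return same_subnet if same_subnet else list(answers)


def demo():
    # Constructed sample: a proxy attached to two subnets.
    nets = ["192.0.2.0/24", "198.51.100.0/24"]
    answers = ["203.0.113.7", "192.0.2.10", "198.51.100.10"]
    return {
        # Originator on 192.0.2.0/24: only the address on that subnet.
        "vm_on_first_net": select_a_records("192.0.2.50", nets, answers),
        # Originator on 198.51.100.0/24: only the address on that subnet.
        "vm_on_second_net": select_a_records("198.51.100.9", nets, answers),
        # Originator on neither subnet: answer set is left untouched.
        "remote_client": select_a_records("203.0.113.99", nets, answers),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```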