Default-dns method using host resolv.conf can leak internal names to VM

Bug #1738753 reported by Sergey Matov
This bug affects 2 people
Affects: Juniper Openstack
Status: In Progress (status tracked in Trunk)
Assigned to: Sergey Matov

Bug Description
Bug Description

If default-dns is used as the network DNS method, we use the /etc/resolv.conf file of the corresponding host to fetch the nameserver list as forwarders for requests. In several cases this might be a security issue if the internal DNS of the compute node is configured to serve internal name resolution.

Steps to reproduce:
0. If there is any internal DNS running inside the management network of the cluster/cloud, find a domain name that is visible only via this network OR is visible via the external world but "nslookup <name>" and "nslookup <name>" show different IPs in response
1. Setup default-dns method for network
2. Boot VM
3. Run nslookup to server defined in step 0
4. Response will show internal address.

For public cloud providers it might not be good to let users have this kind of information.
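An added audit check, not part of the bug report or of the Contrail code: assuming the forwarder list is taken verbatim from the compute node's /etc/resolv.conf as the report describes, it parses such a file, flags loopback and private-range resolvers that would expose internal names to tenant VMs, and returns only the globally routable resolvers as a safe forwarder list. The resolv.conf contents below are constructed sample data.

```python
import ipaddress

# Constructed sample: a compute node whose resolver points at a
# management-network DNS server, a local stub resolver, and a public resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search mgmt.cloud.example.internal example.com
nameserver 10.20.0.2
nameserver 127.0.0.53
nameserver 8.8.8.8
"""


def parse_resolv_conf(text):
    """Return (nameservers, search_domains) from resolv.conf contents."""
    nameservers, search = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, *values = line.split()
        if key == "nameserver" and values:
            nameservers.append(values[0])
        elif key in ("search", "domain"):
            search.extend(values)
    return nameservers, search


def audit_forwarders(text):
    """List (nameserver, reason) for entries unsafe to hand to tenant VMs.

    A loopback or private-range resolver is only meaningful on the host's own
    network; forwarding tenant queries to it exposes whatever internal names
    it serves, which is the leak the bug report describes.
    """
    findings = []
    for ns in parse_resolv_conf(text)[0]:
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            findings.append((ns, "unparseable nameserver entry"))
            continue
        if addr.is_loopback:
            findings.append((ns, "loopback stub resolver on the host"))
        elif addr.is_private or addr.is_link_local:
            findings.append((ns, "private-range resolver; may serve internal names"))
    return findings


def public_forwarders(text):
    """Forwarders safe to expose to tenants: globally routable addresses only."""
    safe = []
    for ns in parse_resolv_conf(text)[0]:
        try:
            if ipaddress.ip_address(ns).is_global:
                safe.append(ns)
        except ValueError:
            pass  # skip malformed entries rather than forwarding to them
    return safe
```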

Sergey Matov (smatov)
information type: Proprietary → Public
Changed in juniperopenstack:
assignee: nobody → Sergey Matov (smatov)
Jeba Paulaiyan (jebap)
tags: added: config
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for
Submitter: Sergey Matov (<email address hidden>)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu:
status: New → Confirmed