Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add port 53/udp by default to netavark_zone so default networks can use DNS #1056

Open
flouthoc opened this issue Aug 12, 2024 · 9 comments
Open

Add port 53/udp by default to netavark_zone so default networks can use DNS #1056

flouthoc opened this issue Aug 12, 2024 · 9 comments

Comments

@flouthoc
Copy link
Collaborator

It seems on default setups with firewalld DNS is not functional at all, would it make sense to add --zone=netavark_zone --add-port=53/udp ?

Reproducer

  • Start with default firewalld
podman network create test

podman run -it --rm --network=test --name ctr1 nicolaka/netshoot bash

Current Output

5b4ecd5adc6e:~# dig ctr1
;; communications error to 10.89.0.1#53: host unreachable
;; communications error to 10.89.0.1#53: host unreachable
;; communications error to 10.89.0.1#53: host unreachable

; <<>> DiG 9.18.25 <<>> ctr1
;; global options: +cmd
;; no servers could be reached

Expected output

Resolution for default networks should work
@flouthoc
Copy link
Collaborator Author

flouthoc commented Aug 12, 2024
edited
Loading

@Luap99 Any thoughts on above ? Maybe we can add --zone=netavark_zone --add-port=53/udp by default or --zone=netavark_zone --add-port=<dns_bind_port>/udp?

@Luap99
Copy link
Member

Luap99 commented Aug 12, 2024

Is that with using the firewall driver? Because with iptables/nftables we definitely should add the accept rule already.

In general the firewalld driver cannot recommend for use as it is pretty broken (see open issues about firewalld), @mheon is working to fix most of them so I guess this would be another?

@flouthoc
Copy link
Collaborator Author

flouthoc commented Aug 12, 2024
edited
Loading

@Luap99 Yes when using firewalld dns does not works unless i manually add the port/protocol to netavark_zone. I think netavark should do it by default if @mheon is not on it. I can create a patch in spare time.

@mheon
Copy link
Member

mheon commented Aug 12, 2024

DNS should already be fixed on my patch, it's just port forwarding that's broken at this point AFAIK.

@flouthoc
Copy link
Collaborator Author

@mheon Is the patch which you are describing is on any of the open PR or merged in recent releases/upstream ?

@mheon
Copy link
Member

mheon commented Aug 12, 2024

#885

I really need to push the latest version with the isolation code added, but I still have not worked out the issues with port forwarding. Hopefully soon?

@flouthoc
Copy link
Collaborator Author

Hopefully soon?

Sure I'm not in a rush just asked out of curiosity since I was interested in looking/trying the patch. Please take your time.

@Luap99
Copy link
Member

Luap99 commented Aug 13, 2024

Although given I added tcp support to aardvark-dns we likely need to check that all rules allow 53 udp and tcp.

@flouthoc
Copy link
Collaborator Author

Although given I added tcp support to aardvark-dns we likely need to check that all rules allow 53 udp and tcp.

I agree if tcp is added then this should support tcp as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mheon @flouthoc @Luap99