DNS proxy and cascading proxies

Bug #1186854 reported by Miika Komu
Affects: HIPL
Status: New
Importance: Medium
Assigned to: Paul Tötterman
Milestone:

Bug Description

We discovered a glitch with the current DNS proxy in HIPL that occurs at least in kvm and virtualbox-based virtualized environments. The problem setup requires that both the host (i.e. the hypervisor) and the virtual machine are running the HIP DNS proxy.

Let's say that I query crossroads.infrahip.net (which has HIP records) first on the host machine and then on the virtual machine. The host does its HIP translation magic correctly. However, the virtual machine then receives the already translated A/AAAA records from the host machine because it is using the host as a "cascading" DNS proxy. This prevents the HIP proxy running on the virtual machine from correctly discovering the routable IP address of the server.

Solution (from Simon Kelley): if the answer to an A record query is a set of addresses, and one of the addresses is on the same subnet as the query originator, then only that address is returned.
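
The "same subnet wins" rule proposed above, as an added illustration that is not HIPL's code or any dnsmasq code: the proxy is assumed to know the prefixes of its own interfaces (constructed here, not read from the system), works out which of them the query's source address lies on, and then keeps only the answer addresses on that subnet. When no answer is on the client's subnet, the full answer set is passed through unchanged. The rule is generalised slightly beyond the A-record wording in the report: AAAA answers are handled the same way, and an address family mismatch (an IPv4 client with an IPv6 answer) never counts as a match. All addresses and prefixes below are constructed sample data.

```python
"""Filter a set of DNS answer addresses by the query originator's subnet.

Added example, not code from HIPL. The interface prefixes are assumed to be
known from the proxy's configuration; the sample data is constructed.
"""
import ipaddress
from typing import Iterable, List


def localise_answers(client_ip: str,
                     interface_prefixes: Iterable[str],
                     answers: Iterable[str]) -> List[str]:
    """Return only the answers on the client's subnet, if there are any.

    client_ip          source address of the DNS query (IPv4 or IPv6)
    interface_prefixes CIDR prefixes of the proxy's interfaces (assumed known)
    answers            addresses from the A/AAAA answer section, in order

    If at least one answer lies on a subnet that also contains client_ip,
    only those answers are returned (original order preserved). Otherwise
    the whole answer set is returned unchanged.
    """
    client = ipaddress.ip_address(client_ip)
    networks = [ipaddress.ip_network(p, strict=False) for p in interface_prefixes]

    # The subnets the query originator is on. `in` is False across address
    # families, so an IPv4 client never matches an IPv6 prefix and vice versa.
    client_subnets = [n for n in networks if client in n]

    parsed = [ipaddress.ip_address(a) for a in answers]
    on_client_subnet = [a for a in parsed
                        if any(a in n for n in client_subnets)]

    chosen = on_client_subnet if on_client_subnet else parsed
    return [str(a) for a in chosen]


def main() -> None:
    # Constructed scenario: the proxy sits on two subnets, and a client on
    # the first asks for a name that resolves to three addresses.
    prefixes = ["192.0.2.0/24", "2001:db8:1::/64"]
    answers = ["198.51.100.5", "192.0.2.9", "2001:db8:1::53"]

    # IPv4 client on 192.0.2.0/24: only the on-link IPv4 answer is returned.
    print(localise_answers("192.0.2.20", prefixes, answers))   # ['192.0.2.9']

    # IPv6 client on 2001:db8:1::/64: only the on-link AAAA answer is returned.
    print(localise_answers("2001:db8:1::10", prefixes, answers))  # ['2001:db8:1::53']

    # Client on a subnet the proxy does not serve: nothing is on-link, so the
    # answer set passes through untouched.
    print(localise_answers("10.1.1.1", prefixes, answers))


if __name__ == "__main__":
    main()
```

The selection is done on addresses alone, so it can be applied to an answer section regardless of whether the records came from upstream or from a local translation step; the caller is responsible for rewriting the actual DNS reply (TTLs, RR ordering) from the returned list.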

Revision history for this message
Pupu Toivonen (scolphoy) wrote:

In my experience on kvm, the problem requires only the host (hypervisor) to be running the HIP DNS proxy and to have queried the domain name first. The virtual machines' DNS queries are answered with the LSI that the host uses toward that domain.

I have not yet tried this with IPv6 or with HIP Firewall with LSI support activated.

