Support DNS matchPattern="*" to match "." #11633
Conversation
test-me-please

LGTM, but I'm not sure if this was simply an oversight or there was some rationale for not matching this. I guess @raybejjani would know.
DNS servers may request a list of root nameservers by forming an NS request for ".". We have received reports that when applying a visibility policy with the DNS matchPattern "*", DNS requests of this kind were being dropped in the proxy.

Fix this by extending the visibility match "*" to explicitly match on either "[validdnscharacters].", or ".". If the matchPattern is more complicated than simply "*", do not match on ".".

Signed-off-by: Joe Stringer <joe@cilium.io>
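To make the behaviour described in the commit message concrete, here is an added illustration (not Cilium's own matchpattern code, and not part of this PR) of how a pattern-to-regexp conversion can special-case the bare "*" so that it accepts the root name "." as well as ordinary FQDNs, while any other pattern keeps rejecting ".". The DNS character class, the function names and the trailing-dot normalisation are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// allowedDNSCharsREGroup is the character class assumed here for a DNS label.
// (Assumption for this example; the project may use a different set.)
const allowedDNSCharsREGroup = "[-a-zA-Z0-9_]"

// toRegexp converts a matchPattern into an anchored regexp.
//
// The bare "*" pattern is special-cased so that it matches either a normal
// FQDN ("label.label.") or exactly ".", the root name that an NS query for
// the root nameservers asks about. Any other pattern, even one that merely
// contains "*", keeps the ordinary wildcard behaviour and does not match ".".
func toRegexp(matchPattern string) (*regexp.Regexp, error) {
	matchPattern = strings.ToLower(strings.TrimSpace(matchPattern))
	if matchPattern == "*" {
		// One or more "<label>." groups, or the root name "." on its own.
		return regexp.Compile("(^(" + allowedDNSCharsREGroup + "+[.])+$)|(^[.]$)")
	}
	// Normalise to FQDN form so "example.com" and "example.com." behave alike.
	if !strings.HasSuffix(matchPattern, ".") {
		matchPattern += "."
	}
	// Escape regexp metacharacters, then turn the escaped "\*" back into
	// "zero or more DNS label characters".
	escaped := regexp.QuoteMeta(matchPattern)
	escaped = strings.Replace(escaped, `\*`, allowedDNSCharsREGroup+"*", -1)
	return regexp.Compile("^" + escaped + "$")
}

// matches reports whether the queried DNS name is accepted by matchPattern.
func matches(matchPattern, name string) (bool, error) {
	re, err := toRegexp(matchPattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(strings.ToLower(name)), nil
}

func main() {
	// Constructed sample queries, including the root NS lookup from the report.
	for _, tc := range []struct{ pattern, name string }{
		{"*", "."},                            // root NS query: matched
		{"*", "example.com."},                 // ordinary FQDN: matched
		{"*.example.com.", "."},               // more specific pattern: root not matched
		{"*.example.com.", "www.example.com."}, // wildcard still works
	} {
		ok, err := matches(tc.pattern, tc.name)
		fmt.Printf("pattern %-18q name %-18q -> %v (err=%v)\n", tc.pattern, tc.name, ok, err)
	}
}
```

The point of the special case is that "." cannot be produced by a pattern that expects at least one label before the dot, so without it a visibility policy of "*" silently drops the root NS query that resolvers issue, which shows up as a proxy-side drop rather than a policy denial anyone intended.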
test-me-please
Based on the docs it seems like this is intended behaviour: "`*` alone matches all names, and inserts all cached DNS IPs into this rule."

via https://docs.cilium.io/en/v1.7/policy/language/#dns-based