dnsproxy: Do not use original source when not possible

Do not use original source for server running in the local node, or when the destination is outside of the cluster, as there is a risk of missing masquarade on the upstream connection. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
jrajahalme · Jan 10, 2024 · 824e969 · 824e969
1 parent 94f6553
commit 824e969
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/pkg/fqdn/dnsproxy/proxy.go b/pkg/fqdn/dnsproxy/proxy.go
@@ -1010,8 +1010,8 @@ func (p *DNSProxy) ServeDNS(w dns.ResponseWriter, request *dns.Msg) {
 
 	var key string
 	// Do not use original source address if the source is known to be in the host networking
-	// namespace
-	if !ep.IsHost() && !epAddr.IsLoopback() {
+	// namespace, or the destination is known to be outside of the cluster, or is the local host
+	if !ep.IsHost() && !epAddr.IsLoopback() && ep.ID != uint16(identity.ReservedIdentityHost) && targetServerID.IsCluster() && targetServerID != identity.ReservedIdentityHost {
 		dialer.LocalAddr = w.RemoteAddr()
 		key = protocol + "-" + epIPPort + "-" + targetServerAddrStr
 	}

diff --git a/pkg/identity/numericidentity.go b/pkg/identity/numericidentity.go
@@ -656,3 +656,13 @@ func (id NumericIdentity) IsWorld() bool {
 	return option.Config.IsDualStack() &&
 		(id == ReservedIdentityWorldIPv4 || id == ReservedIdentityWorldIPv6)
 }
+
+// IsCluster returns true if the identity is a cluster identity by excluding all
+// identities that are known to be non-cluster identities.
+// NOTE: keep this and bpf identity_is_cluster() in sync!
+func (id NumericIdentity) IsCluster() bool {
+	if id.IsWorld() || id.HasLocalScope() {
+		return false
+	}
+	return true
+}