This repository has been archived by the owner on Dec 7, 2023. It is now read-only.
Consider disabling DNS resolution for the ignite-spawn container #438
Labels
area/runtime
Issues related to container runtimes
area/security
Issues related to security
good first issue
Good for newcomers
hacktoberfest
help wanted
Extra attention is needed
kind/enhancement
Categorizes issue or PR as related to improving an existing feature.
priority/important-longterm
Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Comments
stealthybox
added
help wanted
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
It's not actually important for any process in the
ignite-spawncontainer to have DNS resolution. This actually increases the attack surface of a vm breakout, as many attacks find control servers and even ex-filtrate data using DNS alone.We should consider making DNS resolution impractical since we have no need for it.
We can load our
dns.ClientConfigfrom a different file in the container.If we do this with a readonly rootfs(#439), it will make attacks less practical.
Containerd, does not configure
/etc/resolv.confby default.For the docker runtime,
--dns 0.0.0.0is one way to effectively disable lookups:docker run -it --rm --dns 0.0.0.0 busybox wget google.com wget: bad address 'google.com'If you disable DNS resolution in docker, you lose out on using the custom dockerd dns resolver.
This resolver is disabled however for the default docker-bridge which is currently our only supported option. We could add logic for this.
The text was updated successfully, but these errors were encountered: