OpenShift Bugs / OCPBUGS-38735

DNS Egress firewall should remove address_set entries after some time

    • Rejected

      Description of problem:

      Based on customer feedback, it doesn't appear that the OVN address_set has the IPs corresponding to (at least) DNS wildcard lookups removed after some time. This means the set can grow unbounded if the IP addresses change over time.

      Version-Release number of selected component (if applicable):

          4.16.8

      How reproducible:

          100%

      Steps to Reproduce:

      1. Create an EgressFirewallDNS entry for *.webhook.office.com
      2. Repeatedly connect to that host to populate entries
      3. Stop accessing that host

      Actual results:

      address_set items never expire

      Expected results:

      address_set items should expire after some reasonable timeframe or possibly at the TTL received when looking up the hostname?

      Additional info:

      Should there be an option to set a maximum number of entries so that an errant DNS entry doesn't allow someone to create DoS scenarios by yielding billions of address_set entries?

      Need to also ensure that when/if we remove entries due to expiry there are no active connections to those IP addresses, considering that some connections may be long-lived. TTL may not be the best value, because it may be too short.

      Also, some DNS servers don't provide all answers on each query.

      Maybe this needs to be configured per hostname or per cluster, i.e. a 1 hour timeout if it's not been refreshed, based on the maximum duration of long-lived connections for a specific use case.

              npinaeva@redhat.com Nadia Pinaeva
              rhn-support-sdodson Scott Dodson
              Melvin Joseph Melvin Joseph
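The following is an added illustration and is not code from the bug report or from ovn-kubernetes. It models, in Go, the behaviour the report asks for: entries in a per-name DNS address set are refreshed whenever an answer returns them, age out after the larger of the DNS TTL and a configurable floor, are never removed while a connection to them is still active, and are capped so a hostile or errant name cannot grow the set without bound. The type and method names (DNSAddressSet, Observe, Expire, MinLifetime, MaxEntries), the one-hour floor and the 203.0.113.0/24 sample addresses are assumptions for illustration; the active-connection check is a caller-supplied callback standing in for whatever conntrack query a real implementation would use.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"sort"
	"time"
)

// ErrSetFull is returned once the per-name cap is reached; the remaining IPs
// from that answer are dropped instead of growing the set without bound.
var ErrSetFull = errors.New("dns address set: entry cap reached")

// Entry records when an IP was last returned for the name and with what TTL.
type Entry struct {
	LastSeen time.Time
	TTL      time.Duration
}

// DNSAddressSet models the address_set kept for one EgressFirewall DNS name.
// Illustrative model only; it is not the ovn-kubernetes data structure.
type DNSAddressSet struct {
	Name        string
	MaxEntries  int           // 0 means no cap
	MinLifetime time.Duration // floor so a short DNS TTL cannot cut long-lived connections
	entries     map[netip.Addr]Entry
}

func NewDNSAddressSet(name string, maxEntries int, minLifetime time.Duration) *DNSAddressSet {
	return &DNSAddressSet{Name: name, MaxEntries: maxEntries, MinLifetime: minLifetime,
		entries: make(map[netip.Addr]Entry)}
}

// lifetime is how long an entry is kept after it was last seen in a DNS answer:
// the DNS TTL, but never less than the configured floor.
func (s *DNSAddressSet) lifetime(e Entry) time.Duration {
	if e.TTL > s.MinLifetime {
		return e.TTL
	}
	return s.MinLifetime
}

// Observe applies one DNS answer. IPs already in the set are refreshed; new
// IPs are added until MaxEntries is hit. IPs absent from this answer are left
// alone (some resolvers return only a subset of records per query), so they
// age out on their own schedule instead of vanishing on the first answer that
// omits them. Returns the number of newly added IPs.
func (s *DNSAddressSet) Observe(now time.Time, ttl time.Duration, ips ...netip.Addr) (int, error) {
	added := 0
	for _, ip := range ips {
		if _, known := s.entries[ip]; !known {
			if s.MaxEntries > 0 && len(s.entries) >= s.MaxEntries {
				return added, ErrSetFull
			}
			added++
		}
		s.entries[ip] = Entry{LastSeen: now, TTL: ttl}
	}
	return added, nil
}

// Expire removes entries whose lifetime has elapsed, but never one that still
// has an active connection (hasActiveConn is the caller's conntrack check).
// It returns the removed IPs in sorted order.
func (s *DNSAddressSet) Expire(now time.Time, hasActiveConn func(netip.Addr) bool) []netip.Addr {
	var removed []netip.Addr
	for ip, e := range s.entries {
		if now.Sub(e.LastSeen) <= s.lifetime(e) {
			continue // still fresh
		}
		if hasActiveConn(ip) {
			continue // stale but in use: keep until the connection is gone
		}
		delete(s.entries, ip) // deleting during range is safe in Go
		removed = append(removed, ip)
	}
	sort.Slice(removed, func(i, j int) bool { return removed[i].Less(removed[j]) })
	return removed
}

// Addrs lists the current members in sorted order.
func (s *DNSAddressSet) Addrs() []string {
	out := make([]string, 0, len(s.entries))
	for ip := range s.entries {
		out = append(out, ip.String())
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample answers; 203.0.113.0/24 is the TEST-NET-3 documentation range.
	s := NewDNSAddressSet("*.webhook.office.com", 1000, time.Hour)
	t0 := time.Now()
	s.Observe(t0, 30*time.Second, netip.MustParseAddr("203.0.113.10"), netip.MustParseAddr("203.0.113.11"))
	s.Observe(t0.Add(30*time.Minute), 30*time.Second, netip.MustParseAddr("203.0.113.10"))
	removed := s.Expire(t0.Add(61*time.Minute), func(netip.Addr) bool { return false })
	fmt.Println("removed:", removed, "remaining:", s.Addrs())
}
```

The floor addresses the report's point that a raw TTL is often too short for long-lived connections, the callback addresses the point that an in-use IP must not be pulled from the set, and refreshing only the IPs present in each answer addresses resolvers that return a subset of records per query. To confirm the unbounded growth on a cluster, inspect the set directly with `ovn-nbctl list Address_Set` from the northbound database container (in 4.16 this typically lives in the ovnkube-node pods) while repeating the reproduction steps above; the member list should stay bounded once expiry exists.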