containers / netavark

Container network stack
Apache License 2.0

Add port `53/udp` by default to `netavark_zone` so default networks can use DNS #1056

Open flouthoc opened 1 month ago

flouthoc commented 1 month ago

It seems that on default setups with firewalld, DNS is not functional at all. Would it make sense to add `--zone=netavark_zone --add-port=53/udp`?

Reproducer

```shell
podman run -it --rm --network=test --name ctr1 nicolaka/netshoot bash
```

Current Output

```
5b4ecd5adc6e:~# dig ctr1
;; communications error to 10.89.0.1#53: host unreachable
;; communications error to 10.89.0.1#53: host unreachable
;; communications error to 10.89.0.1#53: host unreachable

; <<>> DiG 9.18.25 <<>> ctr1
;; global options: +cmd
;; no servers could be reached
```

Expected output

Resolution for default networks should work

flouthoc commented 1 month ago

@Luap99 Any thoughts on the above? Maybe we can add `--zone=netavark_zone --add-port=53/udp` by default, or `--zone=netavark_zone --add-port=<dns_bind_port>/udp`?

Luap99 commented 1 month ago

Is that with using the firewalld driver? Because with iptables/nftables we definitely should add the accept rule already.

In general the firewalld driver cannot be recommended for use as it is pretty broken (see open issues about firewalld); @mheon is working to fix most of them, so I guess this would be another?

flouthoc commented 1 month ago

@Luap99 Yes, when using firewalld, DNS does not work unless I manually add the port/protocol to `netavark_zone`. I think netavark should do it by default if @mheon is not on it. I can create a patch in my spare time.

mheon commented 1 month ago

DNS should already be fixed on my patch, it's just port forwarding that's broken at this point AFAIK.

flouthoc commented 1 month ago

@mheon Is the patch you are describing in any of the open PRs, or merged in recent releases/upstream?

mheon commented 1 month ago

https://github.com/containers/netavark/pull/885

I really need to push the latest version with the isolation code added, but I still have not worked out the issues with port forwarding. Hopefully soon?

flouthoc commented 1 month ago

> Hopefully soon?

Sure I'm not in a rush just asked out of curiosity since I was interested in looking/trying the patch. Please take your time.

Luap99 commented 1 month ago

Although given I added tcp support to aardvark-dns we likely need to check that all rules allow 53 udp and tcp.

flouthoc commented 1 month ago

> Although given I added tcp support to aardvark-dns we likely need to check that all rules allow 53 udp and tcp.

I agree if tcp is added then this should support tcp as well.
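The manual workaround flouthoc describes (adding the DNS port to `netavark_zone` by hand) and Luap99's point that the rule now has to cover both 53/udp and 53/tcp can be checked with a small host-side script. The following is an added example, not netavark's own code or the fix from the linked PR: it assumes the zone name `netavark_zone` from this issue, the default port 53 (overridable via a hypothetical `DNS_PORT` variable, mirroring the `<dns_bind_port>` idea above), and a host with `firewall-cmd` available. `missing_dns_ports` is pure string processing so it can be exercised with a constructed `--list-ports` line; `ensure_dns_ports` is the part that actually touches firewalld.

```shell
#!/bin/sh
# Added example (not netavark code): make sure the firewalld zone that
# netavark uses accepts aardvark-dns traffic on both 53/udp and 53/tcp.

ZONE="${NETAVARK_ZONE:-netavark_zone}"   # zone name taken from the issue
DNS_PORT="${DNS_PORT:-53}"               # hypothetical override for a non-default bind port

# missing_dns_ports PORT "LISTED"
#   PORT   - the DNS port number to check
#   LISTED - the space-separated output of `firewall-cmd --zone=Z --list-ports`,
#            e.g. "8080/tcp 53/udp" (a constructed sample is used in the test)
# Prints the port/proto pairs (udp and tcp) that are not yet allowed.
missing_dns_ports() {
    port="$1"
    listed="$2"
    missing=""
    for proto in udp tcp; do
        # Pad with spaces so "530/udp" or "53/tcpx" cannot match "53/udp"/"53/tcp".
        case " $listed " in
            *" $port/$proto "*) ;;
            *) missing="$missing $port/$proto" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# ensure_dns_ports
# Queries the live zone and adds whatever is missing, both at runtime and
# in the permanent configuration, so the rule survives a firewalld reload.
ensure_dns_ports() {
    listed=$(firewall-cmd --zone="$ZONE" --list-ports) || return 1
    for pp in $(missing_dns_ports "$DNS_PORT" "$listed"); do
        echo "adding $pp to zone $ZONE"
        firewall-cmd --zone="$ZONE" --add-port="$pp" || return 1
        firewall-cmd --permanent --zone="$ZONE" --add-port="$pp" || return 1
    done
}

# Uncomment to apply on a real host (requires root and the firewalld driver in use):
# ensure_dns_ports
```

After running `ensure_dns_ports` on the host, repeat the reproducer (`dig ctr1` inside the container) to confirm resolution works; querying with `dig +tcp ctr1` as well exercises the tcp path that aardvark-dns now supports.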