-
Notifications
You must be signed in to change notification settings - Fork 35
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Shall we lookup host's /etc/hosts before forwarding other request to host's /etc/resolv.conf? #213
Comments
This sounds like an information leak - would allow containers to see information about the host that they otherwise could not. Potentially a security risk, so I'm rather leery about allowing it. |
I would tend to agree with you @mheon ... we have no way to programmatically determine intent. |
Thanks @mheon @baude for your response.
Due to the implementation of Nginx, when it uses |
Any update on this issue? Alternatively, is it possible to introduce a new command line option to |
1 and 2 can be configured by users, we do such a leak by default but it can be changed via podman options so doing unconditionally in aardvark-dns could break that promise. Adding this behind an opt-in option is possible but I would still see this as a rather unique use case. If you are already using systemd-resolved then that should already lookup /etc/hosts by default (https://www.freedesktop.org/software/systemd/man/resolved.conf.html#ReadEtcHosts=). This is the default on fedora and on my system it seems to work like you want with that. |
This is kind of a requirement.
From host's POV, usually it looks up /etc/hosts firstly, then send request to /etc/resolv.conf.
Similarly, from container's POV, it looks up /etc/hosts firstly, then send request to aardvark-dns.
Ideally aardvark-dns should look up its own config file first, then look up host's /etc/hosts, then forward request to host's /etc/resolv.conf.
Especially for Non-DNS users, they don't configure /etc/resolv.conf but just add some entries in /etc/hosts in host.
Adding such logic of looking up host's /etc/hosts before forwarding request to host's /etc/resolv.conf would benefit those Non-DNS users.
The text was updated successfully, but these errors were encountered: