> # My issue
>
> Name resolution for *.private1 works fine on this network. But I'm not
> able to resolve domains from the outside world like
> github.com.
This behavior is intentional:
https://gitlab.com/libvirt/libvirt/-/commit/513122ae93
>
> I understood that libvirt is forwarding dns resolution requests to the
> hosts nameserver configured in /etc/resolv.conf in case the dnsmasq
> instance for the virtual network is not able to resolve the name.
Not for isolated networks, because a DNS request could be used to break
out of an isolated network (by using "IP over DNS")
>
> My guess, in my setup this doesn't work, because the virtual switch is
> in isolated mode, right?
When DNS traffic is forwarded by a DNS server, it is at application
level, not IP level, so any filtering of forwarded traffic on the switch
is not involved.
>
> # My questions
>
> * What can I do to achieve my use case described above?
>
> * Is it possible to use the isolated mode here or do I have to use a
> different mode?
"no-resolv" will always be in the dnsmasq config file for an isolated
network, and there isn't any way to remove it (other than using a
different kind of network). And since there is not (as far as I know) a
different dnsmasq option to counteract a "no-resolv" that's already
there, you can't eliminate the effect of no-resolv by adding something
to the conf file with <dnsmasq:options>. A few things to try:
1) try adding <forwarder addr='x.x.x.x'/> in the <dns> section of
the network, pointing to your normal DNS server. Possibly that directive
to dnsmasq will make a "side run" around the restriction on forwarding.
(this can also have "domain='blah'" added, in which case it only
forwards requests for names within the 'blah' domain).
https://libvirt.org/formatnetwork.html#elementsAddress
2) use a <forward mode='route'> network, but also add in nwfilter rules
that only allow traffic on the local network.
https://libvirt.org/formatnwfilter.html
3) again, use <forward mode='route'>, but also manually add a rule to
the host iptables that rejects all traffic from the guest network
outbound on the host's egress interface.
> It's important that the guest domains could only connect to the
> internet by using the proxy.
Have you tried putting the guests
Hi,
Thanks for your reply Laine.
I solved this by finding a way where I don't need the DNS resolution at all.
To be able to reach internet domains through a proxy I configured the
proxy via the environment variables http_proxy and https_proxy. This way
tools like `curl` or `git` hand over the request to the proxy and the
proxy resolves the domain.
Didn't think about this option earlier.
Thanks again for your good explanation.
Regards,
Joerg
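As an added illustration of Laine's first suggestion (this is not from the original thread, nor libvirt's own example), here is a network definition that keeps the network isolated (no <forward> element, so guests have no IP-level path off the host) but adds a <dns><forwarder>. dnsmasq's no-resolv only stops it from reading /etc/resolv.conf; an upstream given explicitly with server=, which is what libvirt writes into the dnsmasq conf for <forwarder>, is still used. The network name, bridge, addresses and the example.org domain are placeholders.

```xml
<!-- Added example, not part of the original mailing-list thread.
     Isolated network (no <forward> element) with a restricted DNS forwarder.
     Bridge name, addresses and domain are assumed placeholders. -->
<network>
  <name>private1</name>
  <bridge name='virbr1'/>
  <domain name='private1'/>
  <dns>
    <!-- Forward only queries under example.org to the resolver at 192.0.2.53.
         libvirt turns this into "server=/example.org/192.0.2.53" for dnsmasq,
         which applies even though "no-resolv" is also present.
         Drop the domain= attribute to forward every name dnsmasq cannot
         answer itself; that reopens the full "IP over DNS" channel Laine
         describes, so keep the restriction unless it is really needed. -->
    <forwarder domain='example.org' addr='192.0.2.53'/>
  </dns>
  <ip address='192.168.123.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.123.100' end='192.168.123.200'/>
    </dhcp>
  </ip>
</network>
```

Load it with `virsh net-define private1.xml` and `virsh net-start private1`, then confirm the generated configuration with `grep -E 'no-resolv|server=' /var/lib/libvirt/dnsmasq/private1.conf`: both lines should be present. Two caveats for the proxy-only requirement in the question: any forwarder at all gives guests a covert channel to whatever the upstream resolver can reach, so point addr at a resolver you control and keep domain= as narrow as possible; and, as Joerg found, guests that reach the internet solely through an HTTP proxy set via http_proxy/https_proxy do not need to resolve external names themselves, so the forwarder can be left out entirely.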