Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add standard for DNS #570

Open
wants to merge 17 commits into
base: main
Choose a base branch
from
Open

Add standard for DNS #570

wants to merge 17 commits into from

Conversation

markus-hentsch
Copy link
Contributor

No description provided.

@markus-hentsch markus-hentsch added the SCS-VP10 Related to tender lot SCS-VP10 label Apr 18, 2024
@markus-hentsch markus-hentsch linked an issue Apr 18, 2024 that may be closed by this pull request
9 tasks
Standards/scs-01xx-v1-dns.md Outdated Show resolved Hide resolved
Standards/scs-01xx-v1-dns.md Outdated Show resolved Hide resolved

- One or more local DNS recursors SHOULD be integrated into the infrastructure and the `dnsmasq_dns_server` setting SHOULD point to the local DNS recursor(s) only.
- Any local DNS recursor referenced by the `dnsmasq_dns_server` setting MUST implement DNSSEC validation.
- If the cloud infrastructure has any provider networks connected to the internet, then the `dnsmasq_dns_server` entries MUST contain DNS servers (recursors or resolvers) that can resolve public DNS records.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should discuss how to handle clouds where provider networks use different root zones.

An example scenario: An on-premise setup where one provider network is connected to the internet (and uses the public root zone) has a second provider network which is connected to the company intranet. That intranet is isolated from the internet and uses an alt-root for internal name resolution.

Here, it is not obvious how a value for dnsmasq_dns_server should look like to allow resolution of names relevant to the respective network could work.

We need to discuss:

  • Whether such setups are in scope, and
  • if they are: how to address this.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This still needs some discussion, has that happened in some meeting I wasn't part of or should we schedule something for that? @markus-hentsch @fkr


A local DNS recursor can be used to cache and serve DNS responses locally. It servers as a proxy between the clients and external DNS servers.
This improves performance and speed of DNS resolution in the infrastructure.
Furthermore, it can be configured to use DNSSEC, DNS over HTTPS and/or DNS over TLS to increase security and privacy of DNS requests it handles for clients.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't mention DNS-over-HTTPS, as it provides no significant benefits over DNS-over-TLS, but needlessly exposes an HTTP parser to the internet.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The security aspect has merit but DNS over HTTPS has significant different advantages over DNS over TLS, especially with regards to privacy and simplicity of configuration (e.g. port 443 is almost always no problem to connect to, good luck with DNSoTLS with some network middleboxes.)

Copy link
Member

@horazont horazont Jun 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Which privacy advantages does DoH have that DoTLS does not have?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's usage is harder to detect than DoT, this is why every browser implements DoH instead of DoT. This might or might not be a concern for our usecase though (I think it is the latter, but I didn't really analyze this in detail).

Specifically DoT uses Port 853 which makes it very easy to detect and block.

:edit: see e.g. https://dnsprivacy.org/the_solutions/#dns-over-tls-dot for some external references.

The web is full with content around this controversy, e.g. there where some panels regarding this at some FOSDEM dns dev rooms in the past with quite some good arguments for both "sides", see e.g. this blog post which has more links:

https://blog.powerdns.com/2019/02/07/the-big-dns-privacy-debate-at-fosdem

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, none of that matters for a recursor running locally in a datacenter. I'd argue even DoTLS is overkill for that, but that's not a hill I'm willing to die on.

Standards/scs-01xx-v1-dns.md Outdated Show resolved Hide resolved
Standards/scs-01xx-v1-dns.md Outdated Show resolved Hide resolved
Standards/scs-01xx-v1-dns.md Outdated Show resolved Hide resolved
@markus-hentsch
Copy link
Contributor Author

Based on the latest findings of SovereignCloudStack/issues#229 I made the following changes/additions:

  • only make the dns driver mandatory (not dns_domain_ports); this should be more then sufficient for internal DNS
  • for infrastructures offering DNSaaS (Designate), instead make dns_domain_ports mandatory and subnet_dns_published_fixed_ip recommended

Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch
Copy link
Contributor Author

I implemented a test script that verifies the existence of the API extensions as mandated by the current standard draft.
The script queries the Neutron Extensions API and relies on the information it provides.

However, due to https://bugs.launchpad.net/neutron/+bug/2063669 the test will succeed in any OVN-based setup since the DNS extensions are always reported as being available even if none of them actually are.

Upstream needs to fix this for the test script to actually report accurate results ...

Copy link
Contributor

@anjastrunk anjastrunk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, beside missing two explanations for "OVM" and "OVS".

Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch
Copy link
Contributor Author

LGTM, beside missing two explanations for "OVM" and "OVS".

Thanks for pointing that out! This is quite important. I've added them to the glossary.

Standards/scs-01xx-v1-dns.md Outdated Show resolved Hide resolved
Co-authored-by: Felix Kronlage-Dammers <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
Copy link
Contributor

@artificial-intelligence artificial-intelligence left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I need to review this in more detail later.
I'm only somewhat competent in the DNS RFCs as I happened to run, architect and maintain some dns infrastructure in the past.

DNS is a very complicated topic and I need some more time to read the standard very carefully, thanks.

Standards/scs-01xx-v1-dns.md Show resolved Hide resolved
Standards/scs-01xx-v1-dns.md Outdated Show resolved Hide resolved

A local DNS recursor can be used to cache and serve DNS responses locally. It servers as a proxy between the clients and external DNS servers.
This improves performance and speed of DNS resolution in the infrastructure.
Furthermore, it can be configured to use DNSSEC, DNS over HTTPS and/or DNS over TLS to increase security and privacy of DNS requests it handles for clients.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The security aspect has merit but DNS over HTTPS has significant different advantages over DNS over TLS, especially with regards to privacy and simplicity of configuration (e.g. port 443 is almost always no problem to connect to, good luck with DNSoTLS with some network middleboxes.)

Copy link
Contributor

@artificial-intelligence artificial-intelligence left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

imho the standard should mandate RFC compliant DNS Servers that should be made available to the customer, given the fact there are a lot of non compliant dns servers out there.

Standards/scs-01xx-v1-dns.md Show resolved Hide resolved
Standards/scs-01xx-v1-dns.md Show resolved Hide resolved
Standards/scs-01xx-v1-dns.md Show resolved Hide resolved
@horazont
Copy link
Member

imho the standard should mandate RFC compliant DNS Servers that should be made available to the customer, given the fact there are a lot of non compliant dns servers out there.

Good idea. Do you have a list of RFCs a good recursor should adhere to? I'm not sure if we need to list the RFCs of all RRs which we expect to be supported or whether that's something any base-RFC-compliant recursor MUST handle correctly anyway (even though history has shown they don't always).

@markus-hentsch
Copy link
Contributor Author

markus-hentsch commented Sep 27, 2024

(this comment was misplaced and moved to the corresponding issue here)

... as a result of the recent Lean Operator Coffee discussion

Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch
Copy link
Contributor Author

I demoted some of the guidelines in this standard from MUST to SHOULD as a result of the recent CSP discussion (see here).

As a result, the API tests I implemented for the conformance tests are not applicable anymore and I removed them. They wouldn't have worked properly with Neutron's current implementation anyway.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
SCS-VP10 Related to tender lot SCS-VP10
Projects
Status: Doing
Development

Successfully merging this pull request may close these issues.

IaaS DR/Standard for tenant VM DNS
6 participants