  1. DC/OS
  2. DCOS_OSS-2413

Spartan blindly forwards DNS requests to upstream servers

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Medium
    • Resolution: Won't Do
    • Affects Version/s: DC/OS 1.11.1
    • Fix Version/s: None
    • Component/s: dcos-net, spartan
    • Labels:

      Description

      I deployed a toy OSS DC/OS 1.11.1 cluster over the weekend on 3 VPS machines that I had available (each one being public to the internet). And after a few hours I got an alert from my provider that my master node was participating in a DDoS reflection attack using DNS amplification.

      Digging in, I found out that indeed dcos-net is blindly forwarding DNS requests to the upstream DNS servers. I am assuming that's the spartan service?

      Regardless of the cluster configuration (e.g. airtight or exposed), I think that spartan should validate that the DNS request comes from within the cluster before forwarding it to the upstream DNS servers.
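
One way to implement the source check the report asks for, as an added example (not dcos-net or spartan code): a forwarder decides per datagram whether to forward, refuse or drop, and the refusal is a 12-byte header-only reply so it is never larger than the query. The cluster ranges, function names and sample query are assumptions constructed for this example.

```python
import ipaddress
import struct

# Assumed cluster ranges for this example; replace with the real agent/master subnets.
CLUSTER_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]
QR_BIT, OPCODE_RD_MASK, RCODE_REFUSED = 0x8000, 0x7900, 5

def is_cluster_source(src_ip, nets=CLUSTER_NETS):
    """True if the packet's source address lies inside a cluster network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in nets)  # IPv4/IPv6 mismatch is simply False

def refused_response(query):
    """Header-only REFUSED reply: 12 bytes, never larger than the query."""
    qid, flags = struct.unpack("!HH", query[:4])
    out_flags = QR_BIT | (flags & OPCODE_RD_MASK) | RCODE_REFUSED
    return struct.pack("!HHHHHH", qid, out_flags, 0, 0, 0, 0)

def handle_query(src_ip, query):
    """Decide what a forwarder does with one UDP datagram.

    Returns ("forward", query), ("refuse", reply) or ("drop", b"").
    """
    if len(query) < 12:
        return ("drop", b"")          # shorter than a DNS header
    flags = struct.unpack("!H", query[2:4])[0]
    if flags & QR_BIT:
        return ("drop", b"")          # a response, not a query
    if is_cluster_source(src_ip):
        return ("forward", query)     # only now may it reach the upstream resolver
    return ("refuse", refused_response(query))

def sample_query(name="example.com"):
    """Constructed A/IN query used as sample input."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    q = sample_query()
    for src in ("10.0.3.7", "203.0.113.9", "2001:db8::1"):
        action, data = handle_query(src, q)
        print(src, action, len(data))
```

UDP source addresses can be spoofed, so this check complements, and does not replace, firewalling port 53 on public interfaces.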


            People

            • Assignee:
              sergeyurbanovich Sergey Urbanovich
              Reporter:
              icharalampidis Ioannis Charalampidis
              Team:
              Networking Team
              Watchers:
              Deepak Goel, Ioannis Charalampidis, Sergey Urbanovich

              Dates

              • Created:
                Updated:
                Resolved: