libnet: Don't forward to upstream resolvers on internal nw by akerouanton · Pull Request #46609 · moby/moby

akerouanton · 2023-10-10T08:19:16Z

Stacked on top of libnet/d/bridge: Don't set container's gateway when network is internal #46603
Related to CI failures seen on integration: Add a new networking integration test suite #46531

- What I did

First commit adds a way to enable/disable upstream forwarding to the embedded resolver. When an endpoint joins/leaves a sandbox, this forwarding policy is modified based on whether there's an endpoint providing external connectivity.

Second commit ensures the resolver return a REFUSED response with the RA bit (ie. Recursion Available) unset when upstream forwarding is disabled and no matching container/alias can be found.

- Description for the changelog

The embedded DNS resolver now returns a REFUSED response when upstream forwarding is disabled (ie. on internal networks, or on Windows) and no container/alias match the queried name.

- A picture of a cute animal (not mandatory but encouraged)

libnetwork/resolver_test.go

ArchanaWind · 2025-07-14T10:34:34Z

HI,
CVE-2024-29018 is created for this issue, is moby_20.10.x is vulnerable to this bug

Thanks in advance

akerouanton added status/2-code-review kind/enhancement Enhancements are not bugs or new features but can improve usability or performance. area/networking Networking impact/changelog area/networking/dns Networking labels Oct 10, 2023

akerouanton changed the title ~~Libnet resolver nxdomain~~ libnet: Don't forward to upstream resolvers on internal nw Oct 10, 2023

akerouanton force-pushed the libnet-resolver-nxdomain branch 2 times, most recently from 48182ae to 04328c5 Compare October 10, 2023 08:40

akerouanton commented Oct 10, 2023

View reviewed changes

libnetwork/resolver_test.go Show resolved Hide resolved

akerouanton mentioned this pull request Oct 10, 2023

libnet/d/bridge: Don't set container's gateway when network is internal #46603

Merged

akerouanton force-pushed the libnet-resolver-nxdomain branch 2 times, most recently from 1aac557 to 06a8690 Compare October 12, 2023 12:23

akerouanton force-pushed the libnet-resolver-nxdomain branch 14 times, most recently from 73b3c9f to 977cf2d Compare October 19, 2023 17:21

akerouanton self-assigned this Oct 25, 2023

akerouanton force-pushed the libnet-resolver-nxdomain branch 3 times, most recently from 85ab3d4 to eeaac96 Compare December 18, 2023 23:16

github-actions bot mentioned this pull request Mar 2, 2025

chore(deps): update dependency kubeshark/kubeshark to v52.5.0 uniget-org/tools#10633

Merged

1 task

This was referenced Mar 20, 2025

chore(deps): update dependency rancher/rke to v1.7.4 uniget-org/tools#11029

Merged

chore(deps): update dependency rancher/rke to v1.8.0 uniget-org/tools#11034

Merged

chore(deps): update dependency kubeshark/kubeshark to v52.6.0 uniget-org/tools#11137

Merged

github-actions bot mentioned this pull request Mar 28, 2025

chore(deps): update dependency rancher/rke to v1.8.1 uniget-org/tools#11208

Merged

1 task

This was referenced Apr 25, 2025

chore(deps): update dependency ktock/buildg to v0.5.2 uniget-org/tools#11849

Merged

chore(deps): update dependency marcosnils/bin to v0.21.1 uniget-org/tools#11866

Merged

This was referenced May 15, 2025

chore(deps): update dependency rancher/rke to v1.8.3 uniget-org/tools#12264

Merged

chore(deps): update dependency marcosnils/bin to v0.21.2 uniget-org/tools#12344

Merged

github-actions bot mentioned this pull request Jun 1, 2025

chore(deps): update dependency kubeshark/kubeshark to v72 uniget-org/tools#12660

Merged

1 task

github-actions bot mentioned this pull request Jun 18, 2025

chore(deps): update dependency rancher/rke to v1.8.4 uniget-org/tools#13025

Merged

1 task

github-actions bot mentioned this pull request Jul 8, 2025

Updated labels for activity uniget-org/tools#13453

Merged

github-actions bot mentioned this pull request Jul 21, 2025

chore(deps): update dependency marcosnils/bin to v0.22.0 uniget-org/tools#13761

Merged

1 task

github-actions bot mentioned this pull request Jul 29, 2025

chore(deps): update dependency rancher/rke to v1.8.5 uniget-org/tools#13958

Merged

1 task

github-actions bot mentioned this pull request Aug 22, 2025

chore(deps): update dependency rancher/rke to v1.8.6 uniget-org/tools#14495

Merged

1 task

github-actions bot mentioned this pull request Sep 19, 2025

chore(deps): update dependency rancher/rke to v1.8.7 uniget-org/tools#15129

Merged

1 task

github-actions bot mentioned this pull request Oct 22, 2025

chore(deps): update dependency rancher/rke to v1.8.8 uniget-org/tools#15912

Merged

1 task

This was referenced Dec 12, 2025

Updated metadata uniget-org/tools#17258

Merged

chore(deps): update dependency rancher/rke to v1.8.9 uniget-org/tools#17337

Merged

github-actions bot mentioned this pull request Jan 22, 2026

chore(deps): update dependency rancher/rke to v1.8.10 uniget-org/tools#18214

Merged

1 task

nh250146 mentioned this pull request Feb 13, 2026

Multiple CVEs found in latest release aenix-io/dnsmasq-controller#9

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

libnet: Don't forward to upstream resolvers on internal nw#46609

libnet: Don't forward to upstream resolvers on internal nw#46609
akerouanton wants to merge 3 commits intomoby:masterfrom
akerouanton:libnet-resolver-nxdomain

akerouanton commented Oct 10, 2023 •

edited

Loading

Uh oh!

Uh oh!

ArchanaWind commented Jul 14, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

akerouanton commented Oct 10, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

ArchanaWind commented Jul 14, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

akerouanton commented Oct 10, 2023 •

edited

Loading