This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

http handler listens on all interfaces, which is bad #899

Closed
rade opened this issue Jun 12, 2015 · 4 comments

Comments

@rade
Member

rade commented Jun 12, 2015

The DNS server's http handler is listening on all interfaces. In particular that means it is listening on the ethwe interface. That is bad since it makes sharing a subnet between the DNS servers and app containers more dangerous than it should be - apps could modify DNS entries.

The http handler should listen on eth0 / the docker-assigned IP only, at least by default.

Then, at least when full app isolation has been configured (see the bottom of the isolation section in our docs), the weaveDNS http interface is inaccessible to apps.

Even then apps on the same subnet as weaveDNS can modify it - by setting up an mDNS responder that participates in the weaveDNS chatter. But that is more involved. And not easily preventable.

@rade rade added this to the 1.0 milestone Jun 12, 2015
@awh awh self-assigned this Jun 12, 2015
@awh
Contributor

awh commented Jun 12, 2015

> But that is more involved. And not easily preventable.

And becomes a non-issue once we move to gossip...#826

@rade
Member Author

rade commented Jun 12, 2015

Good point re gossip. The http handler will stay - so this issue is still relevant then - whereas all the mDNS machinery will go.

@awh
Contributor

awh commented Jun 12, 2015

> The http handler should listen on eth0 / the docker-assigned IP only

Is it safe to assume the relevant interface is named eth0?

@rade
Member Author

rade commented Jun 12, 2015

> Is it safe to assume the relevant interface is named eth0?

Safe enough. Though we may want to add an option to override that.
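The fix the thread converges on (bind the HTTP API to the IPv4 address of eth0 by default, with an option to name a different interface) looks like the following in Go. This is an added illustration, not weave's own code from #906: the flag names `-httpiface` and `-httpport`, the default port and the `/status` handler are assumptions. The one design choice worth noting is that a missing or address-less interface is treated as fatal rather than silently falling back to the `":port"` wildcard, since that fallback would reintroduce the ethwe exposure the issue describes.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"log"
	"net"
	"net/http"
	"strconv"
)

// pickIPv4 returns the first non-loopback IPv4 address in addrs, or an error
// if there is none. It does no syscalls so it can be tested with constructed
// addresses.
func pickIPv4(addrs []net.Addr) (net.IP, error) {
	for _, a := range addrs {
		var ip net.IP
		switch v := a.(type) {
		case *net.IPNet:
			ip = v.IP
		case *net.IPAddr:
			ip = v.IP
		}
		// To4 is nil for IPv6 addresses; skip those and loopback.
		if ip4 := ip.To4(); ip4 != nil && !ip4.IsLoopback() {
			return ip4, nil
		}
	}
	return nil, errors.New("no non-loopback IPv4 address found")
}

// listenAddr resolves the named interface (eth0 by default, overridable as the
// thread suggests) to a concrete "ip:port" so that http.ListenAndServe binds
// only that address instead of the ":port" wildcard that covers ethwe too.
func listenAddr(ifname string, port int) (string, error) {
	iface, err := net.InterfaceByName(ifname)
	if err != nil {
		return "", fmt.Errorf("interface %q: %w", ifname, err)
	}
	addrs, err := iface.Addrs()
	if err != nil {
		return "", fmt.Errorf("addresses of %q: %w", ifname, err)
	}
	ip, err := pickIPv4(addrs)
	if err != nil {
		return "", fmt.Errorf("interface %q: %w", ifname, err)
	}
	return net.JoinHostPort(ip.String(), strconv.Itoa(port)), nil
}

func main() {
	// Hypothetical flag names and defaults (assumptions, not weave's).
	ifname := flag.String("httpiface", "eth0", "interface whose IPv4 address the HTTP API binds to")
	port := flag.Int("httpport", 6053, "HTTP API port")
	flag.Parse()

	addr, err := listenAddr(*ifname, *port)
	if err != nil {
		// Fail closed: never degrade to listening on all interfaces.
		log.Fatalf("refusing to fall back to all interfaces: %v", err)
	}

	// Placeholder handler standing in for the DNS server's real HTTP API.
	http.HandleFunc("/status", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "HTTP API bound to %s\n", addr)
	})
	log.Printf("listening on %s only", addr)
	log.Fatal(http.ListenAndServe(addr, nil))
}
```

To confirm the binding inside the container, `ss -ltnp` (or `netstat -ltnp`) should show the listening socket on the eth0 address, e.g. `172.17.0.2:6053`, rather than `0.0.0.0:6053` or `*:6053`; a `curl` from an app container to the ethwe address of the DNS container should then get a connection refused.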

@rade rade closed this as completed in #906 Jun 12, 2015
rade added a commit that referenced this issue Jun 12, 2015
DNS HTTP API listens on eth0 only

Fixes #899.