#StackBounty: #networking #dns #docker #firewalld Docker container can't make DNS queries with FirewallD running

Bounty: 50

While FirewallD is running, all DNS queries fail and are blocked by the firewall. Running tcpdump -i docker0 while running ping google.com in a container shows me

21:27:02.683342 IP 172.17.0.2.35118 > google-public-dns-a.google.com.domain: 54430+ AAAA? google.com. (28)
21:27:02.683399 IP 172.17.0.1 > 172.17.0.2: ICMP host google-public-dns-a.google.com unreachable - admin prohibited filter, length 64

Pinging 8.8.8.8 for instance, or any other absolute IP, works fine.

If I explicitly add docker0 or 172.17.0.0/16 to the trusted zone, the requests go through. However, another one of my machines on the same distribution (openSUSE Tumbleweed) works fine.

I’ve torn through my FirewallD config, and there is no mention of either that subnet or the docker0 interface. I’m really not sure what’s going on nor where to look. You can find my active FirewallD rules below.

sudo firewall-cmd --get-active-zones
public

sudo firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp4s0
  sources: 
  services: dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
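
Two checks a practitioner would run against the capture above, added here as an example and not code from the original post. The ICMP "admin prohibited filter" reply comes from 172.17.0.1, the host end of the docker0 bridge, so the packet is being rejected by the host's own firewall in the forward path, not by anything upstream; and an interface that appears in no zone is still handled by firewalld's default zone, so "no mention of docker0 in the config" is not the same as "no policy for docker0". The first function below labels each DNS query in tcpdump output as REJECTED, ANSWERED or NO-REPLY (a plain drop, as opposed to a reject, shows up as NO-REPLY); the second asks firewalld which zone actually owns docker0. The sample capture reuses the two lines from the post plus two constructed lines for an answered query; the function runs only on that text, and firewall-cmd is called only where it is installed.

```shell
#!/bin/sh
# Added diagnostic for the docker0 capture in the post above; not the poster's code.
#  classify_dns       reads "tcpdump -i docker0"-style lines on stdin and prints
#                     "<time> <client> <qname> <status>" for every DNS query seen.
#  docker_zone_report asks firewalld which zone handles docker0 (runs only where
#                     firewall-cmd exists).

# Constructed sample: lines 1-2 are the post's own capture; lines 3-4 are made up
# to show an answered query for contrast.
SAMPLE_CAPTURE='21:27:02.683342 IP 172.17.0.2.35118 > google-public-dns-a.google.com.domain: 54430+ AAAA? google.com. (28)
21:27:02.683399 IP 172.17.0.1 > 172.17.0.2: ICMP host google-public-dns-a.google.com unreachable - admin prohibited filter, length 64
21:27:05.100000 IP 172.17.0.2.41000 > google-public-dns-a.google.com.domain: 12345+ A? example.org. (29)
21:27:05.120000 IP google-public-dns-a.google.com.domain > 172.17.0.2.41000: 12345 1/0/0 A 93.184.216.34 (45)'

classify_dns() {
    awk '
    # Outgoing query: ts IP client.port > resolver.domain: id+ QTYPE? qname. (len)
    $2 == "IP" && $5 ~ /\.domain:$/ && $7 ~ /[?]$/ {
        n = split($3, p, "."); port = p[n]
        client = substr($3, 1, length($3) - length(port) - 1)
        resolver = $5; sub(/\.domain:$/, "", resolver)
        qname = $8; sub(/\.$/, "", qname)
        key = client ":" port
        order[++nq] = key
        qtime[key] = $1; qclient[key] = client; qres[key] = resolver
        qname_of[key] = qname; status[key] = "NO-REPLY"
        next
    }
    # Reply from the resolver back to the same client port.
    $2 == "IP" && $3 ~ /\.domain$/ {
        dst = $5; sub(/:$/, "", dst)
        n = split(dst, p, "."); port = p[n]
        client = substr(dst, 1, length(dst) - length(port) - 1)
        key = client ":" port
        if (key in status) status[key] = "ANSWERED"
        next
    }
    # ICMP admin-prohibited from the bridge gateway: the host firewall rejected
    # the forwarded packet. Every still-pending query from that client to the
    # named resolver is marked REJECTED.
    $6 == "ICMP" && $7 == "host" && /unreachable - admin prohibited/ {
        client = $5; sub(/:$/, "", client)
        for (i = 1; i <= nq; i++) {
            k = order[i]
            if (qclient[k] == client && qres[k] == $8 && status[k] == "NO-REPLY")
                status[k] = "REJECTED"
        }
    }
    END {
        for (i = 1; i <= nq; i++) {
            k = order[i]
            print qtime[k], qclient[k], qname_of[k], status[k]
        }
    }'
}

# An interface bound to no zone is handled by the default zone; this prints
# that zone, what firewalld reports for docker0, and whether denied packets
# are being logged (firewall-cmd --set-log-denied=all makes rejects visible
# in the kernel log).
docker_zone_report() {
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not found; skipping zone report"
        return 0
    fi
    echo "default zone:    $(firewall-cmd --get-default-zone 2>&1)"
    echo "zone of docker0: $(firewall-cmd --get-zone-of-interface=docker0 2>&1 || true)"
    echo "log-denied:      $(firewall-cmd --get-log-denied 2>&1)"
}

printf '%s\n' "$SAMPLE_CAPTURE" | classify_dns
docker_zone_report
```

Run it on a live capture with `tcpdump -i docker0 -l | ./dns_check.sh`-style piping into `classify_dns`, or paste the lines into SAMPLE_CAPTURE as above. One caveat on the workaround mentioned in the post: putting docker0 or 172.17.0.0/16 into the trusted zone accepts everything from every container to every host-side service, so a rule that permits only the resolver traffic the containers need is the narrower fix once the zone report shows where docker0 lands.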

