add warnings about using DNS resolution (#7788)

* add warnings about using DNS resolution * the gateway perform -> the gateway performs * Apply comments of @frankbu, part 1 Co-authored-by: Frank Budinsky <frankb@ca.ibm.com> * remove "the" from "the DNS resolution" Co-authored-by: Frank Budinsky <frankb@ca.ibm.com> * remove the from "the DNS resolution", if ... were ... would -> if ... is ... will Co-authored-by: Frank Budinsky <frankb@ca.ibm.com> * remove the from Co-authored-by: Frank Budinsky <frankb@ca.ibm.com> Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
2020-07-26 20:42:55 +03:00 · 2020-07-26 20:42:55 +03:00 · 54113c6864
parent 8e51aad4fa
commit 54113c6864
2 changed files with 24 additions and 2 deletions
--- a/content/en/docs/tasks/traffic-management/egress/egress-control/index.md
+++ b/content/en/docs/tasks/traffic-management/egress/egress-control/index.md
@ -141,7 +141,19 @@ any other unintentional accesses.

 ### Access an external HTTP service

-1.  Create a `ServiceEntry` to allow access to an external HTTP service:
+1.  Create a `ServiceEntry` to allow access to an external HTTP service.
+
+    {{< warning >}}
+    `DNS` resolution is used in the service entry below as a security measure. Setting the resolution to `NONE`
+    opens a possibility for attack. A malicious client could pretend that it's
+    accessing `httpbin.org` by setting it in the `HOST` header, while really connecting to a different IP
+    (that is not associated with `httpbin.org`). The Istio sidecar proxy will trust the HOST header, and incorrectly allow
+    the traffic, even though it is being delivered to the IP address of a different host. That host can be a malicious
+    site, or a legitimate site, prohibited by the mesh security policies.
+
+    With `DNS` resolution, the sidecar proxy will ignore the original destination IP address and direct the traffic
+    to `httpbin.org`, performing a DNS query to get an IP address of `httpbin.org`.
+    {{< /warning >}}

    {{< text bash >}}
    $ kubectl apply -f - <<EOF
--- a/content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md
+++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md
@ -71,7 +71,17 @@ and the client requests will fail.

 First create a `ServiceEntry` to allow direct traffic to an external service.

-1.  Define a `ServiceEntry` for `edition.cnn.com`:
+1.  Define a `ServiceEntry` for `edition.cnn.com`.
+
+    {{< warning >}}
+    `DNS` resolution must be used in the service entry below. If the resolution is `NONE`, the gateway will
+    direct the traffic to itself in an infinite loop. This is because the gateway receives a request with the original
+    destination IP address which is equal to the service IP of the gateway (since the request is directed by sidecar
+    proxies to the gateway).
+
+    With `DNS` resolution, the gateway performs a DNS query to get an IP address of the external service and directs
+    the traffic to that IP address.
+    {{< /warning >}}

    {{< text bash >}}
    $ kubectl apply -f - <<EOF