DNS Resource mappings break if query happens while portal is redeploying

Open jamilbk opened this issue 1 year ago • 2 comments

@conectado and I found a peculiar bug:

  • DNS Resource of *.google.com
  • Client queries account.google.com, triggering connection to Gateway
  • Deploy is started
  • Client requests meet.google.com while it's connected to the Gateway (and portal) but the Gateway is not connected to the portal at that point in time
  • meet.google.com now gets mapped to a dummy IP, but the Gateway the client is connected to never receives the reuse_connection message
  • Further DNS queries and packets to the mapped IP in the Client never re-trigger the request_connection message
  • Can only be fixed with a client sign out and sign in

This is also an issue for CIDR Resources.

jamilbk, Sep 26 '24 00:09

cc @thomaseizinger @AndrewDryga

jamilbk, Sep 26 '24 00:09

Note to @AndrewDryga @bmanifold this means deploys can/will break access to the second and thereafter Resources on the same Gateway for any currently signed-in Clients if the resources are attempted while the deploy is happening.

This will be fixed by https://github.com/firezone/firezone/issues/6461; just noting this here to be very careful with deploys until that is implemented.

jamilbk, Sep 26 '24 00:09
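
A toy model of the sequence in the issue description, added here as an illustration; it is not Firezone code, not part of the thread, and not the fix tracked in #6461. The message names come from the issue text; the `Client` struct, its fields and the `retry_unconfirmed` switch are hypothetical and only show why a mapping recorded before delivery is confirmed stays stuck unless something resends it.

```rust
use std::collections::HashMap;

/// Message the client hands to the portal (names taken from the issue text).
#[derive(Debug, PartialEq)]
enum Msg { RequestConnection, ReuseConnection, None }

/// Hypothetical client state: domain -> (dummy IP, has the Gateway learned the mapping?).
struct Client {
    mapped: HashMap<String, (u8, bool)>,
    has_gateway_conn: bool,
    retry_unconfirmed: bool, // false reproduces the behaviour reported in the issue
}

impl Client {
    /// `gateway_on_portal`: whether the portal can relay to the Gateway right now.
    fn dns_query(&mut self, domain: &str, gateway_on_portal: bool) -> Msg {
        if let Some((_, confirmed)) = self.mapped.get_mut(domain) {
            if *confirmed || !self.retry_unconfirmed {
                return Msg::None; // mapping exists, so nothing is ever re-sent
            }
            *confirmed = gateway_on_portal; // assumed mitigation: resend until delivered
            return Msg::ReuseConnection;
        }
        let ip = self.mapped.len() as u8 + 1; // constructed dummy IP index
        self.mapped.insert(domain.to_string(), (ip, gateway_on_portal));
        if self.has_gateway_conn { return Msg::ReuseConnection; }
        self.has_gateway_conn = gateway_on_portal;
        Msg::RequestConnection
    }

    fn gateway_knows(&self, domain: &str) -> bool {
        self.mapped.get(domain).map_or(false, |(_, c)| *c)
    }
}

/// Replays the issue: query, deploy starts, second query, deploy ends, query again.
/// Returns (message sent during deploy, message sent after deploy, Gateway knows mapping).
fn replay(retry_unconfirmed: bool) -> (Msg, Msg, bool) {
    let mut c = Client { mapped: HashMap::new(), has_gateway_conn: false, retry_unconfirmed };
    c.dns_query("account.google.com", true);
    let during = c.dns_query("meet.google.com", false);
    let after = c.dns_query("meet.google.com", true);
    (during, after, c.gateway_knows("meet.google.com"))
}

fn main() {
    println!("as reported: {:?}", replay(false));
    println!("with retry:  {:?}", replay(true));
}
```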