DNS Reject Rule Crashes Router
UDP - LAN - net - * - !Router - 53(DNS) - WAN - none - DNS Reject
If this rule is setup on the LAN interface to reject DNS traffic NOT going to the router's DNS forwarder and a request is sent through the router to another DNS server this happens:
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0xc
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc0970497
stack pointer = 0x28:0xe2ca2498
frame pointer = 0x28:0xe2ca24c4
code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 11 (irq10: vr0)
trap number = 12
panic: page fault
cpuid = 0
Cannot dump. Device not defined or unavailable.
Automatic reboot in 15 seconds - press a key on the console to abort
All that is needed to crash the router is running "nslookup google.com. 188.8.131.52" from windows and the box will reboot. The solution is to change the gateway for this rule back to default and the problem does not occur.
Ticket #1552. Do not allow route-to to be set on block/reject rules for now. The issue is in the kernel but for 2.0 this protection is enough.
#3 Updated by Evgeny Yurchenko about 8 years ago
I have slightly different results.
1. Setup as in the bug description - blocking rule just does not work, DNS request goes through firewall and reply is passed back to requestor.
2. The rule is blocking DNS traffic as expected when I return gateway in this rule to default.