
prehistoric-advantage-39331

04/26/2023, 1:40 PM
I'm evaluating NeuVector for use in our environment, and I've run into an issue I hope someone can give me a pointer on. On my test cluster, one of the applications I am running is external-dns, using DDNS for updates. This results in a zone transfer every minute, which is triggering a security event for each one. I'd like to configure NeuVector to ignore zone transfers between my external-dns container and the specific IP it is permitted to talk to, but can't seem to find the appropriate settings.

quaint-candle-18606

04/26/2023, 1:41 PM
Hmmm. 🤔 Is it possible to create a custom group that represents these? What kind of security event is it?

prehistoric-advantage-39331

04/26/2023, 1:43 PM
DNS.Zone.Transfer. It looks like it created network rules already to permit the DNS protocol from the container to the 'external' group, but that hasn't stopped the events for the zone transfers.

quaint-candle-18606

04/26/2023, 1:44 PM
Would you mind screen-capping that event? 🙂

prehistoric-advantage-39331

04/26/2023, 1:45 PM
Sure:

quaint-candle-18606

04/26/2023, 1:47 PM
Oh yes, that's right... this is one of the built-in attack alerts.
This may sound annoying/weird, but you may need to make a Response Rule to squelch that in your instance.

prehistoric-advantage-39331

04/26/2023, 1:48 PM
OK. I can do that - thanks!

quaint-candle-18606

04/26/2023, 1:48 PM
Maybe confine it to the group or groups affected. 🙂

prehistoric-advantage-39331

04/26/2023, 1:49 PM
Yeah, I'll narrow it down to the specific application and external address - there shouldn't be anything else that does this.

quaint-candle-18606

04/26/2023, 1:50 PM
Yeah. NV has a few things that it's all "_This is A Very Bad Thing™ and you can't change my mind about it_". 😄