Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net: LookupNS doesn't chase through CNAMEs #44199

Open
vrubiella opened this issue Feb 10, 2021 · 10 comments
Open

net: LookupNS doesn't chase through CNAMEs #44199

vrubiella opened this issue Feb 10, 2021 · 10 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Unplanned

Comments

@vrubiella
Copy link

vrubiella commented Feb 10, 2021
edited

What version of Go are you using (go version)?

go1.13 darwin/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

macos and alpine container

What did you do?

package main

import (
	"fmt"
	"net"
)

func main() {
	records, err := net.LookupNS("_acme-challenge.xxxxxxx.cat")

	if err != nil {
		fmt.Println(err.Error())
	}else {
		fmt.Println(records[0])
	}
}

I see related issues with cgo/go/cgo+1 resolvers but:

export GODEBUG=netdns=cgo                              
go run main.go                                         
lookup _acme-challenge.xxxxx.cat on 192.168.50.1:53: no such host
export GODEBUG=netdns=go 
run main.go          
lookup _acme-challenge.xxxxx.cat on 192.168.50.1:53: no such host
 export GODEBUG=netdns=cgo+1
go run main.go             
go package net: using cgo DNS resolver
lookup _acme-challenge.xxxxx.cat on 192.168.50.1:53: no such host
dig +short ns _acme-challenge.xxxxx.cat
ghs.googlehosted.com

What did you expect to see?

ghs.googlehosted.com.

What did you see instead?

lookup _acme-challenge.xxxxx.cat on 192.168.50.1:53: no such host

it works fine in most cases, but not in some cases(domains) and I don't understand why.

I have the complete code running in an alpine container within a kubernetes cluster, so I rule out that it is a problem with my local dns solver.

Note: Adding net.LookupCNAME when LookupNS return error I can see the expected result. lookupNS not following CNAME? is the expected behavior?
@seankhliao
Copy link
Member

is it consistent in which domains fail and can you give an example of a failing domain?

@seankhliao seankhliao changed the title net.LookupNS no such host but dig command solves well (netdns different solvers tested). net: LookupNS no such host but dig command solves well (netdns different solvers tested) Feb 10, 2021
@seankhliao seankhliao added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Feb 10, 2021
@vrubiella
Copy link
Author

@seankhliao I send you PM (twitter) with real domain name.

@vrubiella vrubiella reopened this Feb 10, 2021
@vrubiella
Copy link
Author

sorry closed by error.

@seankhliao
Copy link
Member

So _acme-challenge.xxxxx.cat is a CNAME to ghs.googlehosted.com.
Go also assumes the resolver is recursive so it'll return everything it needs at once,
Since only a CNAME is returned, it doesn't find the NS records it is looking for.

@seankhliao seankhliao added NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. and removed WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. labels Feb 10, 2021
@seankhliao seankhliao changed the title net: LookupNS no such host but dig command solves well (netdns different solvers tested) net: LookupNS doesn't chase through CNAMEs Feb 10, 2021
@vrubiella
Copy link
Author

@seankhliao temporary I workaround this scenarios checking CNAME when LookupNS return "no such host", but now I have another set of domains on LookupCNAME returns "no such host" too, but dig cname host works properly:

; <<>> DiG 9.10.6 <<>> cname _acme-challenge.xxxxx.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59478
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.xxxxx.eu.	IN	CNAME

;; ANSWER SECTION:
_acme-challenge.xxxxx.eu. 293 IN	CNAME	gv-kbjiszhdypo6wn.dv.googlehosted.com.

;; Query time: 6 msec
;; SERVER: 172.17.1.2#53(172.17.1.2)
;; WHEN: Wed Feb 17 17:33:15 CET 2021
;; MSG SIZE  rcvd: 108

One more time test int with diferent solvers:

➜  test git:(DADS-170457) ✗ GODEBUG=netdns=go go run main.go  
lookup _acme-challenge.xxxx.eu on 172.17.1.2:53: no such host
➜  test git:(DADS-170457) ✗ GODEBUG=netdns=cgo go run main.go 
lookup _acme-challenge.xxxx.eu: no such host

@networkimprov
Copy link

cc @ianlancetaylor

@vrubiella
Copy link
Author

Hi, Add more information: All failing lookupCNAME resolutions are CNAMES related with xxxx.googlehosted.com domains.

@vrubiella
Copy link
Author

vrubiella commented Mar 3, 2021
edited

Hello,
Here a complete test adding manual dns query for retrieving CNAME record succesfully instead of error on net.LookupCNAME:

func main() {

	domain := "_acme-challenge.xxxxxx.com"

	records, err := net.LookupNS(domain)

	if err != nil {
		fmt.Println("LookupNS" + err.Error())
	}else {
		fmt.Println(records[0])
	}

	cname, err := net.LookupCNAME(domain)

	if err != nil {
		fmt.Println("LookupCNAME:"+err.Error())
	}else {
		fmt.Println(cname)
	}


	dnsClient := new(dns.Client)
	dnsQuery := new(dns.Msg)
	dnsQuery.SetQuestion(dns.Fqdn(domain), dns.TypeCNAME)
	dnsQuery.RecursionDesired = true
	dnsQuery.SetEdns0(4096, true)

	r, _, err := dnsClient.Exchange(dnsQuery, net.JoinHostPort("1.1.1.1", "53"))

	if err != nil {
		fmt.Print(err.Error())
	}

	if r.Rcode != dns.RcodeSuccess {
		fmt.Printf("unexpected rcode: %d",r.Rcode)
	}

	var cnames []string

	for _, ain := range r.Answer {
		if a, ok := ain.(*dns.CNAME); ok {
			cnames = append(cnames, a.Target)
		}
	}
	fmt.Println(cnames)
}

output:
LookupNSlookup _acme-challenge.xxxxxx.com on 172.17.1.2:53: no such host
LookupCNAME:lookup _acme-challenge.xxxxxx.com: no such host
[gv-nufxpy2ggx7pw4.dv.googlehosted.com.]


xxxxxx.com has catchall CNAME (*) configured to gv-nufxpy2ggx7pw4.dv.googlehosted.com.

I have some scenarios with catchall CNAME poiting to external providers on net.LookupNAME works successfully.

@seankhliao seankhliao added this to the Unplanned milestone Aug 20, 2022
@jusmarks
Copy link

jusmarks commented Feb 5, 2023

I'm experiencing a similar problem with LookupCNAME (go v1.20). It should return the last CNAME, but sometimes it returns the first CNAME:

for i := 0; i < 20; i++ {
    fmt.Println(net.LookupCNAME("www.microsoft.com"))
}

Output:

www.microsoft.com-c-3.edgekey.net. <nil>
www.microsoft.com-c-3.edgekey.net. <nil>
www.microsoft.com-c-3.edgekey.net. <nil>
e13678.dscb.akamaiedge.net. <nil>
www.microsoft.com-c-3.edgekey.net. <nil>
e13678.dscb.akamaiedge.net. <nil>
www.microsoft.com-c-3.edgekey.net. <nil>
e13678.dscb.akamaiedge.net. <nil>
e13678.dscb.akamaiedge.net. <nil>
www.microsoft.com-c-3.edgekey.net. <nil>
www.microsoft.com-c-3.edgekey.net. <nil>
e13678.dscb.akamaiedge.net. <nil>
e13678.dscb.akamaiedge.net. <nil>
e13678.dscb.akamaiedge.net. <nil>
www.microsoft.com-c-3.edgekey.net. <nil>
www.microsoft.com-c-3.edgekey.net. <nil>
www.microsoft.com-c-3.edgekey.net. <nil>
e13678.dscb.akamaiedge.net. <nil>
e13678.dscb.akamaiedge.net. <nil>
e13678.dscb.akamaiedge.net. <nil>

The CNAME section for dig www.microsoft.com shows:

www.microsoft.com-c-3.edgekey.net.
www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net.
e13678.dscb.akamaiedge.net.

Unlike LookupCNAME, the dig result is always consistent.

@mateusz834
Copy link
Member

@Justin-Marks This race is caused because of #50101, should be fixed by: #59943

@mateusz834 mateusz834 mentioned this issue May 14, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Unplanned
Development

No branches or pull requests
5 participants
@networkimprov @vrubiella @jusmarks @seankhliao @mateusz834