
net: EDNS(0) records may cause dns dropped by some gateway #65197

Closed
ArisAachen opened this issue Jan 22, 2024 · 3 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.

Comments

@ArisAachen

ArisAachen commented Jan 22, 2024

Go version

go1.21.6

Output of go env in your module/workspace:

go env
GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/aris/.cache/go-build'
GOENV='/home/aris/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/aris/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/aris/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/lib/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/lib/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.6'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2887989632=/tmp/go-build -gno-record-gcc-switches'

What did you do?

package main

import (
	"log"
	"net"
	"os/exec"
	"time"
)

func main() {
	for {
		// clear dns
		cmd := exec.Command("/bin/sh", "-c", "/etc/init.d/dnsmasq restart")
		buf, err := cmd.CombinedOutput()
		if err != nil {
			log.Fatalln("clear dns failed, err: ", string(buf))
		}
		addrSl, err := net.LookupHost("www.baidu.com")
		if err != nil {
			log.Fatalln("LookupHost failed, err: ", err)
		}
		log.Println("LookupHost successfully, addr: ", addrSl)
		time.Sleep(3 * time.Second)
	}
}

What did you see happen?

read udp 168.1.100:34737->192.168.1.1:53: i/o timeout

but when I use nslookup, it works fine

/ # nslookup www.baidu.com
Server:         192.168.0.1
Address:        192.168.0.1:53

Non-authoritative answer:
Name:   baidu.com
Address: 110.242.68.66
Name:   baidu.com
Address: 39.156.66.10

Non-authoritative answer:

When I use tcpdump to capture the DNS flow,
using Go to send the DNS request:

11:18:45.149677 IP (tos 0x0, ttl 64, id 43114, offset 0, flags [none], proto UDP (17), length 70)
    10.1.3.12.47571 > pdns.dnspod.cn.53: [bad udp cksum 0xa18a -> 0xca03!] 6460+ [1au] A? www.baidu.com. ar: . OPT UDPsize=1232 (42)

using nslookup to query:

11:20:57.941432 IP (tos 0x0, ttl 64, id 53544, offset 0, flags [none], proto UDP (17), length 71)
    10.1.3.12.39956 > pdns.dnspod.cn.53: [bad udp cksum 0xa18b -> 0x9262!] 53164+ PTR? 29.29.29.119.in-addr.arpa. (43)

Then the difference is shown: golang uses its default UDP size by default.

Frame 21: 84 bytes on wire (672 bits), 84 bytes captured (672 bits)
Ethernet II, Src: ZhejiangEver_2f:c3:34 (c0:4a:09:2f:c3:34), Dst: HuaweiTechno_ab:9a:01 (58:ae:a8:ab:9a:01)
Internet Protocol Version 4, Src: 10.1.3.12, Dst: 223.5.5.5
User Datagram Protocol, Src Port: 60929, Dst Port: 53
Domain Name System (query)
    Transaction ID: 0x3d7f
    Flags: 0x0100 Standard query
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        www.baidu.com: type A, class IN
            Name: www.baidu.com
            [Name Length: 13]
            [Label Count: 3]
            Type: A (1) (Host Address)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (41) 
            UDP payload size: 1232
            Higher bits in extended RCODE: 0x00
            EDNS0 version: 0
            Z: 0x0000
                0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
                .000 0000 0000 0000 = Reserved: 0x0000
            Data length: 0
    [Response In: 25]

Then I found some docs on the Microsoft website:
link: https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/dns-name-queries-not-success

More information
Some firewalls contain features to check certain parameters of the DNS packet. These firewall features may make sure that the DNS response is smaller than 512 bytes. If you capture the network traffic for an unsuccessful DNS lookup, you may notice that DNS requests EDNS0. Frames that resemble the following don't receive a reply:

Additional records
<Root>: type OPT, class unknown
Name: <Root>
Type: EDNS0 option
UDP payload size: 1280

In this scenario, the firewall may drop all EDNS0-extended UDP frames.

What did you expect to see?

The DNS response succeeds.

@ArisAachen
Author

ArisAachen commented Jan 22, 2024

I'm not sure if it is right.
Maybe one choice is offering some options to change this default behavior,
or?

Here is the code (excerpt from net/dnsclient_unix.go; b is the dnsmessage.Builder created earlier in the function, and maxDNSPacketSize is the 1232-byte value seen in the capture above):

func newRequest(q dnsmessage.Question, ad bool) (id uint16, udpReq, tcpReq []byte, err error) {
	// Advertise that we accept responses up to maxDNSPacketSize (RFC 6891).
	var rh dnsmessage.ResourceHeader
	if err := rh.SetEDNS0(maxDNSPacketSize, dnsmessage.RCodeSuccess, false); err != nil {
		return 0, nil, nil, err
	}
	// Append the OPT pseudo-record to the additional section of every query.
	if err := b.OPTResource(rh, dnsmessage.OPTResource{}); err != nil {
		return 0, nil, nil, err
	}
}
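
To make the difference between the two captures above concrete (Go's 42-byte query carrying `[1au]` / `OPT UDPsize=1232` versus a plain query) and to show what `SetEDNS0` in `newRequest` actually puts on the wire, here is an added example in standard-library Go. It is not code from this issue or from the Go net package: it builds the same A query for www.baidu.com with and without the OPT pseudo-RR and parses a query's additional section to report the advertised UDP payload size, which is the field to check in a capture when a firewall or gateway drops EDNS(0) frames. Function names and the transaction id are my own choices.

```go
package main

import (
	"encoding/binary"
	"errors"
	"strings"
)

// buildQuery builds an RFC 1035 A query for name; with edns set it appends the RFC 6891 OPT RR Go's resolver adds.
func buildQuery(id uint16, name string, edns bool, udpSize uint16) []byte {
	msg := []byte{byte(id >> 8), byte(id), 1, 0, 0, 1, 0, 0, 0, 0, 0, 0} // ID, flags RD, QD=1, AN=0, NS=0, AR=0
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(append(msg, byte(len(label))), label...)
	}
	msg = append(msg, 0, 0, 1, 0, 1) // root label, QTYPE A, QCLASS IN
	if edns { // OPT RR: root name, TYPE 41, CLASS = UDP size, TTL 0 (DO bit clear), RDLEN 0
		msg[11] = 1 // ARCOUNT: one additional record
		msg = append(msg, 0, 0, 41, byte(udpSize>>8), byte(udpSize), 0, 0, 0, 0, 0, 0)
	}
	return msg
}

// ednsInfo scans a query with uncompressed names (as Go emits them) for an OPT record and its UDP payload size.
func ednsInfo(msg []byte) (present bool, udpSize uint16, err error) {
	if len(msg) < 12 {
		return false, 0, errors.New("short header")
	}
	qd, ar := int(binary.BigEndian.Uint16(msg[4:])), int(binary.BigEndian.Uint16(msg[10:]))
	off := 12
	for i := 0; i < qd+ar; i++ {
		for off < len(msg) && msg[off] != 0 { // skip the length-prefixed labels
			off += 1 + int(msg[off])
		}
		off++ // the terminating root label
		if i < qd {
			off += 4 // question entry: QTYPE + QCLASS
			continue
		}
		if off+10 > len(msg) {
			return false, 0, errors.New("truncated message")
		}
		typ, cls := binary.BigEndian.Uint16(msg[off:]), binary.BigEndian.Uint16(msg[off+2:])
		off += 10 + int(binary.BigEndian.Uint16(msg[off+8:]))
		if typ == 41 { // OPT: its CLASS field carries the requestor's UDP payload size
			return true, cls, nil
		}
	}
	return false, 0, nil
}
```

With EDNS(0) the query is 42 bytes, exactly the `(42)` tcpdump printed for the Go request; without the OPT record the same question is 31 bytes, so a 512-byte-style middlebox has no UDP-size field to object to.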

@mateusz834 mateusz834 changed the title additional reords may cause dns dropped by some gateway net: EDNS(0) records may cause dns dropped by some gateway Jan 22, 2024
@mateusz834 mateusz834 added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jan 22, 2024
@mateusz834
Member

mateusz834 commented Jan 22, 2024

How does the cgo resolver behave? Please run that example with GODEBUG=netdns=cgo or compile with -tags netcgo.

We use EDNS(0) by default and ignore the edns0 option in resolv.conf. See: #13279 (comment)

Let us know; we can make EDNS(0) opt-in the same way as the cgo (glibc) resolver currently does.

@seankhliao seankhliao added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Jan 22, 2024
@gopherbot

Timed out in state WaitingForInfo. Closing.

(I am just a bot, though. Please speak up if this is a mistake or you have the requested information.)

@gopherbot gopherbot closed this as not planned Won't fix, can't repro, duplicate, stale Feb 22, 2024