dnss appears to be using the system resolver instead of the fallback flags. about dnss HOT 8 CLOSED

It seems that using a fallback_upstream on localhost is irrelevant. After changing to --fallback_upstream=8.8.8.8:53, I still had the same issue. However, changing systemd-resolved to point (indirectly) at unbound instead of dnss (thereby breaking the loop if dnss was trying to use getaddrinfo()) seems to have fixed the problem. So I think dnss is completely ignoring the fallback configuration, maybe?

from dnss.

Since systemd-resolved had errors for . and google, I just tried running dnss with --fallback_domains=. google. dns.google., and the error went away. Is fallback_domains based on exact matches, or does it include subdomains? If it includes subdomains, then I just sent everything to the fallback_upstream which is pointless. But if it doesn't include subdomains, that might indicate that the problem is in interaction between the system resolver and dnss.

from dnss.

Thank you for the detailed bug report!

It's not immediately clear to me what's going on, since dnss has no special casing for systemd-resolved, fallback_upstream is used verbatim to resolve the domains in fallback_domains (but no subdomains, just exact matches).

I will take a closer look at this this week, and try to reproduce it.

In the meantime, if you can, you can use -monitoring_listen_addr to start a monitoring http server, and navigate to it. There you should be able to see the traces of the requests, including fallback requests, and those might give us a better clue of what's going on. Running dnss with -v=3 will log more detailed information (to the logs and the monitoring traces).

Thanks again!

from dnss.

Here's the table from http://localhost:9981/debug/requests?fam=dnsserver&b=0&exp=1 taken right after a SERVFAIL response. Sorry for the formatting, I couldn't think of an easy way to get that to render right on GitHub.

I also tried adding DNSSEC=no to /etc/systemd/resolved.conf and that fixed the issue. So I think what's happening is that dnss is using the system resolver for dns.google.. systemd-resolved then queries dnss for dns.google. A and AAAA which succeeds, but it also queries dnss for DNSSEC-related records on google. and . which fails because those aren't in fallback_domains and dnss can't POST to https://dns.google/dns-query because it's still waiting for a response from systemd-resolved.

So if I'm understanding this correctly, I think that means there are 4 options:

1. I could set --fallback_domains='. google. dns.google.' so that systemd-resolved can successfully do DNSSEC verification before dnss is able to POST to https://dns.google/dns-query.
2. I could configure systemd-resolved with DNSSEC=no so that it only looks up A and AAAA on dns.google. without trying to query for google. or ..
3. dnss could bypass the system resolver and talk to fallback_upstream directly.
4. dnss could add a feature to specify the address to connect to for https_upstream separately from the hostname used for TLS SNI and the HTTP Host header. Maybe something like -https_upstream=https://dns.google/dns-query -https_upstream_address=8.8.8.8,8.8.4.4. Then the fallback flags wouldn't be necessary.

Do you think either (3) or (4) are desirable? Any idea how easy they would be? I don't really know any go, but I could potentially give it a shot if you want.

from dnss.

I think you're right. I spent a bit looking at the code and can confirm that dnss is using the system's default resolver to find upstream. Normally that request is either directed to dnss, and the fallback mechanism gets engaged, or it's a normal DNS lookup that returns a usable value; but in this case due to the systemd-resolved and dnssec interactions the loop isn't working properly. I don't know why it occasionally works, but I suspect that's due to some systemd-resolved behaviour, and it doesn't change the nature of the problem anyway.

As for the options, (3) is probably cleaner, reasonably safe to change, and should work in a wide range of circumstances. It's also the least surprising, I think. It's not straightforward to do cleanly due to how the code is structured, but it's doable.

For (4) I think it's also doable but much more brittle and prone to accidental issues on a sensitive area, so I rather avoid it. Note that on domains with certificates with IP fields, dnss works just fine. That's how for example https://1.1.1.1/dns-query can be used with dnss, because there is a valid certificate for it.

Until I have a change ready to try (which will take me a couple of days) as a workaround (1) should work just fine, and you won't lose dnssec resolution for most domains.

I'll let you know once there's a patch to try :)

Thanks a lot again for such detailed bug report and all the help in figuring out what's going on!

from dnss.

If you want, you can give commit 7d3ca40 a try, which is on the next branch.

It's a work in progress so it will be amended, but I did some ad-hoc tests and it seems to work fine, and in a way that should solve your issue since systemd-resolved should be totally bypassed now.

I will polish and extend it in the next few days, and will let you know once there's a more tested version; but just in case you want to give it a try early.

Thanks!

from dnss.

I don't know why it occasionally works, but I suspect that's due to some systemd-resolved behaviour, and it doesn't change the nature of the problem anyway.

Oh sorry, I think I figured that out already but didn't say anything because it didn't seem too relevant. While debugging initially, I kept changing settings and restarting dnss but not restarting systemd-resolved. I think systemd-resolved has its own cache, so if I got things working, it could cache dns.google. and then when I changed dnss's settings back to something that normally didn't work, it would sometimes work because of systemd-resolved's cache. Once I started running the below command between every change, everything was deterministic. (And yes, I'm aware that 4 separate DNS servers on one machine is a lot :) )

systemctl daemon-reload && service systemd-resolved restart && service dnsmasq restart && service unbound restart && service dnss restart

If you want, you can give commit 7d3ca40 a try, which is on the next branch.

That worked, thanks!

Thanks a lot again for such detailed bug report and all the help in figuring out what's going on!

Thanks for fixing it!

from dnss.

The fix for this issue is now in the master branch, thanks again!

from dnss.