
13.2 issue with CNAME queries #1116

Open
dl12345 opened this issue Nov 20, 2024 · 6 comments

Comments

@dl12345

dl12345 commented Nov 20, 2024

Just upgraded one of my servers to 13.2 and immediately had some funky things happening. There appears to be an issue with resolving CNAME records when using multiple concurrent forwarders.

In particular, with two conditional forwarders defined in the root zone, 1.1.1.1 and p0.freedns.controld.com, both using TLS or a combination of TLS and QUIC, a DnsSpecialCacheRecordData with a SERVFAIL gets added to the valid record, resulting in the initial query working and subsequent queries failing, as the SERVFAIL is served from cache.

Disabling one of the forwarders makes the problem go away. I tested this out on multiple CNAMEs and the result is the same.

This does not occur on versions prior to 13.2.

Both forwarders using tls

[
  {
    "name": "download.technitium.com",
    "type": "CNAME",
    "ttl": "84353 (23 hours 25 mins 53 sec)",
    "rData": {
      "cname": "technitium.com"
    },
    "dnssecStatus": "Disabled",
    "eDnsClientSubnet": "::/0",
    "responseMetadata": {
      "nameServer": "p0.freedns.controld.com (76.76.2.11)",
      "protocol": "Tls",
      "datagramSize": "109 bytes",
      "roundTripTime": "2.46 ms"
    },
    "lastUsedOn": "2024-11-20T02:17:26.0037156Z"
  },
  {
    "name": "download.technitium.com",
    "type": "AAAA",
    "ttl": "2991 (49 mins 51 sec)",
    "rData": {
      "dataType": "DnsSpecialCacheRecordData",
      "data": "FailureCache: ServerFailure; Other: Resolver exception for download.technitium.com. AAAA IN: The operation was canceled."
    },
    "dnssecStatus": "Unknown",
    "lastUsedOn": "2024-11-20T02:17:29.0777428Z"
  }
]

One forwarder using tls and the other quic

[
  {
    "name": "download.technitium.com",
    "type": "A",
    "ttl": "2997 (49 mins 57 sec)",
    "rData": {
      "dataType": "DnsSpecialCacheRecordData",
      "data": "FailureCache: ServerFailure; Other: Resolver exception for download.technitium.com. A IN: The operation was canceled."
    },
    "dnssecStatus": "Unknown",
    "lastUsedOn": "2024-11-20T02:46:12.4325745Z"
  },
  {
    "name": "download.technitium.com",
    "type": "CNAME",
    "ttl": "82633 (22 hours 57 mins 13 sec)",
    "rData": {
      "cname": "technitium.com"
    },
    "dnssecStatus": "Disabled",
    "eDnsClientSubnet": "0.0.0.0/0",
    "responseMetadata": {
      "nameServer": "p0.freedns.controld.com (76.76.2.11)",
      "protocol": "Quic",
      "datagramSize": "93 bytes",
      "roundTripTime": "53.04 ms"
    },
    "lastUsedOn": "2024-11-20T02:46:12.4322174Z"
  }
]
[
  {
    "name": "download.technitium.com",
    "type": "A",
    "ttl": "2998 (49 mins 58 sec)",
    "rData": {
      "dataType": "DnsSpecialCacheRecordData",
      "data": "FailureCache: ServerFailure; Other: Resolver exception for download.technitium.com. A IN: The operation was canceled."
    },
    "dnssecStatus": "Unknown",
    "lastUsedOn": "2024-11-20T02:48:14.0935631Z"
  },
  {
    "name": "download.technitium.com",
    "type": "CNAME",
    "ttl": "86277 (23 hours 57 mins 57 sec)",
    "rData": {
      "cname": "technitium.com"
    },
    "dnssecStatus": "Disabled",
    "responseMetadata": {
      "nameServer": "1.1.1.1",
      "protocol": "Tls",
      "datagramSize": "468 bytes",
      "roundTripTime": "2.25 ms"
    },
    "lastUsedOn": "2024-11-20T02:48:14.0696118Z"
  }
]

Each of the two forwarders disabled in turn

[
  {
    "name": "download.technitium.com",
    "type": "CNAME",
    "ttl": "86397 (23 hours 59 mins 57 sec)",
    "rData": {
      "cname": "technitium.com"
    },
    "dnssecStatus": "Disabled",
    "responseMetadata": {
      "nameServer": "1.1.1.1",
      "protocol": "Tls",
      "datagramSize": "468 bytes",
      "roundTripTime": "299.89 ms"
    },
    "lastUsedOn": "2024-11-20T02:53:45.4462454Z"
  }
]
[
  {
    "name": "download.technitium.com",
    "type": "CNAME",
    "ttl": "82125 (22 hours 48 mins 45 sec)",
    "rData": {
      "cname": "technitium.com"
    },
    "dnssecStatus": "Disabled",
    "eDnsClientSubnet": "0.0.0.0/0",
    "responseMetadata": {
      "nameServer": "p0.freedns.controld.com (76.76.2.11)",
      "protocol": "Quic",
      "datagramSize": "93 bytes",
      "roundTripTime": "4.09 ms"
    },
    "lastUsedOn": "2024-11-20T02:54:42.7254465Z"
  }
]
@ShreyasZare
Member

Thanks for the feedback. I have identified the issue that is causing the failure cache record to get added and will get that fixed in the next update. However, it usually does not matter and the domain should resolve without issues.

But it seems like you have the Advanced Forwarding app installed, which uses the EDNS Client Subnet feature in the cache to store data for the various network groups defined in the app, which is why it's showing the eDnsClientSubnet property for some of the cache entries that you shared.

So are you using the Advanced Forwarding app or are you using a root conditional forwarder zone?

@dl12345
Author

dl12345 commented Nov 20, 2024

> So are you using the Advanced Forwarding app or are you using a root conditional forwarder zone?

Definitely not using the advanced forwarding app. In fact, I've never even installed it previously. The 2 apps I use are: DNS rebinding protection and the Query logging app.

I'm using a root conditional forwarding zone.

For me, the domains in question don't actually resolve without issue other than on the first query. Subsequent queries return a SERVFAIL, so on my end at least, it breaks quite a few things, including the Technitium app store.

@ShreyasZare
Member

> So are you using the Advanced Forwarding app or are you using a root conditional forwarder zone?
>
> Definitely not using the advanced forwarding app. In fact, I've never even installed it previously. The 2 apps I use are: DNS rebinding protection and the Query logging app.
>
> I'm using a root conditional forwarding zone.
>
> For me, the domains in question don't actually resolve without issue other than on the first query. Subsequent queries return a SERVFAIL, so on my end at least, it breaks quite a few things, including the Technitium app store.

Thanks for the details. Do you have EDNS Client Subnet option enabled in Settings? That too can cause this issue with resolution with the current state of the cache.

@dl12345
Author

dl12345 commented Nov 20, 2024

> Thanks for the details. Do you have EDNS Client Subnet option enabled in Settings? That too can cause this issue with resolution with the current state of the cache.

I don't have it enabled, no.

The best I can do is to repeat the set of tests again, although I'm sure that I had neither the app installed nor the edns client subnet option enabled.

It might take me a day or two to come back on this, since I backed out the version to a prior one, so I'd need to upgrade again to rerun the tests.

@dl12345
Author

dl12345 commented Nov 20, 2024

Right, so I had 30 minutes to spare, so I upgraded again and did some more tests.

Confirmed that no forwarding app is installed, that I am using a root conditional forwarding zone and that DNSSEC is switched off everywhere, both on the main settings page and on the definition for each of the FWD records in the conditional forwarding zone.

The eDnsClientSubnet is only returned when querying the controld server and not 1.1.1.1, and it appears in the actual response from p0.freedns.controld.com, so it doesn't seem to be Technitium adding it.

Cache records resulting from both queries:

[
  {
    "name": "download.technitium.com",
    "type": "A",
    "ttl": "2998 (49 mins 58 sec)",
    "rData": {
      "dataType": "DnsSpecialCacheRecordData",
      "data": "FailureCache: ServerFailure; Other: Resolver exception for download.technitium.com. A IN: The operation was canceled."
    },
    "dnssecStatus": "Unknown",
    "lastUsedOn": "2024-11-20T14:37:00.5327803Z"
  },
  {
    "name": "download.technitium.com",
    "type": "CNAME",
    "ttl": "86398 (23 hours 59 mins 58 sec)",
    "rData": {
      "cname": "technitium.com"
    },
    "dnssecStatus": "Disabled",
    "responseMetadata": {
      "nameServer": "1.1.1.1",
      "protocol": "Tls",
      "datagramSize": "468 bytes",
      "roundTripTime": "259.85 ms"
    },
    "lastUsedOn": "2024-11-20T14:37:00.5322617Z"
  }
]
[
  {
    "name": "download.technitium.com",
    "type": "A",
    "ttl": "2998 (49 mins 58 sec)",
    "rData": {
      "dataType": "DnsSpecialCacheRecordData",
      "data": "FailureCache: ServerFailure; Other: Resolver exception for download.technitium.com. A IN: The operation was canceled."
    },
    "dnssecStatus": "Unknown",
    "lastUsedOn": "2024-11-20T14:37:24.0981771Z"
  },
  {
    "name": "download.technitium.com",
    "type": "CNAME",
    "ttl": "86374 (23 hours 59 mins 34 sec)",
    "rData": {
      "cname": "technitium.com"
    },
    "dnssecStatus": "Disabled",
    "eDnsClientSubnet": "0.0.0.0/0",
    "responseMetadata": {
      "nameServer": "p0.freedns.controld.com (76.76.2.11)",
      "protocol": "Tls",
      "datagramSize": "93 bytes",
      "roundTripTime": "9.47 ms"
    },
    "lastUsedOn": "2024-11-20T14:37:24.097642Z"
  }
]

Using the DNS Client to inspect the responses from both servers over tls yields the following

{
  "Metadata": {
    "NameServer": "p0.freedns.controld.com (76.76.2.11)",
    "Protocol": "Tls",
    "DatagramSize": "93 bytes",
    "RoundTripTime": "6.34 ms"
  },
  "EDNS": {
    "UdpPayloadSize": 4096,
    "ExtendedRCODE": "NoError",
    "Version": 0,
    "Flags": "None",
    "Options": [
      {
        "Code": "EDNS_CLIENT_SUBNET",
        "Length": "7 bytes",
        "Data": {
          "Family": "IPv4",
          "SourcePrefixLength": 24,
          "ScopePrefixLength": 0,
          "Address": "176.58.88.0"
        }
      }
    ]
  },
  "Identifier": 0,
  "IsResponse": true,
  "OPCODE": "StandardQuery",
  "AuthoritativeAnswer": false,
  "Truncation": false,
  "RecursionDesired": true,
  "RecursionAvailable": true,
  "Z": 0,
  "AuthenticData": false,
  "CheckingDisabled": false,
  "RCODE": "NoError",
  "QDCOUNT": 1,
  "ANCOUNT": 2,
  "NSCOUNT": 0,
  "ARCOUNT": 1,
  "Question": [
    {
      "Name": "download.technitium.com",
      "Type": "A",
      "Class": "IN"
    }
  ],
  "Answer": [
    {
      "Name": "download.technitium.com",
      "Type": "CNAME",
      "Class": "IN",
      "TTL": "86223 (23 hours 57 mins 3 sec)",
      "RDLENGTH": "2 bytes",
      "RDATA": {
        "Domain": "technitium.com"
      },
      "DnssecStatus": "Disabled"
    },
    {
      "Name": "technitium.com",
      "Type": "A",
      "Class": "IN",
      "TTL": "14223 (3 hours 57 mins 3 sec)",
      "RDLENGTH": "4 bytes",
      "RDATA": {
        "IPAddress": "206.189.140.177"
      },
      "DnssecStatus": "Disabled"
    }
  ],
  "Authority": [],
  "Additional": [
    {
      "Name": "",
      "Type": "OPT",
      "Class": "4096",
      "TTL": "0 (0 sec)",
      "RDLENGTH": "11 bytes",
      "RDATA": {
        "Options": [
          {
            "Code": "EDNS_CLIENT_SUBNET",
            "Length": "7 bytes",
            "Data": {
              "Family": "IPv4",
              "SourcePrefixLength": 24,
              "ScopePrefixLength": 0,
              "Address": "176.58.88.0"
            }
          }
        ]
      },
      "DnssecStatus": "Disabled"
    }
  ]
}
{
  "Metadata": {
    "NameServer": "1.1.1.1",
    "Protocol": "Tls",
    "DatagramSize": "468 bytes",
    "RoundTripTime": "301.76 ms"
  },
  "EDNS": {
    "UdpPayloadSize": 1232,
    "ExtendedRCODE": "NoError",
    "Version": 0,
    "Flags": "None",
    "Options": [
      {
        "Code": "PADDING",
        "Length": "382 bytes",
        "Data": {
          "Data": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
        }
      }
    ]
  },
  "Identifier": 0,
  "IsResponse": true,
  "OPCODE": "StandardQuery",
  "AuthoritativeAnswer": false,
  "Truncation": false,
  "RecursionDesired": true,
  "RecursionAvailable": true,
  "Z": 0,
  "AuthenticData": false,
  "CheckingDisabled": false,
  "RCODE": "NoError",
  "QDCOUNT": 1,
  "ANCOUNT": 2,
  "NSCOUNT": 0,
  "ARCOUNT": 1,
  "Question": [
    {
      "Name": "download.technitium.com",
      "Type": "A",
      "Class": "IN"
    }
  ],
  "Answer": [
    {
      "Name": "download.technitium.com",
      "Type": "CNAME",
      "Class": "IN",
      "TTL": "86400 (1 day)",
      "RDLENGTH": "2 bytes",
      "RDATA": {
        "Domain": "technitium.com"
      },
      "DnssecStatus": "Disabled"
    },
    {
      "Name": "technitium.com",
      "Type": "A",
      "Class": "IN",
      "TTL": "14400 (4 hours)",
      "RDLENGTH": "4 bytes",
      "RDATA": {
        "IPAddress": "206.189.140.177"
      },
      "DnssecStatus": "Disabled"
    }
  ],
  "Authority": [],
  "Additional": [
    {
      "Name": "",
      "Type": "OPT",
      "Class": "1232",
      "TTL": "0 (0 sec)",
      "RDLENGTH": "386 bytes",
      "RDATA": {
        "Options": [
          {
            "Code": "PADDING",
            "Length": "382 bytes",
            "Data": {
              "Data": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
            }
          }
        ]
      },
      "DnssecStatus": "Disabled"
    }
  ]
}

@ShreyasZare
Member

Thanks for the details. Yes, the controld server is returning EDNS Client Subnet when not asked and it's getting cached. Will update the cache code to detect this case.
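The DNS Client output above shows the second half of the problem: the query carried no ECS option, yet the controld response includes one (family IPv4, source /24, scope 0, address 176.58.88.0), and the cache keyed the entry on it. RFC 7871 (section 7.3) has a resolver check that the FAMILY, SOURCE PREFIX-LENGTH and ADDRESS of a returned ECS option match the one it sent; an option in a response to a query that sent none fails that check and must not scope the cache entry. The parser below is an added example, not Technitium's code: it walks the OPT record of a constructed response, pulls out any ECS options, classifies them against what was sent, and derives a cache key. The wire messages are built inline with the page's values, the scoped-key layout in `cache_key` is my own illustration, and nothing touches the network.

```python
"""Detect an EDNS Client Subnet option the upstream added although the query
carried none, so it never becomes part of the cache key (RFC 7871 section 7.3)."""
import struct

OPT, ECS, PADDING = 41, 8, 12  # RR type and EDNS option codes


def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def ecs_option(family, source_plen, scope_plen, address):
    """ECS option body; ADDRESS is truncated to the source prefix length (7 bytes for a /24)."""
    return struct.pack("!HBB", family, source_plen, scope_plen) + address[:(source_plen + 7) // 8]


def build_response(qname, qtype, answers, options, udp_size=4096):
    """Constructed response: header, one question, answer RRs, one OPT RR with `options`."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, len(answers), 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rrs = b"".join(encode_name(n) + struct.pack("!HHIH", t, 1, ttl, len(rd)) + rd
                   for n, t, ttl, rd in answers)
    optdata = b"".join(struct.pack("!HH", code, len(v)) + v for code, v in options)
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, len(optdata)) + optdata
    return header + question + rrs + opt


def response_ecs(msg):
    """Every ECS option found in OPT records, as (family, source, scope, address_bytes)."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4
    found = []
    for _ in range(an + ns + ar):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != OPT:
            continue
        p = 0
        while p + 4 <= len(rdata):
            code, olen = struct.unpack_from("!HH", rdata, p)
            body, p = rdata[p + 4:p + 4 + olen], p + 4 + olen
            if code == ECS and len(body) >= 4:
                fam, splen, scplen = struct.unpack_from("!HBB", body)
                found.append((fam, splen, scplen, body[4:]))
    return found


def classify_ecs(sent, msg):
    """`sent` is (family, source_plen, address_bytes) from our query, or None."""
    got = response_ecs(msg)
    if not got:
        return "none"
    if sent is None:
        return "unsolicited"  # server added ECS on its own: ignore it
    fam, splen, addr = sent
    ok = all(e[0] == fam and e[1] == splen and e[3] == addr[:(splen + 7) // 8] for e in got)
    return "ok" if ok else "mismatch"  # mismatch: discard the option


def cache_key(qname, qtype, sent, msg):
    """Only an ECS option we asked for may scope the entry (illustrative key layout)."""
    if classify_ecs(sent, msg) == "ok":
        scope = max(e[2] for e in response_ecs(msg))
        return (qname, qtype, sent[0], scope, sent[2][:(scope + 7) // 8])
    return (qname, qtype)  # global entry, exactly as for an upstream without ECS


# Constructed samples mirroring the issue: controld answered with ECS /24, scope 0,
# 176.58.88.0 although nothing was sent; 1.1.1.1 answered with padding only.
ANSWERS = [("download.technitium.com", 5, 86223, encode_name("technitium.com")),
           ("technitium.com", 1, 14223, bytes([206, 189, 140, 177]))]
UNSOLICITED = build_response("download.technitium.com", 1, ANSWERS,
                             [(ECS, ecs_option(1, 24, 0, bytes([176, 58, 88, 0])))])
PADDED = build_response("download.technitium.com", 1, ANSWERS, [(PADDING, b"\x00" * 16)], 1232)
SENT = (1, 24, bytes([176, 58, 88, 0]))  # what a resolver with ECS enabled would have sent
ECHOED = build_response("download.technitium.com", 1, ANSWERS, [(ECS, ecs_option(1, 24, 24, SENT[2]))])
MISMATCH = build_response("download.technitium.com", 1, ANSWERS,
                          [(ECS, ecs_option(1, 24, 24, bytes([10, 0, 0, 0])))])

if __name__ == "__main__":
    for label, msg in (("controld", UNSOLICITED), ("1.1.1.1", PADDED)):
        print(label, classify_ecs(None, msg), cache_key("download.technitium.com", 1, None, msg))
```

Two things worth noting against the page's output: the option length of 7 bytes matches a /24 source prefix (2 bytes family, 2 bytes prefix lengths, 3 address bytes), and a scope of 0 means the answer applies to every client, so even a resolver that had sent ECS would store this entry under the global key rather than a client-specific one.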
