Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hostresolver: Treat AAAA queries as A queries when IPv6 is disabled #738

Merged
merged 1 commit into from
Mar 16, 2022
Merged

Hostresolver: Treat AAAA queries as A queries when IPv6 is disabled #738

merged 1 commit into from
Mar 16, 2022

Conversation

jandubois
Copy link
Member

A "correct" answer would be to set handled = true and return a NODATA response.

Unfortunately some older resolvers use a slow random source to set the transaction id.

This creates a problem on M1 computers, which are too fast for that implementation:

Both the A and AAAA queries might end up with the same id. Returning NODATA for AAAA is faster, so would arrive first, and be treated as the response to the A query.

To avoid this, we will treat an AAAA query as an A query when IPv6 has been disabled.

This way it is either a valid response for an A query, or the A records will be discarded by a genuine AAAA query, resulting in the desired NODATA response.

Packet capture with the old implementation:

    1   0.000000 192.168.5.15 → 192.168.5.2  DNS 81 Standard query 0x0edd A mirrorlist.centos.org
    2   0.000020 192.168.5.15 → 192.168.5.2  DNS 81 Standard query 0x0edd AAAA mirrorlist.centos.org
    3   0.000288  192.168.5.2 → 192.168.5.15 DNS 81 Standard query response 0x0edd AAAA mirrorlist.centos.org
    4   0.003276  192.168.5.2 → 192.168.5.15 DNS 303 Standard query response 0x0edd A mirrorlist.centos.org A 67.219.148.138 A 18.225.36.18 A 35.180.43.213 A 85.236.43.108 A 147.75.69.225 A 147.75.83.237

You can see both queries use the same transaction id 0x0edd, so the NODATA response in frame 3 is treated as the answer to the query in frame 1. Getting a second answer in frame 4 with different content is then considered an error:

curl#6 - "Could not resolve host: mirrorlist.centos.org; Unknown error"

With the changes in the PR the packet capture looks like this:

    1   0.000000 192.168.5.15 → 192.168.5.2  DNS 81 Standard query 0x8064 A mirrorlist.centos.org
    2   0.000011 192.168.5.15 → 192.168.5.2  DNS 81 Standard query 0x8064 AAAA mirrorlist.centos.org
    3   0.172135  192.168.5.2 → 192.168.5.15 DNS 303 Standard query response 0x8064 A mirrorlist.centos.org A 147.75.83.237 A 18.225.36.18 A 35.180.43.213 A 67.219.148.138 A 85.236.43.108 A 147.75.69.225
    4   0.172158  192.168.5.2 → 192.168.5.15 DNS 303 Standard query response 0x8064 AAAA mirrorlist.centos.org A 147.75.83.237 A 18.225.36.18 A 35.180.43.213 A 67.219.148.138 A 85.236.43.108 A 147.75.69.225

So the A and AAAA queries still use the same transaction id, but since both responses contain the same requested data, the query succeeds and no error is reported.

Fixes rancher-sandbox/rancher-desktop#1788 (and probably a couple of other DNS issues on M1 machines)

Shoutout to fellow packet log connoisseurs @chancez, @jsoref, and @Nino-K for their help and the 570 message discussion on Slack! 😄

@jandubois
Treat AAAA queries as A queries when IPv6 is disabled
c2f8bf9 
A "correct" answer would be to set `handled = true` and return a NODATA response.
Unfortunately some older resolvers use a slow random source to set the transaction id.
This creates a problem on M1 computers, which are too fast for that implementation:
Both the A and AAAA queries might end up with the same id. Returning NODATA for AAAA
is faster, so would arrive first, and be treated as the response to the A query.
To avoid this, we will treat an AAAA query as an A query when IPv6 has been disabled.
This way it is either a valid response for an A query, or the A records will be discarded
by a genuine AAAA query, resulting in the desired NODATA response.

Signed-off-by: Jan Dubois <[email protected]>
@jandubois jandubois added this to the V0.10.0 milestone Mar 16, 2022
@jandubois jandubois added the bug Something isn't working label Mar 16, 2022
@jandubois jandubois requested a review from AkihiroSuda March 16, 2022 01:59
AkihiroSuda
AkihiroSuda approved these changes Mar 16, 2022
View reviewed changes
Copy link
Member

@AkihiroSuda AkihiroSuda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@AkihiroSuda AkihiroSuda merged commit 250e6b9 into lima-vm:master Mar 16, 2022
@jandubois jandubois deleted the dns-fix branch March 16, 2022 02:47
This was referenced Mar 18, 2022
Open
Closed
@carlosonunez
Copy link

carlosonunez commented Mar 31, 2022
edited
Loading

Alright, I've built the latest version of lima and am putting it through the paces. I'll let you know how it fares in a few days when I have more data!

Thank you so much for looking into this.

@jsoref

This comment was marked as resolved.

Sign in to view
@carlosonunez
Copy link

carlosonunez commented Mar 31, 2022
edited
Loading

sorry; posted into the wrong thread. i've deleted this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
v0.9.2
Development

Successfully merging this pull request may close these issues.

DNS resolution failures in centos:7 arm64 container on m1 Mac
4 participants
@jandubois @carlosonunez @jsoref @AkihiroSuda