AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0

IPv4 UDP DNS requests are not handled #4995

Closed sergeysedoy97 closed 1 year ago

sergeysedoy97 commented 1 year ago

Prerequisites

Operating system type

Linux, Other (please mention the version in the description)

CPU architecture

AMD64

Installation

Docker

Setup

On one machine

AdGuard Home version

0.108.0-b.17

Description

What did you do?

Slice of AdGuardHome.yaml:

dns:
  bind_hosts:
    - '::'

Let's check sysctl property:

root@msk:~# cat /proc/sys/net/ipv6/bindv6only
0

Let's check port binding:

root@msk:~# ss -lnu | grep 53
UNCONN 0      0                  *:53               *:*

Let's check docker info:

root@msk:~# docker info
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Docker Buildx (Docker Inc., v0.9.1-docker)
  compose: Docker Compose (Docker Inc., v2.10.2)

Server:
 Containers: 11
  Running: 11
  Paused: 0
  Stopped: 0
 Images: 11
 Server Version: 20.10.18
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6
 runc version: v1.1.4-0-g5fd4c4d
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.15.0-48-generic
 Operating System: Ubuntu 22.04.1 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 969.5MiB
 Name: msk.sergeysedoy97.ru
 ID: URT5:BBYW:O4XV:BBRH:2BMH:CM7Q:FGIO:4LPH:VMYH:CTC2:FJNN:7VVF
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

I use the host network for the container.

Let's try to make a UDP DNS request using IPv4 from the same machine:

root@msk:~# dig example.com @178.20.45.32

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> example.com @178.20.45.32
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65178
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            41139   IN      A       93.184.216.34

;; Query time: 4 msec
;; SERVER: 178.20.45.32#53(178.20.45.32) (UDP)
;; WHEN: Tue Oct 04 06:23:14 UTC 2022
;; MSG SIZE  rcvd: 56

Let's try to make a UDP DNS request using IPv4 from a different machine:

❯ doggo example.com "@udp://178.20.45.32"
time="2022-10-04T09:23:38+03:00" level=error msg="error looking up DNS records" error="read udp 192.168.0.18:60201->178.20.45.32:53: i/o timeout"
NAME    TYPE    CLASS   TTL     ADDRESS NAMESERVER

Let's try to make a UDP DNS request using IPv6 from a different machine:

❯ doggo example.com "@udp://[2a0d:8480:2:54::]"
NAME            TYPE    CLASS   TTL     ADDRESS         NAMESERVER
example.com.    A       IN      41007s  93.184.216.34   [2a0d:8480:2:54::]:53

Let's try to make a TCP DNS request using IPv4 from a different machine:

❯ doggo example.com "@tcp://178.20.45.32"
NAME            TYPE    CLASS   TTL     ADDRESS         NAMESERVER
example.com.    A       IN      40881s  93.184.216.34   178.20.45.32:53

Did you use the same interface to send the DNS answer?

I think the problem is more related to https://github.com/AdguardTeam/dnsproxy, but anyway it's an AGH product bug.

ssrahul96 commented 1 year ago

Try iptables -F, then do a dig. I had some similar issues with HTTP on IPv4: https://github.com/AdguardTeam/AdGuardHome/issues/4922

sergeysedoy97 commented 1 year ago

@ssrahul96 thank you, but there isn't any problem in iptables. IMO the problem is in the random UDP interface; that's why it works on the same machine only.

ainar-g commented 1 year ago

Hello and thanks for the thorough report. Some clarifications:

  1. If you use AdGuard Home outside of the Docker container, does that fix the issue?

  2. Are you sure that nothing else is binding to port 53? ss -l -n -u has shown that something does, but is that AdGuard Home? What does [sudo] lsof -i :53 show?

  3. Are there any clues in the logs? And if you configure AdGuard Home to collect verbose logs by setting verbose to true?

  4. If you explicitly enumerate the IP addresses on which AGH should listen, does that fix the issue?

Thanks.

sergeysedoy97 commented 1 year ago

@ainar-g

  1. It shouldn't, but I'll try.
  2. I'm sure.
    
    root@msk:~# ss -lnup | grep 53
    UNCONN 0      0                  *:53               *:*    users:(("adguardhome",pid=147593,fd=14))

    root@msk:~# lsof -i :53
    COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
    adguardho 147593 root   14u  IPv6 759588      0t0  UDP *:domain
    adguardho 147593 root   15u  IPv6 759589      0t0  TCP *:domain (LISTEN)

  3. It's verbose now; there are no logs of any incoming requests via IPv4 UDP.
  4. No.

    root@msk:~# ss -lnu | grep 53
    UNCONN 0      0                  178.20.45.32:53             0.0.0.0:*
    UNCONN 0      0          [2a0d:8480:2:54::]:53                [::]:*

    ❯ doggo example.com "@udp://[2a0d:8480:2:54::]"
    NAME            TYPE    CLASS   TTL     ADDRESS         NAMESERVER
    example.com.    A       IN      86400s  93.184.216.34   [2a0d:8480:2:54::]:53

    ❯ doggo example.com "@udp://178.20.45.32"
    time="2022-10-06T15:42:48+03:00" level=error msg="error looking up DNS records" error="read udp 192.168.0.18:57180->178.20.45.32:53: i/o timeout"
    NAME    TYPE    CLASS   TTL     ADDRESS NAMESERVER

ainar-g commented 1 year ago

I honestly have no idea then. If AdGuard Home is shown listening on UDP, and it works from the same machine, then my thought would be that some kind of firewall or network filter is doing this.

sergeysedoy97 commented 1 year ago

Issue resolved: my VPS provider blocked incoming UDP 53.
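The pattern the thread converged on (UDP answers from the same host, TCP answers from a remote host, remote UDP times out) can be checked in one pass from a second machine. This is an added example, not code from the thread, AdGuard Home or dnsproxy; it assumes the caller supplies the resolver address and, as in the thread, queries example.com.

```python
import secrets
import socket
import struct

def build_query(name, qtype=1, txid=None):
    """Minimal RFC 1035 query: 12-byte header with RD set, one IN question."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def is_reply_to(query, reply):
    """A message is our answer if the ID matches and the QR bit is set."""
    return len(reply) >= 12 and reply[:2] == query[:2] and bool(reply[2] & 0x80)

def probe(server, port=53, timeout=2.0):
    """Send the same query over UDP and TCP; report which transport answered."""
    q = build_query("example.com")
    fam = socket.AF_INET6 if ":" in server else socket.AF_INET
    result = {"udp": False, "tcp": False}
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(q, (server, port))
            result["udp"] = is_reply_to(q, s.recvfrom(4096)[0])
        except OSError:  # socket.timeout is an OSError subclass
            pass
    with socket.socket(fam, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, port))
            # TCP DNS prefixes each message with a 2-byte big-endian length.
            s.sendall(struct.pack("!H", len(q)) + q)
            length = struct.unpack("!H", s.recv(2))[0]
            result["tcp"] = is_reply_to(q, s.recv(length))
        except (OSError, struct.error):
            pass
    return result

def diagnose(result):
    """Map the transport pattern to the likely cause, as narrowed down in the thread."""
    if result["udp"] and result["tcp"]:
        return "both transports answer: resolver reachable"
    if result["tcp"]:
        return "TCP answers but UDP times out: UDP/53 is filtered on the path, not a bind problem"
    if result["udp"]:
        return "UDP answers but TCP fails: TCP/53 filtered or TCP listener missing"
    return "nothing answers: check the listener with ss -lnup and the bind_hosts setting"
```

Calling probe("178.20.45.32") from another host and getting {'udp': False, 'tcp': True} is the signature seen in this thread, which diagnose() attributes to a filtered UDP/53 path rather than to the '::' bind.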