NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

qname-minimisation causes incomplete response to A query when it follows a CNAME query #619

Closed Kaptnik closed 1 year ago

Kaptnik commented 2 years ago

Describe the bug
When qname-minimisation is enabled, if we send a CNAME query for a domain followed by an A query, and both record sets exist, Unbound only returns the CNAME record, even for the A query.

To reproduce
Steps to reproduce the behavior:

  1. Start Unbound with qname-minimisation enabled.
  2. Query the CNAME record followed by the A record for a domain, e.g. drive.aexp.com. Assuming Unbound is running locally and you have the dig command line tool set up:

    • dig @localhost drive.aexp.com CNAME
    • dig @localhost drive.aexp.com A

Expected behavior
For the second query, Unbound should return the A record for the domain, but Unbound only returns the CNAME record for both queries.

System:

Version 1.13.1

Configure line: --enable-dnstap --with-libevent --prefix=/source/microsoft/binaries
Linked libs: libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1f  31 Mar 2020
Linked modules: dns64 respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues

kumar0746 commented 2 years ago

Unbound returns the response from the msg cache. In iterator.c, Unbound stores the query type from the upstream authoritative server's response: https://github.com/NLnetLabs/unbound/blob/6b2e96430e925245d3633ce831810e386c9c6ffd/iterator/iterator.c#L2867. Unbound modifies the query from CNAME to A before sending it upstream and stores the CNAME response as an A response in the msg cache.

Suggested FIX – store the original query type in the msg cache instead of the query type from the response. Use the query type from the qchase structure.
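The cache-keying mistake described in the comment above, as a small Python model added here for illustration (this is not Unbound's code, and the upstream server, minimiser and cache below are simplified stand-ins with no relation to Unbound's real structures). The zone data is constructed from the dig transcript later in this thread. The buggy resolver stores the answer under the query type found in the upstream response; the fixed one stores it under the original question type, so the later A query misses the cache and is resolved in full.

```python
"""Model of a message cache keyed by the wrong query type.

Added example, not Unbound's code. The only thing modelled is a cache
keyed by (qname, qtype) where the stored qtype comes either from the
upstream response (the reported behaviour) or from the original question
(the suggested fix).
"""

# Constructed zone data: owner name -> list of (type, rdata)
ZONE = {
    "ns.safenet.com.": [("CNAME", "www.safenet.com.")],
    "www.safenet.com.": [("A", "10.10.10.12")],
}

MAX_CNAME_HOPS = 8  # guard against a CNAME loop in the constructed zone


def upstream(qname, qtype):
    """Stand-in authoritative server: returns (question_type, answer_rrs).

    A CNAME question is answered with the CNAME record alone; any other
    type is chased through in-zone CNAMEs to the final record set.
    """
    answer = []
    name = qname
    for _ in range(MAX_CNAME_HOPS):
        rrs = ZONE.get(name, [])
        cname = [r for r in rrs if r[0] == "CNAME"]
        if qtype != "CNAME" and cname:
            answer.append((name,) + cname[0])
            name = cname[0][1]
            continue
        answer.extend((name,) + r for r in rrs if r[0] == qtype)
        return qtype, answer
    return qtype, answer  # hop limit reached: return what was collected


def minimised_type(qtype):
    """With qname-minimisation on, the outgoing question type is rewritten;
    the report says CNAME goes out as A. Modelled as a fixed rewrite
    (assumption made for this example)."""
    return "A" if qtype == "CNAME" else qtype


class Resolver:
    def __init__(self, key_on_original_type, minimise=True):
        self.cache = {}  # (qname, qtype) -> list of answer RRs
        self.key_on_original_type = key_on_original_type
        self.minimise = minimise

    def resolve(self, qname, qtype):
        key = (qname, qtype)
        if key in self.cache:
            return list(self.cache[key])
        sent_type = minimised_type(qtype) if self.minimise else qtype
        resp_type, rrs = upstream(qname, sent_type)
        # Keep only what answers the ORIGINAL question: for a CNAME
        # question that is the CNAME record at the owner, nothing more.
        if qtype == "CNAME":
            answer = [r for r in rrs if r[0] == qname and r[1] == "CNAME"]
        else:
            answer = rrs
        # The bug: the cache key uses the response's question type (A),
        # so a CNAME-only answer is later served for an A question.
        stored_type = qtype if self.key_on_original_type else resp_type
        self.cache[(qname, stored_type)] = answer
        return list(answer)


def a_query_complete(resolver):
    """Run the reporter's two-query sequence; True if the A query's
    answer actually contains an A record."""
    resolver.resolve("ns.safenet.com.", "CNAME")
    answer = resolver.resolve("ns.safenet.com.", "A")
    return any(r[1] == "A" for r in answer)


if __name__ == "__main__":
    print("keyed on response type :", a_query_complete(Resolver(False)))
    print("keyed on original type :", a_query_complete(Resolver(True)))
```

Running it shows the report's symptom with the response-type key (the A query is answered from the CNAME-only entry) and a complete CNAME-plus-A answer once the cache entry is keyed on the question that was actually asked; with minimisation off, the outgoing type is never rewritten and the two keys coincide, which is why the problem only shows up with qname-minimisation enabled.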

JiangHeng12138 commented 2 years ago

How is your unbound.conf configured?

For me, when qname-minimisation is set, it is fine to dig CNAME and A:

[root@unbound]# dig  ns.safenet.com @9.82.187.162 CNAME

; <<>> DiG 9.16.23 <<>> ns.safenet.com @9.82.187.162 CNAME
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21254
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ns.safenet.com.                        IN      CNAME

;; ANSWER SECTION:
ns.safenet.com.         287     IN      CNAME   www.safenet.com.

;; Query time: 0 msec
;; SERVER: 9.82.187.162#53(9.82.187.162)
;; WHEN: Tue Mar 22 17:13:36 CST 2022
;; MSG SIZE  rcvd: 61

[root@unbound]# dig  ns.safenet.com @9.82.187.162 A

; <<>> DiG 9.16.23 <<>> ns.safenet.com @9.82.187.162 A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32391
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ns.safenet.com.                        IN      A

;; ANSWER SECTION:
ns.safenet.com.         281     IN      CNAME   www.safenet.com.
www.safenet.com.        288     IN      A       10.10.10.12

;; Query time: 0 msec
;; SERVER: 9.82.187.162#53(9.82.187.162)
;; WHEN: Tue Mar 22 17:13:42 CST 2022
;; MSG SIZE  rcvd: 77

gthess commented 2 years ago

This seems like a duplicate of #412. Could you verify that the issue is resolved with 1.15.0?

gthess commented 1 year ago

Closing as inactive; the duplicate issue is already resolved.