In my test bed setup, pdns-server is listening on IPv6 [::]:53 and pdns-recursor on 127.0.0.1:54.
allow-recursion = 127.0.0.1
recursor=127.0.0.1:54
Queries from IPv6 ::1 therefore do not permit recursion.
If I query a non-local domain from ::1, such as "dig @::1 www.cnn.com A", then I receive an expected failure:
; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1.1 <<>> @::1 www.cnn.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27639
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.cnn.com. IN A
;; Query time: 1 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Apr 27 15:39:10 EST 2014
;; MSG SIZE rcvd: 29
If I immediately re-query the same domain from 127.0.0.1 (for which recursion is authorised), I get the same error as above:
; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1.1 <<>> @127.0.0.1 www.cnn.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28121
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.cnn.com. IN A
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Apr 27 15:39:43 EST 2014
;; MSG SIZE rcvd: 29
If I wait a bit and re-do the query from 127.0.0.1 then it works as expected:
; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1.1 <<>> @127.0.0.1 www.cnn.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32317
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.cnn.com. IN A
;; ANSWER SECTION:
www.cnn.com. 1040 IN CNAME www.cnn.com.vgtf.net.
www.cnn.com.vgtf.net. 120 IN CNAME cnn-cop.gslb.vgtf.net.
cnn-cop.gslb.vgtf.net. 300 IN A 157.166.239.177
cnn-cop.gslb.vgtf.net. 300 IN A 157.166.238.48
cnn-cop.gslb.vgtf.net. 300 IN A 157.166.238.17
;; Query time: 41 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Apr 27 15:40:24 EST 2014
;; MSG SIZE rcvd: 138
Also, a subsequent query from ::1 still results in a failure.
The behavior I expect is that a query from ::1 always results in a failure (yes it does) and a query from 127.0.0.1 always results in a lookup to pdns-recursor (no it does not).
The query output from pdns monitor shows what's going on:
Apr 27 15:42:48 Remote ::1 wants 'www.cnn.com|A', do = 0, bufsize = 1680: packetcache MISS
[pdns-server caches its failure response to the unauthorised client in the packet cache]
Apr 27 15:42:49 Remote ::ffff:127.0.0.1 wants 'www.cnn.com|A', do = 0, bufsize = 1680: packetcache HIT
[pdns-server replies to the authorised client with the packetcache contents, which are wrong for it]
Apr 27 15:42:50 Remote ::ffff:127.0.0.1 wants 'www.cnn.com|A', do = 0, bufsize = 1680: packetcache HIT
Apr 27 15:42:51 Remote ::ffff:127.0.0.1 wants 'www.cnn.com|A', do = 0, bufsize = 1680: packetcache HIT
Apr 27 15:42:52 Remote ::ffff:127.0.0.1 wants 'www.cnn.com|A', do = 0, bufsize = 1680: packetcache HIT
Apr 27 15:42:52 Remote ::ffff:127.0.0.1 wants 'www.cnn.com|A', do = 0, bufsize = 1680: packetcache HIT
[... I pound away on it, then wait a few seconds for the packetcache to clear ...]
Apr 27 15:42:59 Remote ::ffff:127.0.0.1 wants 'www.cnn.com|A', do = 0, bufsize = 1680: packetcache MISS
[This returns the correct result]
It looks to me like the packetcache entries need to be tagged with a flag whether the client is authorised to recurse or not. Or perhaps easier, there should be two packetcaches, one for recursion-authorised clients and one for unauthorised.
This is pdns-server 3.1.4-build1 and pdns-recursor 3.3-3 on Ubuntu Saucy (fresh install).
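The cache-key problem described in this report, as an added Python simulation (this is not PowerDNS code): a packet cache keyed only on (qname, qtype) replays the "recursion not available" answer built for ::1 to 127.0.0.1, while a key that also carries the client's recursion right, the first fix suggested above, keeps the two apart. The ACL, the recursor answer and the 5-second TTL are constructed stand-ins for the test bed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for the report's setup: 127.0.0.1 may recurse, ::1 may not.
ALLOW_RECURSION = [ipaddress.ip_network("127.0.0.1/32")]
# Constructed recursor data; in the test bed this comes from pdns-recursor on 127.0.0.1:54.
RECURSOR = {("www.cnn.com", "A"): ["157.166.239.177"]}

def client_may_recurse(remote: str) -> bool:
    """Apply the allow-recursion ACL, unmapping ::ffff:a.b.c.d as seen on a [::]:53 socket."""
    addr = ipaddress.ip_address(remote)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in ALLOW_RECURSION)

@dataclass
class PacketCache:
    tag_by_recursion: bool           # True = key includes the client's recursion right
    ttl: float = 5.0                 # seconds an entry is served from the cache
    entries: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def _key(self, qname, qtype, may_recurse):
        return (qname, qtype, may_recurse) if self.tag_by_recursion else (qname, qtype)

    def answer(self, remote, qname, qtype, now):
        """Serve a query: packet cache first, otherwise build the response and cache it."""
        may_recurse = client_may_recurse(remote)
        key = self._key(qname, qtype, may_recurse)
        if key in self.entries and self.entries[key][0] > now:
            self.log.append(f"Remote {remote} wants '{qname}|{qtype}': packetcache HIT")
            return self.entries[key][1]
        self.log.append(f"Remote {remote} wants '{qname}|{qtype}': packetcache MISS")
        if may_recurse:
            resp = {"ra": True, "answers": RECURSOR.get((qname, qtype), [])}
        else:  # not in allow-recursion: NOERROR, no RA flag, empty answer, as in the dig output
            resp = {"ra": False, "answers": []}
        self.entries[key] = (now + self.ttl, resp)
        return resp

def reproduce(tag_by_recursion: bool):
    """Replay the report's sequence: ::1 first, 127.0.0.1 right after, 127.0.0.1 after the TTL."""
    cache = PacketCache(tag_by_recursion)
    first = cache.answer("::1", "www.cnn.com", "A", now=0.0)
    second = cache.answer("::ffff:127.0.0.1", "www.cnn.com", "A", now=1.0)
    later = cache.answer("::ffff:127.0.0.1", "www.cnn.com", "A", now=10.0)
    return first, second, later
```

With `tag_by_recursion=False` the second answer is the cached failure; with `True` the authorised client gets the recursor's answer immediately.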