TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

Inconsistent answers for "ANY" queries #730

Closed noseshimself closed 8 months ago

noseshimself commented 9 months ago

v 11.4.1

If I query the server (authoritative, primary) I'm sometimes getting an answer, sometimes not:

ap@term:~$ host -t ANY  www.bnc.net 194.39.192.125
Using domain server:
Name: 194.39.192.125
Address: 194.39.192.125#53
Aliases: 

www.bnc.net mail is handled by 10 mail-in.bnc.net.
www.bnc.net mail is handled by 50 mailomat.net.
www.bnc.net has address 81.20.89.254
ap@term:~$ host -t ANY  www.bnc.net 194.39.192.125
Trying "www.bnc.net"
Using domain server:
Name: 194.39.192.125
Address: 194.39.192.125#53
Aliases: 

Host www.bnc.net not found: 4(NOTIMP)
Received 29 bytes from 194.39.192.125#53 in 35 ms

(-t ANY because I wanted to see if there is a difference between that and -a)

Something similar is happening if I'm using dig so it's not depending on the implementation of the query tool.

Anything I should check?

ShreyasZare commented 9 months ago

Thanks for the feedback. I would recommend using the built-in DNS client tab on the DNS admin panel and trying to reproduce this. Let me know what output you get with the DNS client for an ANY query.

noseshimself commented 9 months ago

Let me ask a different question first:

How should the server react to a query for type ANY?

As far as I can see all questions from random clients on the internet for authoritative local zones are silently dropped and not even showing up in the log if "Log All Queries" has been activated.

Using the built-in client


I'm getting the correct answer

{
  "Metadata": {
    "NameServer": "localhost (127.0.0.1)",
    "Protocol": "Tcp",
    "DatagramSize": "105 bytes",
    "RoundTripTime": "1.89 ms"
  },
  "EDNS": {
    "UdpPayloadSize": 1232,
    "ExtendedRCODE": "NoError",
    "Version": 0,
    "Flags": "None",
    "Options": []
  },
  "Identifier": 0,
  "IsResponse": true,
  "OPCODE": "StandardQuery",
  "AuthoritativeAnswer": true,
  "Truncation": false,
  "RecursionDesired": true,
  "RecursionAvailable": true,
  "Z": 0,
  "AuthenticData": false,
  "CheckingDisabled": false,
  "RCODE": "NoError",
  "QDCOUNT": 1,
  "ANCOUNT": 3,
  "NSCOUNT": 0,
  "ARCOUNT": 1,
  "Question": [
    {
      "Name": "www.bnc.net",
      "Type": "ANY",
      "Class": "IN"
    }
  ],
  "Answer": [
    {
      "Name": "www.bnc.net",
      "Type": "MX",
      "Class": "IN",
      "TTL": "259200 (3 days)",
      "RDLENGTH": "12 bytes",
      "RDATA": {
        "Preference": 10,
        "Exchange": "mail-in.bnc.net"
      },
      "DnssecStatus": "Disabled"
    },
    {
      "Name": "www.bnc.net",
      "Type": "MX",
      "Class": "IN",
      "TTL": "259200 (3 days)",
      "RDLENGTH": "13 bytes",
      "RDATA": {
        "Preference": 50,
        "Exchange": "mailomat.net"
      },
      "DnssecStatus": "Disabled"
    },
    {
      "Name": "www.bnc.net",
      "Type": "A",
      "Class": "IN",
      "TTL": "259200 (3 days)",
      "RDLENGTH": "4 bytes",
      "RDATA": {
        "IPAddress": "81.20.89.254"
      },
      "DnssecStatus": "Disabled"
    }
  ],
  "Authority": [],
  "Additional": [
    {
      "Name": "",
      "Type": "OPT",
      "Class": "1232",
      "TTL": "0 (0 sec)",
      "RDLENGTH": "0 bytes",
      "RDATA": {
        "Options": []
      },
      "DnssecStatus": "Disabled"
    }
  ]
}

but I also ran a bash in the container and installed dnsutils doing

root@ns:/opt/technitium/dns# host -a www.bnc.net
Trying "www.bnc.net"
Host www.bnc.net not found: 4(NOTIMP)
Received 29 bytes from 127.0.0.11#53 in 8 ms
root@ns:/opt/technitium/dns#

shows that something is not working as expected. This also explains seemingly random failure of applications on machines using this server for resolution. I'm flying blind; I installed tcpdump inside the container too and can see incoming DNS queries inside the container:

IP 217.7.50.222.53159 > 172.16.20.1.53: Flags [P.], seq 1:32, ack 1, win 229, options [nop,nop,TS val 106271012 ecr 3017458173], length 31 13490+ ANY? www.bnc.net. (29)

(warning -- feature request for logging options coming)

ShreyasZare commented 9 months ago

Thanks for the details. It seems that the responses with NOTIMP response code are coming from some other DNS server/sub resolver somewhere on the network.

This is because the DNS server returns the NOTIMP response code in only one place in the entire codebase, and that too only for an unimplemented OPCODE. The DNS Server cannot return a NOTIMP response for an ANY query, which is why you don't see that response when querying on the same server (using the DNS Client).
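
The comparison above (a real ANY query answered locally, but NOTIMP seen from outside) can be checked on the wire. The following is an added example, not code from the Technitium project or from either participant: it builds the plain ANY query for www.bnc.net, decodes a response header, and flags a NOTIMP answer to a standard-opcode query as coming from some other responder. The 29-byte reply is constructed here to match the size host reported; 13490 is the query ID from the tcpdump line.

```python
# Added example (not from the Technitium project or the issue author): builds the
# ANY query seen in the thread, decodes a DNS response header, and flags the
# 29-byte NOTIMP reply that host reported. All sample bytes are constructed here.
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPE_ANY = 255

def encode_name(name):
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid, name, qtype=QTYPE_ANY):
    """Build a plain (non-EDNS) query: 12-byte header with RD set, QDCOUNT=1."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)

def parse_header(msg):
    """Decode the 12-byte header into the fields relevant to this issue."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "length": len(msg),
    }

def suspicious_notimp(query, response):
    """True when a standard-opcode query gets NOTIMP back. The thread notes the
    server emits NOTIMP only for an unknown OPCODE, so this points at a
    different responder (stub resolver, middlebox) answering instead."""
    q = parse_header(query)
    r = parse_header(response)
    return r["qr"] and r["id"] == q["id"] and q["opcode"] == 0 and r["rcode"] == "NOTIMP"

# Constructed sample: the reply host printed was 29 bytes, which is exactly
# header (12) + question section for www.bnc.net (13 + 4) and nothing else.
QUERY = build_query(13490, "www.bnc.net")   # 13490 is the ID in the tcpdump line
NOTIMP_REPLY = struct.pack(">HHHHHH", 13490, 0x8184, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    print(parse_header(NOTIMP_REPLY))
    print("other responder?", suspicious_notimp(QUERY, NOTIMP_REPLY))
```

Running the same comparison against a capture from inside the container and from the client host shows which hop rewrote the answer.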

noseshimself commented 9 months ago

censored

I guess we can close this; I promise to never use any Ubuntu or derived products ever again; their resolver is giving me cramps.

ShreyasZare commented 9 months ago

> censored
>
> I guess we can close this; I promise to never use any Ubuntu or derived products ever again; their resolver is giving me cramps.

I am not sure if it's Ubuntu, since I am using it in many places in production deployments of the DNS server. The issue could be anything, like network gear that hijacks DNS requests. Most common are home wifi routers that hijack DNS by default when in access point mode. So it can be anything like that, including your ISP doing the same.

noseshimself commented 9 months ago

> I am not sure if its Ubuntu since I am using it in many places in production deployment of DNS server

My problem is (and always has been) following the convoluted ways of DNS resolutions with that stupid 127.0.0.53 nonsense. DNS has to be plain and simple.