abh / geodns

DNS server with per-client targeted responses
Apache License 2.0

[Bug] Incorrect GSLB result for Cloudflare DNS (1.1.1.1) #132

Open ghost opened 2 years ago

ghost commented 2 years ago

Hello,

I think geodns doesn't work when clients are querying DNS records via the 1.1.1.1 DNS resolver.

Test results

root@localhost:~# which dig
/usr/bin/dig
root@localhost:~# dig pool.ntp.org @1.1.1.1

; <<>> DiG 9.16.1-Ubuntu <<>> pool.ntp.org @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34920
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pool.ntp.org.                  IN      A

;; ANSWER SECTION:
pool.ntp.org.           133     IN      A       213.231.5.55
pool.ntp.org.           133     IN      A       200.89.75.197
pool.ntp.org.           133     IN      A       109.74.192.97
pool.ntp.org.           133     IN      A       211.233.84.186

;; Query time: 0 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Apr 08 23:19:57 UTC 2022
;; MSG SIZE  rcvd: 105

root@localhost:~# ping 213.231.5.55
PING 213.231.5.55 (213.231.5.55) 56(84) bytes of data.
64 bytes from 213.231.5.55: icmp_seq=1 ttl=53 time=250 ms
64 bytes from 213.231.5.55: icmp_seq=2 ttl=53 time=250 ms
^C
--- 213.231.5.55 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 249.610/249.961/250.313/0.351 ms
root@localhost:~# ping 200.89.75.197
PING 200.89.75.197 (200.89.75.197) 56(84) bytes of data.
64 bytes from 200.89.75.197: icmp_seq=1 ttl=56 time=267 ms
^C
--- 200.89.75.197 ping statistics ---
2 packets transmitted, 1 received, 50% packet loss, time 1001ms
rtt min/avg/max/mdev = 266.621/266.621/266.621/0.000 ms
root@localhost:~# ping 109.74.192.97
PING 109.74.192.97 (109.74.192.97) 56(84) bytes of data.
64 bytes from 109.74.192.97: icmp_seq=1 ttl=55 time=236 ms
^C
--- 109.74.192.97 ping statistics ---
2 packets transmitted, 1 received, 50% packet loss, time 1002ms
rtt min/avg/max/mdev = 236.298/236.298/236.298/0.000 ms
root@localhost:~# ping 211.233.84.186
PING 211.233.84.186 (211.233.84.186) 56(84) bytes of data.
64 bytes from 211.233.84.186: icmp_seq=1 ttl=54 time=33.3 ms
64 bytes from 211.233.84.186: icmp_seq=2 ttl=54 time=33.2 ms
^C
--- 211.233.84.186 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 33.228/33.249/33.270/0.021 ms
root@localhost:~# dig pool.ntp.org

; <<>> DiG 9.16.1-Ubuntu <<>> pool.ntp.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32438
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;pool.ntp.org.                  IN      A

;; ANSWER SECTION:
pool.ntp.org.           75      IN      A       162.159.200.1
pool.ntp.org.           75      IN      A       203.112.25.169
pool.ntp.org.           75      IN      A       194.0.5.123
pool.ntp.org.           75      IN      A       133.243.238.163

;; Query time: 7 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Apr 08 23:21:08 UTC 2022
;; MSG SIZE  rcvd: 105

Querying from a Japan region server returns incorrect answers when the records are returned by 1.1.1.1, while it works normally with the default DNS server provided by the ISP.

abh commented 2 years ago

Sounds like an issue with the GeoIP data or one of the particular installations, not really the geodns software. (So maybe better for community.ntppool.org). But all the same:

Cloudflare doesn't support EDNS-CLIENT-SUBNET, so we'll use the geoip data/location of their DNS server.

Can you do a query for dig -t txt _country.pool.ntp.org (maybe do a couple, they might have different results)?

ghost commented 2 years ago

ubuntu@ubuntu:~$ dig -t txt _country.pool.ntp.org @1.1.1.1

; <<>> DiG 9.16.1-Ubuntu <<>> -t txt _country.pool.ntp.org @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39059
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_country.pool.ntp.org.         IN      TXT

;; ANSWER SECTION:
_country.pool.ntp.org.  1       IN      TXT     "[2400:cb00:382:1024::ac46:79a3]:47772" "2400:cb00:382:1024::ac46:79a3" "jp asia @" "/0" "nue2" "178.63.120.205" "()"

;; Query time: 247 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Apr 09 16:20:45 JST 2022
;; MSG SIZE  rcvd: 166

ubuntu@ubuntu:~$ dig -t txt _country.pool.ntp.org

; <<>> DiG 9.16.1-Ubuntu <<>> -t txt _country.pool.ntp.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10100
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_country.pool.ntp.org.         IN      TXT

;; ANSWER SECTION:
_country.pool.ntp.org.  5       IN      TXT     "<redacted>" "<redacted>" "jp asia @" "/0" "147.75.94.227" "147.75.94.227" "()"

;; Query time: 7 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Apr 09 16:20:55 JST 2022
;; MSG SIZE  rcvd: 140

@abh Sure, here is the result
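The following is an added example, not code from geodns or from anyone in this thread. It models the point abh makes above (a GeoDNS server can only target the end user's location when the recursive resolver forwards an EDNS Client Subnet option; without ECS it has to geolocate the resolver's own source address) and parses the `_country` debug TXT record quoted from the 1.1.1.1 query. The GeoIP table, the continent labels and the `Query`/`targets_for` helpers are simplifications invented for this example using RFC 5737/RFC 3849 documentation ranges; the field names in `parse_country_txt` are this example's interpretation of the record layout, not geodns's documented format.

```python
"""Added example: why ECS matters for GeoDNS targeting, plus a parser for the
_country debug TXT record shown in the thread. Not geodns's own code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed GeoIP table (assumption, documentation ranges only, not real data).
GEOIP = {
    ipaddress.ip_network("192.0.2.0/24"): "us",      # assumed: a public resolver located abroad
    ipaddress.ip_network("198.51.100.0/24"): "jp",   # assumed: the end user's ISP network
    ipaddress.ip_network("2001:db8:1::/48"): "jp",   # assumed: IPv6 side of the same ISP
}
CONTINENT = {"us": "north-america", "jp": "asia"}   # assumed continent labels


@dataclass
class Query:
    resolver_ip: str                   # source IP of the packet the authoritative server saw
    ecs_subnet: Optional[str] = None   # EDNS Client Subnet as "prefix/len", None if absent


def choose_location_ip(q: Query):
    """Pick the address to geolocate and the scope mask.

    With ECS the resolver tells us the client's subnet. Without it (the
    Cloudflare case in the thread) only the resolver's own IP is available,
    which shows up as mask /0 in the debug record.
    """
    if q.ecs_subnet:
        net = ipaddress.ip_network(q.ecs_subnet, strict=False)
        return str(net.network_address), net.prefixlen
    return q.resolver_ip, 0


def lookup_country(ip: str) -> Optional[str]:
    """Longest-match-free toy lookup over the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return None


def targets_for(q: Query) -> str:
    """Return the target chain as a space-separated string, e.g. "jp asia @"."""
    ip, _mask = choose_location_ip(q)
    cc = lookup_country(ip)
    chain = []
    if cc:
        chain.append(cc)
        if cc in CONTINENT:
            chain.append(CONTINENT[cc])
    chain.append("@")   # "@": default/global records, always the final fallback
    return " ".join(chain)


def parse_country_txt(strings):
    """Parse the _country.<zone> debug TXT strings.

    Field names are this example's interpretation: remote socket address,
    client IP used for geolocation, target chain, ECS mask; any remaining
    strings are kept verbatim under "extra".
    """
    if len(strings) < 4:
        raise ValueError("expected at least 4 TXT strings")
    mask = int(strings[3].lstrip("/"))
    return {
        "remote_addr": strings[0],
        "client_ip": strings[1],
        "targets": strings[2].split(),
        "ecs_mask": mask,
        "has_ecs": mask > 0,
        "extra": list(strings[4:]),
    }


# Record copied from the @1.1.1.1 query earlier in the thread.
CLOUDFLARE_DEBUG_TXT = [
    "[2400:cb00:382:1024::ac46:79a3]:47772",
    "2400:cb00:382:1024::ac46:79a3",
    "jp asia @",
    "/0",
    "nue2",
    "178.63.120.205",
    "()",
]

if __name__ == "__main__":
    # Resolver abroad, no ECS: answer targeted at the resolver's country.
    print(targets_for(Query("192.0.2.53")))
    # Same resolver forwarding ECS: answer targeted at the client's country.
    print(targets_for(Query("192.0.2.53", "198.51.100.0/24")))
    print(parse_country_txt(CLOUDFLARE_DEBUG_TXT))
```

When debugging a report like this one, compare the `targets` and `ecs_mask` fields of the debug record with the country you expect: a `/0` mask tells you the resolver sent no client subnet, so the second string is the resolver's address and the target chain was derived from it, exactly as abh describes for Cloudflare.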