envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

no_default_search_domain does not take effect #33138

Open parbres opened 7 months ago

parbres commented 7 months ago

no_default_search_domain in dns_resolver_options does not take effect

Description: I am using a dynamic_forward_proxy cluster, and sub_clusters_config is selected. To suppress too many requests towards the local DNS, I configured the DNS resolver at cluster level: [image]

But the test result is that Envoy still searches the default domain, and DNS resolution failed in my case.

My host name in the request is: a.com

My expectation is that Envoy queries a.com directly against my configured DNS server.

The result is that Envoy queries a.com.mynamespace.svc.cluster.local; mynamespace.svc.cluster.local is the first record in my /etc/resolv.conf.

In my /etc/resolv.conf:

search mynamespace.svc.cluster.local svc.cluster.local cluster.local abcd
nameserver 1.1.1.1
options ndots:5
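
The lookup order the report above describes, as an added example that is not part of the original thread and is not Envoy or c-ares code: a small model of resolv.conf(5) search-list expansion run over the quoted file. The function names and the `use_search` flag are hypothetical; `use_search=False` stands in for the behaviour the reporter expects from no_default_search_domain.

```python
# Added model of resolv.conf(5) search-list expansion; not Envoy or c-ares code.
# RESOLV_CONF is constructed from the values quoted in the report.
RESOLV_CONF = """\
search mynamespace.svc.cluster.local svc.cluster.local cluster.local abcd
nameserver 1.1.1.1
options ndots:5
"""


def parse_resolv_conf(text):
    """Return (search_domains, ndots) parsed from resolv.conf text."""
    search, ndots = [], 1  # resolv.conf(5): ndots defaults to 1
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":
            continue  # blank line or comment
        if fields[0] == "search":
            search = fields[1:]  # the last search line wins
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    # resolv.conf(5): the value is silently capped at 15
                    ndots = min(int(opt.split(":", 1)[1]), 15)
    return search, ndots


def candidate_queries(name, search, ndots, use_search=True):
    """Names a stub resolver would try for `name`, in order.

    use_search is a hypothetical switch modelling a resolver with the
    default search domains disabled.
    """
    if name.endswith("."):
        return [name.rstrip(".")]  # trailing dot: absolute name, no search
    if not use_search or not search:
        return [name]
    expanded = [f"{name}.{domain}" for domain in search]
    if name.count(".") >= ndots:
        return [name] + expanded  # enough dots: try the name as-is first
    return expanded + [name]  # too few dots: search list first


if __name__ == "__main__":
    search, ndots = parse_resolv_conf(RESOLV_CONF)
    for label, flag in (("search list on ", True), ("search list off", False)):
        print(label, candidate_queries("a.com", search, ndots, use_search=flag))
```

With ndots:5, a.com has fewer than five dots, so every search domain is tried before the bare name; each of those queries also discloses the external host name to the cluster DNS server.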

yanavlasov commented 7 months ago

I've added the help wanted label, in case someone wants to diagnose the problem here. It could be an issue with the ares library too. I will take a look when I have time.

arulthileeban commented 4 months ago

Believe this is stemming from c-ares and there is already a fix: https://github.com/c-ares/c-ares/pull/638. The issue occurs with both static/dynamic clusters in the current version (v1.21.0), but upgrading to the latest 1.31.0 fixes the issue at hand, which I've manually been able to test.

I can raise a PR to upgrade the library to the latest version, unless there are any objections.

EDIT: There seems to be a PR #33880 already to upgrade to a required version for this, but tests seem to break for ARM. I can look further

jpmca12 commented 4 months ago

@arulthileeban: Any update? We are looking for a fix for CVE-2024-25629, which is present in c-ares 1.27.0: https://github.com/c-ares/c-ares/releases/tag/cares-1_27_0

Thanks for your help.

arulthileeban commented 4 months ago

Sorry, forgot about this one. Just checked with the latest version and a bunch of tests are failing against it. I'll spend the coming weekend looking into what changed in c-ares to try to fix this.

jpmca12 commented 3 months ago

@arulthileeban Kindly checking to see if you have any updates. Thanks!

yanavlasov commented 3 months ago

There are issues updating c-ares to newer versions due to incompatibility with gRPC. We will need to wait for gRPC to update their version of c-ares (which is 1.19 at this point) before we can move on.

It is possible we can update up to 1.26, but not sure.