hildjj / dohdec

Lookup and decode DNS records using DNS-over-HTTPS (DoH)
MIT License

How best to handle edge case of truncated response? #40

Closed titanism closed 1 year ago

titanism commented 1 year ago

If flags_tc is true, how would you recommend handling the truncated response? Emit a dns.BADRESP or dns.FORMERR error? Or retry with TCP (although that would break DoH trust)? Reference code at https://github.com/EduardoRuizM/native-dnssec-dns/blob/fc27face6c64ab53675840bafc81f70bab48a743/lib/client.js#L352-L366.

hildjj commented 1 year ago

Hm. RFC 8484 says:

   A DoH server is allowed to answer queries with any valid DNS
   response.  For example, a valid DNS response might have the TC
   (truncation) bit set in the DNS header to indicate that the server
   was not able to retrieve a full answer for the query but is providing
   the best answer it could get.

So just switching to TCP might not solve the problem.

titanism commented 1 year ago

It seems like this is almost never going to be the case with DoH in real-world usage. Cloudflare and Google both explicitly state this is almost always false:

Cloudflare:


https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/make-api-requests/dns-json/#successful-response

Google:


https://developers.google.com/speed/public-dns/docs/secure-transports#truncation
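As an added example (not code from dohdec, nor from either commenter), here is one way to detect the TC flag on both DoH body types discussed in the thread: the binary wire format (application/dns-message), where TC is bit 9 of the header flags word, and the JSON API used by Cloudflare and Google (application/dns-json), where it is the boolean `TC` field. The "partial" classification and the `classify` policy are assumptions for illustration; the sample header and JSON object are constructed inline. Following hildjj's point, a truncated DoH answer is surfaced to the caller as-is rather than triggering a plain-TCP retry that would leave the encrypted transport without guaranteeing a fuller answer.

```javascript
// Added example, not dohdec's code. Detects DNS truncation (TC) in a DoH
// response and classifies the result so the caller can decide whether to
// treat it as a BADRESP-style error or accept the partial answer.

// DNS header is 12 bytes: ID(2) FLAGS(2) QDCOUNT(2) ANCOUNT(2) NSCOUNT(2) ARCOUNT(2).
// In FLAGS: QR is bit 15 (0x8000), TC is bit 9 (0x0200), RCODE is the low 4 bits.
function parseHeader(buf) {
  // Node's Buffer is a Uint8Array subclass, so this accepts both.
  if (!(buf instanceof Uint8Array) || buf.length < 12) {
    throw new Error('DNS message shorter than the 12-byte header');
  }
  const flags = (buf[2] << 8) | buf[3];
  return {
    id: (buf[0] << 8) | buf[1],
    qr: (flags & 0x8000) !== 0,
    tc: (flags & 0x0200) !== 0,
    rcode: flags & 0x000f,
    qdcount: (buf[4] << 8) | buf[5],
    ancount: (buf[6] << 8) | buf[7],
  };
}

// Policy (assumed for this example): a non-zero RCODE is an error; a
// truncated response with RCODE 0 is reported as 'partial' with however many
// answer records survived; otherwise 'ok'. No TCP fallback is attempted,
// since RFC 8484 allows the DoH server to return TC as its best answer.
function classify(tc, rcode, ancount) {
  if (rcode !== 0) return { status: 'error', rcode, truncated: tc, answers: ancount };
  if (tc) return { status: 'partial', rcode, truncated: true, answers: ancount };
  return { status: 'ok', rcode, truncated: false, answers: ancount };
}

// Wire-format body (application/dns-message).
function classifyWire(buf) {
  const h = parseHeader(buf);
  return classify(h.tc, h.rcode, h.ancount);
}

// JSON API body (application/dns-json): Status carries the RCODE, TC the
// truncation flag, Answer the array of records (absent on empty answers).
function classifyJson(obj) {
  const tc = obj.TC === true;
  // Missing/invalid Status is treated as SERVFAIL (2) rather than success.
  const rcode = Number.isInteger(obj.Status) ? obj.Status : 2;
  const ancount = Array.isArray(obj.Answer) ? obj.Answer.length : 0;
  return classify(tc, rcode, ancount);
}

// Constructed sample: header only, QR=1 TC=1 RD=1 RA=1 RCODE=0,
// one question and two answer records claimed in the counts.
const TRUNCATED_HEADER = Uint8Array.from([
  0xab, 0xcd, // ID
  0x83, 0x80, // flags 0x8380: QR=1, opcode 0, AA=0, TC=1, RD=1, RA=1, RCODE=0
  0x00, 0x01, // QDCOUNT
  0x00, 0x02, // ANCOUNT
  0x00, 0x00, // NSCOUNT
  0x00, 0x00, // ARCOUNT
]);

// Constructed sample in the Cloudflare/Google JSON shape with TC set.
const TRUNCATED_JSON = {
  Status: 0, TC: true, RD: true, RA: true, AD: false, CD: false,
  Question: [{ name: 'example.com.', type: 16 }],
  Answer: [{ name: 'example.com.', type: 16, TTL: 300, data: '"placeholder-txt"' }],
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(classifyWire(TRUNCATED_HEADER)); // { status: 'partial', ..., answers: 2 }
  console.log(classifyJson(TRUNCATED_JSON));   // { status: 'partial', ..., answers: 1 }
}
```

A caller that wants the stricter behaviour titanism asks about can map `status === 'partial'` to its own BADRESP-style error; the classifier deliberately keeps that decision outside the parser so the partial answer is not thrown away before the application sees it.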