matrix-org / matrix-federation-tester

Tester for matrix federation written in golang.

Use authoritative DNS server for SRV lookup #135

Closed mpldr closed 1 year ago

mpldr commented 1 year ago

When adjusting the DNS settings, immediate feedback is preferable to a response that is a few milliseconds faster. To achieve this, parse the NS records of the standard nameserver and query the specified server.

This does not reflect nameserver changes immediately but these are few and far between.

In case of any errors during the NS lookup, the default resolver is used.

mpldr commented 1 year ago

The result will be that it uses the co.uk nameservers, so ns{a-d,1-4}.nic.uk, which will fail to resolve it. Thanks for pointing that out. I'll think about how to best solve this. Maybe just falling back to the current behaviour to handle subdomains like co.uk would be the best solution.

-- Moritz Poldrack https://moritz.sh

clokep commented 1 year ago

https://publicsuffix.org/ can be useful to find "Top"-level domains.

reivilibre commented 1 year ago

I wonder if, given abc.def.xyz.co.uk, you first try NS abc.def.xyz.co.uk, then try NS def.xyz.co.uk, then try NS xyz.co.uk... if that would work properly. It's a bit of a brute force solution. I don't know DNS intricately enough to say whether this is right...

mpldr commented 1 year ago

That's a good idea, we have to check whether this resolves CNAMEs though. At least dig follows them by default:

$ dig helios.something.another-thing.domain-1.com NS
helios.something.another-thing.domain-1.com. 86384 IN   CNAME   helios.domain-2.com.
domain-2.com.       884 IN  SOA ns1.domain-2.com. abuse@domain-2.com. 1677641426 3600 600 1209600 3600

richvdh commented 1 year ago

It's worth noting that even if you look at the server in the NS record, you may still get a cached result, because you may hit a secondary DNS server.

DNS is a complicated beast, and there are pitfalls aplenty in re-implementing it. I fear that this may introduce a whole lot more bugs and edge-cases.

mpldr commented 1 year ago

and there are pitfalls aplenty in re-implementing it

To be fair, most won't apply to the federation tester. A somewhat odd CNAME setup will probably be the strangest thing we encounter. Worst case is the current behaviour, which I will add as a fallback.
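
As an added example (not code from this PR or from the federation tester), here is the label-by-label NS walk reivilibre sketched, in Go, combined with a public-suffix stop in the spirit of clokep's suggestion and the fall-back-on-error behaviour mpldr describes. The lookup function, the zone data and the three-entry suffix set are constructed stand-ins, and CNAME following is left out.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNoNS is what the injected lookup returns when a name has no NS RRset of its own.
var ErrNoNS = errors.New("no NS records at this name")

// FindDelegation tries NS at the full name, then at each parent (abc.def.xyz.co.uk,
// def.xyz.co.uk, xyz.co.uk, ...) and returns the first zone that has NS records. It never
// queries a registry suffix such as co.uk and returns any error other than ErrNoNS so the
// caller can fall back to the system resolver; lookup is injected so this runs offline.
func FindDelegation(name string, lookup func(string) ([]string, error), isPublicSuffix func(string) bool) (string, []string, error) {
	name = strings.TrimSuffix(strings.ToLower(name), ".")
	labels := strings.Split(name, ".")
	for i := range labels {
		zone := strings.Join(labels[i:], ".")
		if isPublicSuffix(zone) {
			return "", nil, fmt.Errorf("%s: nothing delegated above registry suffix %s", name, zone)
		}
		ns, err := lookup(zone)
		switch {
		case err == nil && len(ns) > 0:
			return zone, ns, nil
		case err == nil || errors.Is(err, ErrNoNS):
			continue // no zone cut at this label; try the parent
		default:
			return "", nil, fmt.Errorf("NS lookup for %s: %w", zone, err)
		}
	}
	return "", nil, fmt.Errorf("%s: no delegation found", name)
}

// Constructed stand-ins, not real DNS data: two delegated zones and a three-entry
// substitute for the public suffix list that clokep linked.
var demoNS = map[string][]string{"domain-2.com": {"ns1.domain-2.com"}, "example.co.uk": {"ns1.example.co.uk"}}
var demoSuffixes = map[string]bool{"com": true, "uk": true, "co.uk": true}
func DemoLookup(name string) ([]string, error) {
	if ns, ok := demoNS[name]; ok {
		return ns, nil
	}
	return nil, ErrNoNS
}
func main() {
	for _, h := range []string{"helios.domain-2.com", "matrix.example.co.uk", "nothing.co.uk"} {
		fmt.Println(FindDelegation(h, DemoLookup, func(s string) bool { return demoSuffixes[s] }))
	}
}
```

With the constructed data, the first two hosts resolve to their delegating zones, while nothing.co.uk errors out before co.uk is ever queried, which is the case that tripped the original approach.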

richvdh commented 1 year ago

Thanks for the contribution, but per my earlier comments, I'm not in favour of this change.