ncruces / go-dns

net.Resolvers with caching, opportunistic encryption, and DoT/DoH
https://pkg.go.dev/github.com/ncruces/go-dns
MIT License

127.0.0.1:53: server misbehaving #12

Closed powellnorma closed 1 year ago

powellnorma commented 1 year ago

For a specific domain (roboflow.com) I get the above error. I tried with different resolver endpoints: Cloudflare DoT, Cloudflare DoH, Quad9 DoT, but the error always stays the same: lookup roboflow.com on 127.0.0.1:53: server misbehaving.

When I try another domain (e.g. google.com or even media.roboflow.com), it works fine.

Is this a bug in this library? Or an unsupported feature the DNS server uses?

Maybe it is because of the "Comment" attribute, or the missing "Authority" attribute? (The domain has no AAAA records)

$ curl -s -H "accept: application/dns-json" "https://cloudflare-dns.com/dns-query?name=roboflow.com&type=AAAA" | jq
..
  "Comment": [
    "EDE(6): DNSSEC Bogus (proof of non-existence of roboflow.com. AAAA)"
  ]
}

Can you please have a look? Thank you!

package main

import (
    "fmt"
    "net"

    dns "github.com/ncruces/go-dns"
)

func main() {
    resolver, err := dns.NewDoTResolver("cloudflare-dns.com", dns.DoTAddresses("1.1.1.1", "1.0.0.1"))
    // resolver, err := dns.NewDoTResolver("dns.quad9.net")
    // resolver, err := dns.NewDoHResolver("https://cloudflare-dns.com/dns-query")
    if err != nil {
        panic(err)
    }
    net.DefaultResolver = resolver

    host := "roboflow.com"
    // host := "google.com"  // works
    l, err := net.LookupHost(host)
    if err != nil {
        panic(err)
    }
    fmt.Printf("IPs: %v\n", l)
}

ncruces commented 1 year ago

Yes, it's because of DNSSEC.

I'm setting resolver.StrictErrors to true, which in retrospect may be a bad default. You can change it yourself: just add resolver.StrictErrors = false before setting the net.DefaultResolver.
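
The StrictErrors behaviour discussed in this thread can be reproduced offline with the standard library's net.Resolver, the type that go-dns resolvers are. This is an added example, not code from the thread or from go-dns: the in-memory stub server, the name host.example. and the address 192.0.2.1 are constructed, and the stub answers AAAA with SERVFAIL, the response code a validating resolver returns when DNSSEC validation fails.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
)

// serve answers one length-prefixed DNS query (constructed stub, not a real server).
func serve(c net.Conn) {
	defer c.Close()
	var n [2]byte
	if _, err := io.ReadFull(c, n[:]); err != nil {
		return
	}
	q := make([]byte, int(n[0])<<8|int(n[1]))
	if _, err := io.ReadFull(c, q); err != nil {
		return
	}
	end := 12 // skip the header, then walk the QNAME labels
	for ; end < len(q) && q[end] != 0; end += int(q[end]) + 1 {
	}
	if end += 5; end > len(q) { // root label + QTYPE + QCLASS
		return
	}
	r := append([]byte{}, q[:end]...) // reply = query ID + question section
	copy(r[2:12], []byte{0x81, 0x82, 0, 1, 0, 0, 0, 0, 0, 0}) // QR|RD|RA, SERVFAIL
	if q[end-4] == 0 && q[end-3] == 1 { // QTYPE A: NOERROR, one answer 192.0.2.1
		r[3], r[7] = 0x80, 1
		r = append(r, 0xc0, 12, 0, 1, 0, 1, 0, 0, 0, 60, 0, 4, 192, 0, 2, 1)
	}
	c.Write(append([]byte{byte(len(r) >> 8), byte(len(r))}, r...))
}

// lookup resolves name through the stub with the given StrictErrors setting.
func lookup(name string, strict bool) ([]string, error) {
	r := &net.Resolver{PreferGo: true, StrictErrors: strict}
	r.Dial = func(ctx context.Context, network, addr string) (net.Conn, error) {
		client, server := net.Pipe()
		go serve(server)
		return client, nil
	}
	return r.LookupHost(context.Background(), name)
}

func main() {
	fmt.Println(lookup("host.example.", true))  // strict: SERVFAIL on AAAA fails the lookup
	fmt.Println(lookup("host.example.", false)) // lenient: the A answer is returned
}
```

With StrictErrors off, the caller receives the A answer and never learns that the AAAA query failed validation.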