networkservicemesh / fanout

Repository for the coredns fanout plugin used by Network Service Mesh
Apache License 2.0

SERVFAIL with TLS #41

Closed Funami580 closed 3 months ago

Funami580 commented 3 years ago

Corefile config

.:5305 { 
    fanout . tls://9.9.9.9 {
       tls-server dns.quad9.net
    }
}

.:5306 { 
    fanout . 1.1.1.1
}

.:5307 { 
    forward . tls://9.9.9.9 {
       tls_servername dns.quad9.net
    }
}

Result fanout with tls: not working

$ drill archlinux.org @127.0.0.1 -p 5305
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 38154
;; flags: qr rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; archlinux.org.       IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 301 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Oct 13 22:38:23 2021
;; MSG SIZE  rcvd: 31

With logs and errors enabled:

Oct 13 22:42:32 name coredns[1202070]: CoreDNS-1.8.6
Oct 13 22:42:32 name coredns[1202070]: linux/amd64, go1.17.1, 796d2e4
Oct 13 22:42:45 name coredns[1202070]: [INFO] 127.0.0.1:37213 - 33130 "A IN archlinux.org. udp 31 false 512" - - 0 0.300800212s
Oct 13 22:42:45 name coredns[1202070]: [ERROR] plugin/errors: 2 archlinux.org. A: attempt limit has been reached

Result fanout without tls: works

$ drill archlinux.org @127.0.0.1 -p 5306
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 37250
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; archlinux.org.       IN      A

;; ANSWER SECTION:
archlinux.org.  1759    IN      A       95.217.163.246

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 6 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Oct 13 22:40:20 2021
;; MSG SIZE  rcvd: 60

Result forward with tls: works

$ drill archlinux.org @127.0.0.1 -p 5307
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 26425
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; archlinux.org.       IN      A

;; ANSWER SECTION:
archlinux.org.  35259   IN      A       95.217.163.246

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 71 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Oct 13 22:40:56 2021
;; MSG SIZE  rcvd: 60

Funami580 commented 3 years ago

Worked around the issue with:

.:53 { 
    fanout . 127.0.0.1:5301
}

.:5301 { 
    forward . tls://9.9.9.9 {
       tls_servername dns.quad9.net
    }
}

denis-tingaikin commented 3 years ago

@Funami580 This is an interesting issue, I think it should be reopened.

denis-tingaikin commented 3 years ago

@Funami580 Do you have an idea where the problem can be in the code?

denis-tingaikin commented 3 years ago

Also interesting... Is corefile

    fanout . tls://9.9.9.9 {
       tls-server dns.quad9.net
    }

working correctly?

Funami580 commented 3 years ago

> Do you have an idea where the problem can be in the code?

No, but once https://github.com/networkservicemesh/fanout/pull/37 is merged, it is possible to see a more detailed error message, I guess.

> Is corefile [...] working correctly?

Didn't I test that already with

.:5305 { 
    fanout . tls://9.9.9.9 {
       tls-server dns.quad9.net
    }
}

?

denis-tingaikin commented 3 years ago

> No, but once #37 is merged, it is possible to see a more detailed error message, I guess.

There was a minor comment related to error messages. Finally merged.

denis-tingaikin commented 3 years ago

@Funami580 #37 is merged. Could you please retest the setup and provide new logs?
Thanks!

Funami580 commented 3 years ago

Oct 17 19:27:42 name coredns[176385]: [ERROR] plugin/errors: 2 archlinux.org. A: attempt limit has been reached, last err: dial tcp-tls: unknown network tcp-tls
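The last log line is Go's net package rejecting the network name "tcp-tls", which is the name CoreDNS and miekg/dns use for DNS over TLS and which must be dialed as TCP wrapped in TLS rather than handed to net.Dial as-is. The following is an added example, not code from the fanout plugin: it reproduces the exact error from a naive dial and shows a dialer that maps "tcp-tls" to a TLS connection verified against the configured server name (the function names and the 2-second timeout are assumptions of this example).

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"time"
)

// tlsNetwork is the network name miekg/dns and CoreDNS use for DNS over TLS
// (a "tls://" upstream in a Corefile becomes "tcp-tls").
const tlsNetwork = "tcp-tls"

// naiveDial reproduces the failure from the thread: net.Dial only knows the
// tcp/udp/ip/unix families, so "tcp-tls" yields "unknown network tcp-tls".
func naiveDial(network, addr string) (net.Conn, error) {
	return net.DialTimeout(network, addr, 2*time.Second)
}

// isUnknownNetwork reports whether err is Go's net.UnknownNetworkError,
// i.e. the failure mode logged as "dial tcp-tls: unknown network tcp-tls".
func isUnknownNetwork(err error) bool {
	var une net.UnknownNetworkError
	return errors.As(err, &une)
}

// transportFor maps a DNS upstream network name to the transport that is
// actually dialed and whether TLS wraps it; anything else is rejected.
func transportFor(network string) (transport string, useTLS bool, err error) {
	switch network {
	case "udp", "tcp":
		return network, false, nil
	case tlsNetwork:
		return "tcp", true, nil
	default:
		return "", false, fmt.Errorf("unsupported upstream network %q", network)
	}
}

// dialUpstream is the corrected dialer: tcp-tls goes over TCP wrapped in TLS,
// with the certificate verified against serverName (the Corefile's
// tls_servername). An empty server name is refused rather than silently
// sending SNI-less traffic that cannot be verified.
func dialUpstream(network, addr, serverName string) (net.Conn, error) {
	transport, useTLS, err := transportFor(network)
	if err != nil {
		return nil, err
	}
	d := &net.Dialer{Timeout: 2 * time.Second}
	if !useTLS {
		return d.Dial(transport, addr)
	}
	if serverName == "" {
		return nil, errors.New("tcp-tls upstream requires a TLS server name")
	}
	cfg := &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12}
	return tls.DialWithDialer(d, transport, addr, cfg)
}

func main() {
	// Demonstrates the bug without any network access: the error is raised
	// while parsing the network name, before a socket is opened.
	_, err := naiveDial(tlsNetwork, "9.9.9.9:853")
	fmt.Println(err) // prints "dial tcp-tls: unknown network tcp-tls"
}
```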