[Bug]: DnsPinMiddleware.php uses wrong concept of handling failed DNS responses

[uwedisch]

⚠️ This issue respects the following points: ⚠️

• [X] This is a bug, not a question or a configuration/webserver/proxy issue.
• [X] This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• [X] I agree to follow Nextcloud's Code of Conduct.

Bug description

If in DnsPinMiddleware.php in private function dnsResolve() retrieving the SOA record works and for some reason, for example because of packet loss, dnsResolve() doesn't return IP addresses with the second run the DNS record is negatively cached for the time of the minimum ttl of the SOA record.

The current implementation protects against missing IP addresses, i.e. missing DNS responses, with the minimum TTL of the SOA record. This implementation isn't correct.

Steps to reproduce

1. Try an update of apps or installation of apps.
2. Have missing DNS responses by accident.
3. Now you are not able to do updates or installation of apps for 24 hours for example with Github sources.

Expected behavior

DNS pinning should protect against modified IP addresses with a user configurable TTL.

Nextcloud Server version

29

Operating system

Debian/Ubuntu

PHP engine version

None

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Updated from a MINOR version (ex. 28.0.1 to 28.0.2)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

• [X] Default user-backend (database)
• [ ] LDAP/ Active Directory
• [ ] SSO - SAML
• [ ] Other

Configuration report

No response

List of activated Apps

No response

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response

[uwedisch]

Setting dnsNegativeTtl unconditional to null in line 59 of DnsPinMiddleware.php is a workaround.