pralor-bot
commented
1 year ago This issue has been mentioned on Pi-hole Userspace. There might be relevant details there:
Closed NickJLange closed 1 year ago
pralor-bot
commented
1 year ago This issue has been mentioned on Pi-hole Userspace. There might be relevant details there:
DL6ER
commented
1 year ago Sorry for our first reply having taken so long. I had a quick look about two weeks ago but missed an important details: It is a dnsmasq not a (at least not a "native") pihole-FTL issue. Unfortunately, we won't be able to do much about it and I as much as I really hate to say "not my business", I still feel you should speak up at https://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss - especially since you already have lots of details available (esp. the unbound logs showing what is going on).
One thing you could do beforehand would be enabling the embedded pcap packet dumping. I'll reply to you about this in the linked Discourse discussion as things can be formatted more nicely over there. I will furthermore mark this ticket as an external issue but we can still leave it open until we incorporated the fix from dnsmasq upstream once ready.
Bucking-Horn
commented
1 year ago The Discourse topic discussion revealed that NickJLange runs two instances of unbound.
The unbound configuration as shared above looks faulty, which may have contributed to NickJLange's observation, particularly if only one of the unbound instances has been using that configuration:
root@cnamed2:~# cat /etc/unbound/unbound.conf.d/localzone-myhouse.privatedomain.com.conf (...) local-data: "cnamed.myhouse.privatedomain.com. IN A 192.168.1104" local-data: "canmed.myhouse.privatedomain.com. TXT 'Cheese' " local-data: "nodered.myhouse.privatedomain.com. CNAME cnamed.myhouse.privatedomain.com."
192.168.1104 is not a valid IP address, and canmed seems like a twisted cnamed.
Bucking-Horn
commented
1 year ago It seems that -being a recursive resolver rather than an authoritative one- unbound does not expand CNAMEs from local definitions, which would prompt the behaviour you observe.
See e.g. https://lists.nlnetlabs.nl/pipermail/unbound-users/2009-March/000509.html and https://github.com/NLnetLabs/unbound/issues/132
NickJLange
commented
1 year ago Thank you for your time and effort on pihole.
So that's sort of interesting - I'm using the container version of pihole. Just to make sure I'm not missing something - should FTL be logging under a different name? At any rate, I can raise an issue upstream.
I'll get a pcap over the weekend and update.
root@terraOmega-pihole:/var/log/pihole# grep -ri dnsmasq * | head -n 5
pihole.log:Sep 14 00:00:04 dnsmasq[240]: query[A] compute.googleapis.com from 192.168.100.110
pihole.log:Sep 14 00:00:04 dnsmasq[240]: forwarded compute.googleapis.com to 192.168.100.112#5335
pihole.log:Sep 14 00:00:04 dnsmasq[240]: query[AAAA] compute.googleapis.com from 192.168.100.110
pihole.log:Sep 14 00:00:04 dnsmasq[240]: forwarded compute.googleapis.com to 192.168.100.112#5335
pihole.log:Sep 14 00:00:04 dnsmasq[240]: reply compute.googleapis.com is 142.250.81.234The Discourse topic discussion revealed that NickJLange runs two instances of unbound.
The unbound configuration as shared above looks faulty, which may have contributed to NickJLange's observation, particularly if only one of the unbound instances has been using that configuration:
root@cnamed2:~# cat /etc/unbound/unbound.conf.d/localzone-myhouse.privatedomain.com.conf (...) local-data: "cnamed.myhouse.privatedomain.com. IN A 192.168.1104" local-data: "canmed.myhouse.privatedomain.com. TXT 'Cheese' " local-data: "nodered.myhouse.privatedomain.com. CNAME cnamed.myhouse.privatedomain.com."
192.168.1104is not a valid IP address, andcanmedseems like a twistedcnamed.
Alas, this was just a sanitization-typo (and a failed one at that!)
It seems that -being a recursive resolver rather than an authoritative one- unbound does not expand CNAMEs from local definitions, which would prompt the behaviour you observe. See e.g. https://lists.nlnetlabs.nl/pipermail/unbound-users/2009-March/000509.html and https://github.com/NLnetLabs/unbound/issues/132
This looks more promising although it doesn't explain that unbound is correctly resolving when asked directly.
Bucking-Horn
commented
1 year ago I have reproduced your issue in my environment, which spurred me on to researching unbound's behaviour (see also my more detailed comment in the original Discourse issue from last week).
Your dig above requests the A record domain (cnamed), not the CNAME domain (nodered).
Both unbound as well as Pi-hole will answer that request with an IP.
However, unbound will answer the request for the CNAME domain (nodered) with the CNAME record - it does not expand CNAMEs:
~ $ dig nodered.myhouse.lan @127.0.0.1 -p5335
; <<>> DiG 9.11.5-P4-5.1+deb10u8-Raspbian <<>> nodered.myhouse.lan @127.0.0.1 -p5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58722
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;nodered.myhouse.lan. IN A
;; ANSWER SECTION:
nodered.myhouse.lan. 3600 IN CNAME cnamed.myhouse.lan.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Thu Sep 14 17:34:27 CEST 2023
;; MSG SIZE rcvd: 69Consequently, this is the same answer that Pi-hole is giving you (of course):
~ $ dig nodered.myhouse.lan
; <<>> DiG 9.11.5-P4-5.1+deb10u8-Raspbian <<>> nodered.myhouse.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57924
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;nodered.myhouse.lan. IN A
;; ANSWER SECTION:
nodered.myhouse.lan. 30 IN CNAME cnamed.myhouse.lan.
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 14 17:34:03 CEST 2023
;; MSG SIZE rcvd: 69This is also in line with your shared log excerpts from the Discourse discussion, which prompted me to point out that
Your log output suggests that Pi-hole has received that reply from your unbound.
It is a deliberate decision of unbound maintainer's to not expand those CNAMEs (as a guard against potential malicious intents like DNS cache poisoning, if I understood those discussions correctly that I have linked above).
So overall, I don't think this can be considered to be a bug, neither in pihole-FTL nor in dnsmasq.
NickJLange
commented
1 year ago Hi @Bucking-Horn - Thanks for spending some time here to replicate the behaviour. I agree with the premise that this behaviour is what the unbound product chose as intended behaviour of the software. Let me close the GI issue and we can move back to Discourse.
Thank you!
Versions
Platform
Expected behavior
Queries for local-zone entries will correctly resolve regardless of CNAME vs A vs AAAA query via IPv6 or IPv4 or type-queries.
Actual behavior / bug
Some form of race-condition occurs inside FTL that will get NODATA responses when, in fact, there is data from the upstream for that type
Copy/pasted from:
Steps to reproduce
Steps to reproduce the behavior:
Debug Token