Closed phillip-stephens closed 1 month ago
@zakird I hit the build-and-large-scan-test
too many times so now it's timing out. Other than that, this is ready for review, passing the tests I can think of.
While many servers do support CNAME Synthesis, I think it would be best to directly support DNAME's since synthesis was primarily designed for backwards compatibility and I think that researchers will want to know if they were actually just following a DNAME.
Sounds good, I'll add DNAME support and CNAME following on non-iterative queries!
@zakird When you have a chance, this is ready for review. I've updated the PR description, we're following DNAMEs now and I've tested external lookups.
I figure I'll wait to get rid of alookup
until we have #353 done and can perform A
and AAAA
at the same time.
It looks like
"protocol": "",
"resolver": ""
Are empty in the new code, despite being there in the old one. Can you look into?
It looks like
"protocol": "", "resolver": ""
Are empty in the new code, despite being there in the old one. Can you look into?
@zakird This definitely was the case with an older version of the code in this branch, but I believe I fixed it. Can you run git pull
and try with latest since I can't reproduce with the latest code.
echo "cloudflare.com" | ./zdns --local-addr "171.67.71.210" --name-servers "1.1.1.1" A
{"data":{"additionals":[{"flags":"","type":"EDNS0","udpsize":1232,"version":0}],"answers":[{"answer":"104.16.133.229","class":"IN","name":"cloudflare.com","ttl":253,"type":"A"},{"answer":"104.16.132.229","class":"IN","name":"cloudflare.com","ttl":253,"type":"A"}],"protocol":"udp","resolver":"1.1.1.1:53"},"name":"cloudflare.com","status":"NOERROR","timestamp":"2024-07-23T14:17:15Z"}
$ echo "cloudflare.com" | ./zdns A --iterative --local-addr "171.67.71.210" --name-servers "1.1.1.1"
{"data":{"answers":[{"answer":"104.16.133.229","class":"IN","name":"cloudflare.com","ttl":300,"type":"A"},{"answer":"104.16.132.229","class":"IN","name":"cloudflare.com","ttl":300,"type":"A"}],"protocol":"udp","resolver":"162.159.0.33:53"},"name":"cloudflare.com","status":"NOERROR","timestamp":"2024-07-23T14:17:02Z"}
I'm not sure that I follow. This is what's in the body of the PR:
{"data":{"answers":[{"answer":"grove1.prod.npr.psdops.com.","class":"IN","name":"www.wwno.org","ttl":1800,"type":"CNAME"}],"protocol":"udp","resolver":"64.125.77.13:53"},"name":"www.wwno.org","status":"NOERROR","timestamp":"2024-07-16T15:43:02Z"}
{"data":{"answers":[{"answer":"microjpm.webnode.page.","class":"IN","name":"www.microjpm.com","ttl":3600,"type":"CNAME"}],"protocol":"udp","resolver":"144.217.207.158:53"},"name":"www.microjpm.com","status":"NOERROR","timestamp":"2024-07-16T15:43:03Z"}
which does have this? If mainline doesn't do this, I don't follow how we ended up with that output.
Ohhhh, thought you were seeing this behavior on the branch. You're correct, I forgot to update the PR description. Just updated!
Resolves #347
Description
--follow-cnames=false
Testing
I found 3 domains that use CNAMES. I couldn't add a CNAME chain to
zdns-testing.com
for repeatable tests because Google Cloud "packs" the CNAME's + A records into a single answer to reduce round trips on resolution:Therefore, testing with Google Cloud doesn't work.
echo "www.wwno.org\nwww.wander-plus.com\nwww.microjpm.com" | ./zdns A --iterative
main Repo - Note how only CNAMES are returned, no A records
Phillip/347-cnames
CNAME with External Resolver
Most recursive resolvers will handle CNAMES for us:
But to prove that we're handling the CNAME traversal, we can point ZDNS to an authoritative nameserver for
wander-plus
and watch the logs:We can see that when the authoritative name server returned the CNAME, we attempted to follow it. Unfortunately, that nameserver isn't authoritative for the domain pointed to by the CNAME, but it shows the logic works. You can also see we return the last good status/result, similar to
dig
.DNAME Testing
See integration test
Turns out that DNS nameservers will perform CNAME Synthesis with DNAMES (for backwards compatibility for devices that don't support it) and our coreDNS resolver at
esrg.stanford.edu
is no different.To test the DNAME following, I inserted code to drop all CNAME answers manually. In this way, we'd only get the correct output if DNAMES were being followed.
I couldn't think of a reliable way to automate this testing, it doesn't seem that CoreDNS supports turning off CNAME Synthesis for DNAME's.
External Lookups
Here we can see when doing an external lookup against
dns-01.esrg.stanford.edu
, DNAMEs are being followed.(We first lookup a.zdns-dname.esrg.stanford.edu, and then query for
a.zdns-testing.com
, which the name server isn't authoritative for but it tests we're following it correctly.