Bug #11595

closed

Unbound responds with SERVFAIL when resolving DNS record through more than 8 CNAMEs due to hardcoded limit

Added by Tyler Szabo about 3 years ago. Updated about 3 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: DNS Resolver
Target version: -
Start date: 03/02/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

Query to pfSense:

$ drill logincdn.msauth.net
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 27105
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; logincdn.msauth.net. IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 618 msec
;; SERVER: <SERVER>
;; WHEN: Mon Mar  1 23:45:27 2021
;; MSG SIZE  rcvd: 37

DNS Resolver logs (log level 3):
Mar 1 23:45:29     unbound     82632:1     debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply 
Mar 1 23:45:29     unbound     82632:1     info: iterator operate: query logincdn.msauth.net. A IN
Mar 1 23:45:29     unbound     82632:1     info: iterator operate: chased to edge-prod-wstr3.ctrl.t-0001.trafficmanager.net. A IN
Mar 1 23:45:29     unbound     82632:1     info: response for logincdn.msauth.net. A IN
Mar 1 23:45:29     unbound     82632:1     info: reply from <trafficmanager.net.> 204.79.195.41#53
Mar 1 23:45:29     unbound     82632:1     info: query response was CNAME
Mar 1 23:45:29     unbound     82632:1     info: resolving logincdn.msauth.net. A IN
Mar 1 23:45:29     unbound     82632:1     debug: request has exceeded the maximum number of query restarts with 9
Mar 1 23:45:29     unbound     82632:1     debug: return error response SERVFAIL
Mar 1 23:45:29     unbound     82632:1     debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
Mar 1 23:45:29     unbound     82632:1     info: validator operate: query logincdn.msauth.net. A IN
Mar 1 23:45:29     unbound     82632:1     debug: cache memory msg=104673 rrset=189418 infra=67839 val=80539

Trace showing 9 CNAME records must be resolved before the final answer with an A record (nb. there are duplicates because some responses include multiple records in the answer and drill doesn't use that optimization):

$ drill -T logincdn.msauth.net
.       518400  IN      NS      g.root-servers.net.
.       518400  IN      NS      l.root-servers.net.
.       518400  IN      NS      b.root-servers.net.
.       518400  IN      NS      m.root-servers.net.
.       518400  IN      NS      d.root-servers.net.
.       518400  IN      NS      k.root-servers.net.
.       518400  IN      NS      e.root-servers.net.
.       518400  IN      NS      f.root-servers.net.
.       518400  IN      NS      i.root-servers.net.
.       518400  IN      NS      j.root-servers.net.
.       518400  IN      NS      h.root-servers.net.
.       518400  IN      NS      c.root-servers.net.
.       518400  IN      NS      a.root-servers.net.
net.    172800  IN      NS      c.gtld-servers.net.
net.    172800  IN      NS      m.gtld-servers.net.
net.    172800  IN      NS      k.gtld-servers.net.
net.    172800  IN      NS      j.gtld-servers.net.
net.    172800  IN      NS      h.gtld-servers.net.
net.    172800  IN      NS      i.gtld-servers.net.
net.    172800  IN      NS      g.gtld-servers.net.
net.    172800  IN      NS      d.gtld-servers.net.
net.    172800  IN      NS      f.gtld-servers.net.
net.    172800  IN      NS      l.gtld-servers.net.
net.    172800  IN      NS      e.gtld-servers.net.
net.    172800  IN      NS      b.gtld-servers.net.
net.    172800  IN      NS      a.gtld-servers.net.
msauth.net.     172800  IN      NS      a28-64.akam.net.
msauth.net.     172800  IN      NS      a5-65.akam.net.
msauth.net.     172800  IN      NS      a9-66.akam.net.
msauth.net.     172800  IN      NS      a1-115.akam.net.
msauth.net.     172800  IN      NS      ns1-05.azure-dns.com.
msauth.net.     172800  IN      NS      ns2-05.azure-dns.net.
msauth.net.     172800  IN      NS      ns3-05.azure-dns.org.
msauth.net.     172800  IN      NS      ns4-05.azure-dns.info.
logincdn.msauth.net.    300     IN      CNAME   lgincdn.trafficmanager.net.
trafficmanager.net.     172800  IN      NS      tm1.edgedns-tm.info.
trafficmanager.net.     172800  IN      NS      tm2.edgedns-tm.info.
trafficmanager.net.     172800  IN      NS      tm1.dns-tm.com.
trafficmanager.net.     172800  IN      NS      tm2.dns-tm.com.
lgincdn.trafficmanager.net.     30      IN      CNAME   lgincdnmsftuswe2.azureedge.net.
azureedge.net.  172800  IN      NS      ns2prod.6893.azuredns-prd.info.
azureedge.net.  172800  IN      NS      ns1prod.6893.azuredns-prd.info.
azureedge.net.  172800  IN      NS      ns2prod.6893.azuredns-prd.org.
azureedge.net.  172800  IN      NS      ns1prod.6893.azuredns-prd.org.
lgincdnmsftuswe2.azureedge.net. 1800    IN      CNAME   lgincdnmsftuswe2.afd.azureedge.net.
afd.azureedge.net.      3600    IN      NS      ns3-04.azure-dns.org.
afd.azureedge.net.      3600    IN      NS      ns2-04.azure-dns.net.
afd.azureedge.net.      3600    IN      NS      ns4-04.azure-dns.info.
afd.azureedge.net.      3600    IN      NS      ns1-04.azure-dns.com.
lgincdnmsftuswe2.afd.azureedge.net.     30      IN      CNAME   star-azureedge-prod.trafficmanager.net.
star-azureedge-prod.trafficmanager.net. 30      IN      CNAME   dual.t-0009.t-msedge.net.
t-msedge.net.   172800  IN      NS      ns1.t-msedge.net.
t-msedge.net.   172800  IN      NS      ns2.t-msedge.net.
dual.t-0009.t-msedge.net.       240     IN      CNAME   t-0009.t-msedge.net.
t-0009.t-msedge.net.    60      IN      CNAME   Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.
Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.       240     IN      CNAME   edge-prod-wstr3.ctrl.t-0001.trafficmanager.net.
t-0009.t-msedge.net.    60      IN      CNAME   Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.
Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.       240     IN      CNAME   edge-prod-wstr3.ctrl.t-0001.trafficmanager.net.
Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.       240     IN      CNAME   edge-prod-wstr3.ctrl.t-0001.trafficmanager.net.
edge-prod-wstr3.ctrl.t-0001.trafficmanager.net. 0       IN      CNAME   standard.t-0009.t-msedge.net.
standard.t-0009.t-msedge.net.   240     IN      A       13.107.246.19
standard.t-0009.t-msedge.net.   240     IN      A       13.107.213.19

Files

dns-trace.txt (36.5 KB), Tyler Szabo, 03/02/2021 01:56 AM

Related issues

Has duplicate Bug #12946: Unbound will not resolve long CNAME chains (Duplicate)
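An added example, not code from the report or from Unbound, that walks the CNAME chain in the `drill -T` trace above and counts how many query restarts a resolver needs before it reaches an A record. It indexes the trace by lowercased owner name (DNS matching is case-insensitive, and the trace mixes `Edge-Prod-WSTr3` with `edge-prod-wstr3`), drops the duplicate lines the reporter mentions, and stops on a loop or when the hop count passes a cap. The cap of 8 is taken from the report's title and the "exceeded the maximum number of query restarts with 9" log line; it is an assumed constant here, not an Unbound option, and the loop sample at the bottom is constructed.

```python
"""Count CNAME hops in a drill -T style trace and compare against a restart cap.

Added example; not code from the pfSense report or from Unbound. The TRACE
lines are the CNAME/A records copied from the report's drill -T output. The
cap MAX_RESTARTS = 8 is assumed from the report (title and the "with 9" log
line), not read from any resolver configuration.
"""
from typing import Dict, List, Tuple

MAX_RESTARTS = 8  # assumed: one restart per CNAME hop, cap per the report

TRACE = """\
logincdn.msauth.net.    300     IN      CNAME   lgincdn.trafficmanager.net.
lgincdn.trafficmanager.net.     30      IN      CNAME   lgincdnmsftuswe2.azureedge.net.
lgincdnmsftuswe2.azureedge.net. 1800    IN      CNAME   lgincdnmsftuswe2.afd.azureedge.net.
lgincdnmsftuswe2.afd.azureedge.net.     30      IN      CNAME   star-azureedge-prod.trafficmanager.net.
star-azureedge-prod.trafficmanager.net. 30      IN      CNAME   dual.t-0009.t-msedge.net.
dual.t-0009.t-msedge.net.       240     IN      CNAME   t-0009.t-msedge.net.
t-0009.t-msedge.net.    60      IN      CNAME   Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.
Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.       240     IN      CNAME   edge-prod-wstr3.ctrl.t-0001.trafficmanager.net.
t-0009.t-msedge.net.    60      IN      CNAME   Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.
Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.       240     IN      CNAME   edge-prod-wstr3.ctrl.t-0001.trafficmanager.net.
edge-prod-wstr3.ctrl.t-0001.trafficmanager.net. 0       IN      CNAME   standard.t-0009.t-msedge.net.
standard.t-0009.t-msedge.net.   240     IN      A       13.107.246.19
standard.t-0009.t-msedge.net.   240     IN      A       13.107.213.19
"""

# Constructed two-record loop, to show the walker does not spin forever.
LOOP_TRACE = """\
a.example.  60  IN  CNAME  b.example.
b.example.  60  IN  CNAME  a.example.
"""


def parse_trace(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Index owner -> [(type, rdata)] for CNAME/A/AAAA lines, deduplicated.

    Owner names and CNAME targets are lowercased and stripped of the trailing
    dot so that mixed-case owners still match the targets that point at them.
    NS and other record types in the trace are ignored.
    """
    rrs: Dict[str, List[Tuple[str, str]]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN":
            continue  # not a presentation-format RR line
        owner, _ttl, _cls, rtype, rdata = parts
        if rtype not in ("CNAME", "A", "AAAA"):
            continue
        owner = owner.lower().rstrip(".")
        if rtype == "CNAME":
            rdata = rdata.lower().rstrip(".")
        bucket = rrs.setdefault(owner, [])
        if (rtype, rdata) not in bucket:
            bucket.append((rtype, rdata))
    return rrs


def follow_cname_chain(rrs: Dict[str, List[Tuple[str, str]]], qname: str,
                       max_restarts: int = MAX_RESTARTS):
    """Follow CNAMEs from qname and return (hops, status, last_name, addresses).

    status is "answer" when an A/AAAA set is reached, "servfail" when the hop
    count exceeds max_restarts (the report's failure mode), "loop" when a name
    repeats, or "nodata" when the trace has no record for the name.
    """
    name = qname.lower().rstrip(".")
    seen = set()
    hops = 0
    while True:
        records = rrs.get(name, [])
        addrs = [r for t, r in records if t in ("A", "AAAA")]
        if addrs:
            return hops, "answer", name, addrs
        cnames = [r for t, r in records if t == "CNAME"]
        if not cnames:
            return hops, "nodata", name, []
        if name in seen:
            return hops, "loop", name, []
        seen.add(name)
        hops += 1  # each CNAME target forces the resolver to restart the query
        if hops > max_restarts:
            return hops, "servfail", name, []
        name = cnames[0]


if __name__ == "__main__":
    chain = parse_trace(TRACE)
    for cap in (MAX_RESTARTS, 11):
        hops, status, last, addrs = follow_cname_chain(chain, "logincdn.msauth.net", cap)
        print(f"cap={cap}: {hops} hops, {status}, stopped at {last} {addrs}")
    print(follow_cname_chain(parse_trace(LOOP_TRACE), "a.example"))
```

Running it against the reporter's trace gives 9 hops, which is a SERVFAIL at a cap of 8 and an answer of `13.107.246.19` / `13.107.213.19` once the cap is above 9; the same walker returns `loop` for the constructed two-record cycle rather than looping. The cap is the resolver's protection against CNAME loops and against a zone that makes a recursive resolver chase an unbounded chain, which is why a resolver cannot simply follow every chain it is handed.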

Actions #1

Updated by Tyler Szabo about 3 years ago

Title should read "Unbound"; not sure how I got "Unblound" in there.

Actions #2

Updated by Jim Pingle about 3 years ago

  • Subject changed from Unblound responds with SERVFAIL when resolving DNS record through more than 8 CNAMEs due to hardcoded limit to Unbound responds with SERVFAIL when resolving DNS record through more than 8 CNAMEs due to hardcoded limit
  • Status changed from New to Not a Bug

Turn off "Query Name Minimization" in the Unbound advanced settings. With that off I can resolve the host you show; with it on, it doesn't resolve.

Otherwise, report it upstream to Unbound; beyond that, it's not a settings issue, so it's out of our control.

Actions #3

Updated by Tyler Szabo about 3 years ago

Query Name Minimization was disabled for me and I just checked both states and it appears to still occur. It's possible that you had a different set of responses from where you tested and didn't reproduce the same issue.

With that said, this is indeed something that would either need to be fixed upstream or patched for the pfSense build of Unbound as there's no configuration change that can resolve it.

I think this is still a bug because the only fix is to stop doing recursive resolution or use another DNS server but I'm not sure how upstream bugs are tracked here.

Actions #4

Updated by Jim Pingle about 3 years ago

Tyler Szabo wrote:

> Query Name Minimization was disabled for me and I just checked both states and it appears to still occur. It's possible that you had a different set of responses from where you tested and didn't reproduce the same issue.

I tried it several times and I could only reproduce it with that option enabled. Googling the error you had in your logs also only produced hits where users had that option enabled as well.

> With that said, this is indeed something that would either need to be fixed upstream or patched for the pfSense build of Unbound as there's no configuration change that can resolve it.
>
> I think this is still a bug because the only fix is to stop doing recursive resolution or use another DNS server but I'm not sure how upstream bugs are tracked here.

Generally speaking we do not track upstream bugs of this nature unless they have a significant negative impact on a large portion of the user base, they'd have to be reported directly upstream.

Actions #5

Updated by Jim Pingle about 2 years ago

  • Has duplicate Bug #12946: Unbound will not resolve long CNAME chains added