Bug #11595
Unbound responds with SERVFAIL when resolving DNS record through more than 8 CNAMEs due to hardcoded limit
Status: Closed
Description
Query to pfSense:
$ drill logincdn.msauth.net
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 27105
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; logincdn.msauth.net. IN A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 618 msec
;; SERVER: <SERVER>
;; WHEN: Mon Mar 1 23:45:27 2021
;; MSG SIZE rcvd: 37
DNS Resolver logs (log level 3):
Mar 1 23:45:29 unbound 82632:1 debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply
Mar 1 23:45:29 unbound 82632:1 info: iterator operate: query logincdn.msauth.net. A IN
Mar 1 23:45:29 unbound 82632:1 info: iterator operate: chased to edge-prod-wstr3.ctrl.t-0001.trafficmanager.net. A IN
Mar 1 23:45:29 unbound 82632:1 info: response for logincdn.msauth.net. A IN
Mar 1 23:45:29 unbound 82632:1 info: reply from <trafficmanager.net.> 204.79.195.41#53
Mar 1 23:45:29 unbound 82632:1 info: query response was CNAME
Mar 1 23:45:29 unbound 82632:1 info: resolving logincdn.msauth.net. A IN
Mar 1 23:45:29 unbound 82632:1 debug: request has exceeded the maximum number of query restarts with 9
Mar 1 23:45:29 unbound 82632:1 debug: return error response SERVFAIL
Mar 1 23:45:29 unbound 82632:1 debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
Mar 1 23:45:29 unbound 82632:1 info: validator operate: query logincdn.msauth.net. A IN
Mar 1 23:45:29 unbound 82632:1 debug: cache memory msg=104673 rrset=189418 infra=67839 val=80539
Trace showing 9 CNAME records must be resolved before the final answer with an A record (nb. there are duplicates because some responses include multiple records in the answer and drill doesn't use that optimization):
$ drill -T logincdn.msauth.net
. 518400 IN NS g.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS a.root-servers.net.
net. 172800 IN NS c.gtld-servers.net.
net. 172800 IN NS m.gtld-servers.net.
net. 172800 IN NS k.gtld-servers.net.
net. 172800 IN NS j.gtld-servers.net.
net. 172800 IN NS h.gtld-servers.net.
net. 172800 IN NS i.gtld-servers.net.
net. 172800 IN NS g.gtld-servers.net.
net. 172800 IN NS d.gtld-servers.net.
net. 172800 IN NS f.gtld-servers.net.
net. 172800 IN NS l.gtld-servers.net.
net. 172800 IN NS e.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
net. 172800 IN NS a.gtld-servers.net.
msauth.net. 172800 IN NS a28-64.akam.net.
msauth.net. 172800 IN NS a5-65.akam.net.
msauth.net. 172800 IN NS a9-66.akam.net.
msauth.net. 172800 IN NS a1-115.akam.net.
msauth.net. 172800 IN NS ns1-05.azure-dns.com.
msauth.net. 172800 IN NS ns2-05.azure-dns.net.
msauth.net. 172800 IN NS ns3-05.azure-dns.org.
msauth.net. 172800 IN NS ns4-05.azure-dns.info.
logincdn.msauth.net. 300 IN CNAME lgincdn.trafficmanager.net.
trafficmanager.net. 172800 IN NS tm1.edgedns-tm.info.
trafficmanager.net. 172800 IN NS tm2.edgedns-tm.info.
trafficmanager.net. 172800 IN NS tm1.dns-tm.com.
trafficmanager.net. 172800 IN NS tm2.dns-tm.com.
lgincdn.trafficmanager.net. 30 IN CNAME lgincdnmsftuswe2.azureedge.net.
azureedge.net. 172800 IN NS ns2prod.6893.azuredns-prd.info.
azureedge.net. 172800 IN NS ns1prod.6893.azuredns-prd.info.
azureedge.net. 172800 IN NS ns2prod.6893.azuredns-prd.org.
azureedge.net. 172800 IN NS ns1prod.6893.azuredns-prd.org.
lgincdnmsftuswe2.azureedge.net. 1800 IN CNAME lgincdnmsftuswe2.afd.azureedge.net.
afd.azureedge.net. 3600 IN NS ns3-04.azure-dns.org.
afd.azureedge.net. 3600 IN NS ns2-04.azure-dns.net.
afd.azureedge.net. 3600 IN NS ns4-04.azure-dns.info.
afd.azureedge.net. 3600 IN NS ns1-04.azure-dns.com.
lgincdnmsftuswe2.afd.azureedge.net. 30 IN CNAME star-azureedge-prod.trafficmanager.net.
star-azureedge-prod.trafficmanager.net. 30 IN CNAME dual.t-0009.t-msedge.net.
t-msedge.net. 172800 IN NS ns1.t-msedge.net.
t-msedge.net. 172800 IN NS ns2.t-msedge.net.
dual.t-0009.t-msedge.net. 240 IN CNAME t-0009.t-msedge.net.
t-0009.t-msedge.net. 60 IN CNAME Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.
Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net. 240 IN CNAME edge-prod-wstr3.ctrl.t-0001.trafficmanager.net.
t-0009.t-msedge.net. 60 IN CNAME Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.
Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net. 240 IN CNAME edge-prod-wstr3.ctrl.t-0001.trafficmanager.net.
Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net. 240 IN CNAME edge-prod-wstr3.ctrl.t-0001.trafficmanager.net.
edge-prod-wstr3.ctrl.t-0001.trafficmanager.net. 0 IN CNAME standard.t-0009.t-msedge.net.
standard.t-0009.t-msedge.net. 240 IN A 13.107.246.19
standard.t-0009.t-msedge.net. 240 IN A 13.107.213.19
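As an added example (not code from this report, pfSense or Unbound), a small Python checker that parses `drill -T` output like the trace above, collapses drill's duplicate records, follows the CNAME chain case-insensitively (the trace mixes `Edge-Prod-WSTr3` and `edge-prod-wstr3`), detects loops, and reports whether the chain depth exceeds the 8 query restarts Unbound allows before returning SERVFAIL. The sample records are constructed from the trace above; `parse_trace`, `follow_chain` and `check_resolvable` are names chosen here.

```python
import re
# Unbound answers SERVFAIL once a query has been restarted more than this many times
# (MAX_RESTART_COUNT in its iterator); every CNAME hop costs one restart.
UNBOUND_MAX_RESTARTS = 8
# Constructed sample: the CNAME and A records from the trace above, in drill's order, one duplicate included.
SAMPLE_TRACE = """\
logincdn.msauth.net. 300 IN CNAME lgincdn.trafficmanager.net.
lgincdn.trafficmanager.net. 30 IN CNAME lgincdnmsftuswe2.azureedge.net.
lgincdnmsftuswe2.azureedge.net. 1800 IN CNAME lgincdnmsftuswe2.afd.azureedge.net.
lgincdnmsftuswe2.afd.azureedge.net. 30 IN CNAME star-azureedge-prod.trafficmanager.net.
star-azureedge-prod.trafficmanager.net. 30 IN CNAME dual.t-0009.t-msedge.net.
dual.t-0009.t-msedge.net. 240 IN CNAME t-0009.t-msedge.net.
t-0009.t-msedge.net. 60 IN CNAME Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.
Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net. 240 IN CNAME edge-prod-wstr3.ctrl.t-0001.trafficmanager.net.
t-0009.t-msedge.net. 60 IN CNAME Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.
edge-prod-wstr3.ctrl.t-0001.trafficmanager.net. 0 IN CNAME standard.t-0009.t-msedge.net.
standard.t-0009.t-msedge.net. 240 IN A 13.107.246.19
standard.t-0009.t-msedge.net. 240 IN A 13.107.213.19
"""
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A|AAAA)\s+(\S+)$")

def parse_trace(text):
    """Map owner -> CNAME target and owner -> [addresses]; names lowercased, trailing dot dropped."""
    cnames, addrs = {}, {}
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if not m:
            continue  # NS delegations and drill's header lines play no part in the chain
        owner, rtype, rdata = m.group(1).lower().rstrip("."), m.group(2), m.group(3)
        if rtype == "CNAME":
            cnames[owner] = rdata.lower().rstrip(".")  # repeated records collapse here
        else:
            addrs.setdefault(owner, []).append(rdata)
    return cnames, addrs

def follow_chain(name, cnames):
    """Return the owners that were CNAMEs, in order, and the final non-CNAME name; loops raise."""
    hops, cur = [], name.lower().rstrip(".")
    while cur in cnames:
        if cur in hops:
            raise ValueError("CNAME loop at " + cur)
        hops.append(cur)
        cur = cnames[cur]
    return hops, cur

def check_resolvable(name, trace, limit=UNBOUND_MAX_RESTARTS):
    # Chain depth for `name`, and whether a resolver allowing `limit` restarts would SERVFAIL.
    cnames, addrs = parse_trace(trace)
    hops, final = follow_chain(name, cnames)
    return {"cnames": len(hops), "final": final, "addresses": addrs.get(final, []),
            "expect_servfail": len(hops) > limit}
```

Running `check_resolvable("logincdn.msauth.net", SAMPLE_TRACE)` reports 9 CNAMEs ending at `standard.t-0009.t-msedge.net`, so `expect_servfail` is true, matching the "exceeded the maximum number of query restarts with 9" log line.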
Updated by Tyler Szabo about 4 years ago
Title should read "Unbound"; not sure how I got "Unblound" in there.
Updated by Jim Pingle about 4 years ago
- Subject changed from Unblound responds with SERVFAIL when resolving DNS record through more than 8 CNAMEs due to hardcoded limit to Unbound responds with SERVFAIL when resolving DNS record through more than 8 CNAMEs due to hardcoded limit
- Status changed from New to Not a Bug
Turn off "Query Name Minimization" in the Unbound advanced settings. With that off I can resolve the host you show, with that on it doesn't resolve.
Otherwise, report it upstream to Unbound; beyond that, it's not a settings issue, so it's out of our control.
Updated by Tyler Szabo about 4 years ago
Query Name Minimization was disabled for me and I just checked both states and it appears to still occur. It's possible that you had a different set of responses from where you tested and didn't reproduce the same issue.
With that said, this is indeed something that would either need to be fixed upstream or patched for the pfSense build of Unbound as there's no configuration change that can resolve it.
I think this is still a bug because the only fix is to stop doing recursive resolution or use another DNS server, but I'm not sure how upstream bugs are tracked here.
Updated by Jim Pingle about 4 years ago
Tyler Szabo wrote:
> Query Name Minimization was disabled for me and I just checked both states and it appears to still occur. It's possible that you had a different set of responses from where you tested and didn't reproduce the same issue.
I tried it several times and I could only reproduce it with that option enabled. Googling the error you had in your logs also only produced hits where users had that option enabled as well.
> With that said, this is indeed something that would either need to be fixed upstream or patched for the pfSense build of Unbound as there's no configuration change that can resolve it.
> I think this is still a bug because the only fix is to stop doing recursive resolution or use another DNS server, but I'm not sure how upstream bugs are tracked here.
Generally speaking, we do not track upstream bugs of this nature unless they have a significant negative impact on a large portion of the user base; they'd have to be reported directly upstream.
Updated by Jim Pingle about 3 years ago
- Has duplicate Bug #12946: Unbound will not resolve long CNAME chains added