Bug #11595

closed

Unbound responds with SERVFAIL when resolving DNS record through more than 8 CNAMEs due to hardcoded limit

Added by Tyler Szabo about 3 years ago. Updated about 3 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: DNS Resolver
Target version: -
Start date: 03/02/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

Query to pfSense:

$ drill logincdn.msauth.net
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 27105
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; logincdn.msauth.net. IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 618 msec
;; SERVER: <SERVER>
;; WHEN: Mon Mar  1 23:45:27 2021
;; MSG SIZE  rcvd: 37

DNS Resolver logs (log level 3):

Mar 1 23:45:29     unbound     82632:1     debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply 
Mar 1 23:45:29     unbound     82632:1     info: iterator operate: query logincdn.msauth.net. A IN
Mar 1 23:45:29     unbound     82632:1     info: iterator operate: chased to edge-prod-wstr3.ctrl.t-0001.trafficmanager.net. A IN
Mar 1 23:45:29     unbound     82632:1     info: response for logincdn.msauth.net. A IN
Mar 1 23:45:29     unbound     82632:1     info: reply from <trafficmanager.net.> 204.79.195.41#53
Mar 1 23:45:29     unbound     82632:1     info: query response was CNAME
Mar 1 23:45:29     unbound     82632:1     info: resolving logincdn.msauth.net. A IN
Mar 1 23:45:29     unbound     82632:1     debug: request has exceeded the maximum number of query restarts with 9
Mar 1 23:45:29     unbound     82632:1     debug: return error response SERVFAIL
Mar 1 23:45:29     unbound     82632:1     debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
Mar 1 23:45:29     unbound     82632:1     info: validator operate: query logincdn.msauth.net. A IN
Mar 1 23:45:29     unbound     82632:1     debug: cache memory msg=104673 rrset=189418 infra=67839 val=80539

Trace showing that 9 CNAME records must be resolved before the final answer with an A record (N.B. there are duplicates because some responses include multiple records in the answer and drill doesn't use that optimization):

$ drill -T logincdn.msauth.net
.       518400  IN      NS      g.root-servers.net.
.       518400  IN      NS      l.root-servers.net.
.       518400  IN      NS      b.root-servers.net.
.       518400  IN      NS      m.root-servers.net.
.       518400  IN      NS      d.root-servers.net.
.       518400  IN      NS      k.root-servers.net.
.       518400  IN      NS      e.root-servers.net.
.       518400  IN      NS      f.root-servers.net.
.       518400  IN      NS      i.root-servers.net.
.       518400  IN      NS      j.root-servers.net.
.       518400  IN      NS      h.root-servers.net.
.       518400  IN      NS      c.root-servers.net.
.       518400  IN      NS      a.root-servers.net.
net.    172800  IN      NS      c.gtld-servers.net.
net.    172800  IN      NS      m.gtld-servers.net.
net.    172800  IN      NS      k.gtld-servers.net.
net.    172800  IN      NS      j.gtld-servers.net.
net.    172800  IN      NS      h.gtld-servers.net.
net.    172800  IN      NS      i.gtld-servers.net.
net.    172800  IN      NS      g.gtld-servers.net.
net.    172800  IN      NS      d.gtld-servers.net.
net.    172800  IN      NS      f.gtld-servers.net.
net.    172800  IN      NS      l.gtld-servers.net.
net.    172800  IN      NS      e.gtld-servers.net.
net.    172800  IN      NS      b.gtld-servers.net.
net.    172800  IN      NS      a.gtld-servers.net.
msauth.net.     172800  IN      NS      a28-64.akam.net.
msauth.net.     172800  IN      NS      a5-65.akam.net.
msauth.net.     172800  IN      NS      a9-66.akam.net.
msauth.net.     172800  IN      NS      a1-115.akam.net.
msauth.net.     172800  IN      NS      ns1-05.azure-dns.com.
msauth.net.     172800  IN      NS      ns2-05.azure-dns.net.
msauth.net.     172800  IN      NS      ns3-05.azure-dns.org.
msauth.net.     172800  IN      NS      ns4-05.azure-dns.info.
logincdn.msauth.net.    300     IN      CNAME   lgincdn.trafficmanager.net.
trafficmanager.net.     172800  IN      NS      tm1.edgedns-tm.info.
trafficmanager.net.     172800  IN      NS      tm2.edgedns-tm.info.
trafficmanager.net.     172800  IN      NS      tm1.dns-tm.com.
trafficmanager.net.     172800  IN      NS      tm2.dns-tm.com.
lgincdn.trafficmanager.net.     30      IN      CNAME   lgincdnmsftuswe2.azureedge.net.
azureedge.net.  172800  IN      NS      ns2prod.6893.azuredns-prd.info.
azureedge.net.  172800  IN      NS      ns1prod.6893.azuredns-prd.info.
azureedge.net.  172800  IN      NS      ns2prod.6893.azuredns-prd.org.
azureedge.net.  172800  IN      NS      ns1prod.6893.azuredns-prd.org.
lgincdnmsftuswe2.azureedge.net. 1800    IN      CNAME   lgincdnmsftuswe2.afd.azureedge.net.
afd.azureedge.net.      3600    IN      NS      ns3-04.azure-dns.org.
afd.azureedge.net.      3600    IN      NS      ns2-04.azure-dns.net.
afd.azureedge.net.      3600    IN      NS      ns4-04.azure-dns.info.
afd.azureedge.net.      3600    IN      NS      ns1-04.azure-dns.com.
lgincdnmsftuswe2.afd.azureedge.net.     30      IN      CNAME   star-azureedge-prod.trafficmanager.net.
star-azureedge-prod.trafficmanager.net. 30      IN      CNAME   dual.t-0009.t-msedge.net.
t-msedge.net.   172800  IN      NS      ns1.t-msedge.net.
t-msedge.net.   172800  IN      NS      ns2.t-msedge.net.
dual.t-0009.t-msedge.net.       240     IN      CNAME   t-0009.t-msedge.net.
t-0009.t-msedge.net.    60      IN      CNAME   Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.
Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.       240     IN      CNAME   edge-prod-wstr3.ctrl.t-0001.trafficmanager.net.
t-0009.t-msedge.net.    60      IN      CNAME   Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.
Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.       240     IN      CNAME   edge-prod-wstr3.ctrl.t-0001.trafficmanager.net.
Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.       240     IN      CNAME   edge-prod-wstr3.ctrl.t-0001.trafficmanager.net.
edge-prod-wstr3.ctrl.t-0001.trafficmanager.net. 0       IN      CNAME   standard.t-0009.t-msedge.net.
standard.t-0009.t-msedge.net.   240     IN      A       13.107.246.19
standard.t-0009.t-msedge.net.   240     IN      A       13.107.213.19

Files

dns-trace.txt (36.5 KB), Tyler Szabo, 03/02/2021 01:56 AM

Related issues

Has duplicate Bug #12946: Unbound will not resolve long CNAME chains (Duplicate)
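
A checker for the condition reported in this issue, added here as an example and not part of the original report or of Unbound's code: it walks the CNAME chain in drill -T output, collapsing duplicate lines and mixed-case names, and compares the hop count with the limit of 8 named in the issue title. The names TRACE, follow_chain and exceeds_limit are chosen for this example, and the limit value is an assumption taken from the title, not read from Unbound.

```python
import re

# Limit from the issue title ("more than 8 CNAMEs"); assumed here, not read from Unbound.
MAX_CNAME_HOPS = 8

# Constructed sample: CNAME/A lines copied from the drill -T trace above, one duplicate kept.
TRACE = """\
logincdn.msauth.net.    300     IN      CNAME   lgincdn.trafficmanager.net.
lgincdn.trafficmanager.net.     30      IN      CNAME   lgincdnmsftuswe2.azureedge.net.
lgincdnmsftuswe2.azureedge.net. 1800    IN      CNAME   lgincdnmsftuswe2.afd.azureedge.net.
lgincdnmsftuswe2.afd.azureedge.net.     30      IN      CNAME   star-azureedge-prod.trafficmanager.net.
star-azureedge-prod.trafficmanager.net. 30      IN      CNAME   dual.t-0009.t-msedge.net.
dual.t-0009.t-msedge.net.       240     IN      CNAME   t-0009.t-msedge.net.
t-0009.t-msedge.net.    60      IN      CNAME   Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.
Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.       240     IN      CNAME   edge-prod-wstr3.ctrl.t-0001.trafficmanager.net.
t-0009.t-msedge.net.    60      IN      CNAME   Edge-Prod-WSTr3.ctrl.t-0009.t-msedge.net.
edge-prod-wstr3.ctrl.t-0001.trafficmanager.net. 0       IN      CNAME   standard.t-0009.t-msedge.net.
standard.t-0009.t-msedge.net.   240     IN      A       13.107.246.19
standard.t-0009.t-msedge.net.   240     IN      A       13.107.213.19
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A|AAAA)\s+(\S+)$")

def norm(name):
    return name.lower().rstrip(".") + "."  # DNS names compare case-insensitively

def follow_chain(trace, qname):
    """Return (cname_targets, addresses) reached from qname in the trace text."""
    cname, addrs = {}, {}
    for line in trace.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue  # NS delegations and anything that is not CNAME/A/AAAA
        owner, rtype, rdata = norm(m.group(1)), m.group(2), m.group(3)
        if rtype == "CNAME":
            cname[owner] = norm(rdata)  # repeated lines collapse to one hop
        elif rdata not in addrs.setdefault(owner, []):
            addrs[owner].append(rdata)
    hops, name = [], norm(qname)
    while name in cname:
        if cname[name] in hops or cname[name] == norm(qname):
            raise ValueError("CNAME loop at " + name)
        name = cname[name]
        hops.append(name)
    return hops, addrs.get(name, [])

def exceeds_limit(trace, qname, limit=MAX_CNAME_HOPS):
    hops, _ = follow_chain(trace, qname)
    return len(hops) > limit
```

Run against a resolver's monitored names, a chain longer than the limit marks a name that will return SERVFAIL through this resolver even though the upstream zone data is valid.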
