Bug #14853

open

Missing response for AAAA or A queries for blacklisted domains in Python mode

Added by Andre Brait about 1 year ago. Updated 17 days ago.

Status: Pull Request Review
Priority: Normal
Assignee: -
Category: pfBlockerNG
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture: All

Description

In Python mode, when a domain is blacklisted, the result gets cached in the dnsblDB dictionary for caching and faster retrieval in future requests.

If found there, the response is assembled from the stored data. Currently, that includes the IP address included in the response.

That works OK if the first query comes for a given record type, and that one gets repeated, but it results in an empty response if the recorded IP address is incompatible with the expected response (e.g. the cached result for an A record will contain 10.10.10.1, but the current query is for an AAAA record, thus failing to respond with the proper AAAA address, or vice-versa if the AAAA record is queried first).

Steps to reproduce:

1. Switch to Python mode with DNSBL Blocking turned ON
2. Add a domain to the blacklist through the Feeds
3. Query the AAAA (or A) record for that domain. It should contain a valid IP address.
4. Query the A (or AAAA, if the first one was A) record for that domain
5. The last response will contain no IP address

In order to test it the other way around, just restart the DNS Resolver service or Update DNSBL again.

Example:

andre@Andre-PC MSYS ~
$ dig AAAA www.top-daily-profit.com

; <<>> DiG 9.17.15 <<>> AAAA www.top-daily-profit.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35220
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;www.top-daily-profit.com.      IN      AAAA

;; ANSWER SECTION:
www.top-daily-profit.com. 60    IN      AAAA    ::10.10.10.1

;; Query time: 27 msec
;; SERVER: 10.0.0.1#53(10.0.0.1) (UDP)
;; WHEN: Sat Oct 07 21:23:58 Romance Summer Time 2023
;; MSG SIZE  rcvd: 81

andre@Andre-PC MSYS ~
$ dig A www.top-daily-profit.com

; <<>> DiG 9.17.15 <<>> A www.top-daily-profit.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9356
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;www.top-daily-profit.com.      IN      A

;; Query time: 11 msec
;; SERVER: 10.0.0.1#53(10.0.0.1) (UDP)
;; WHEN: Sat Oct 07 21:24:02 Romance Summer Time 2023
;; MSG SIZE  rcvd: 53
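
The cache behaviour described in this report, as an added example that is not part of the original report and is not pfBlockerNG's own code. It is a simplified model: the `dnsblDB` name and the two sinkhole addresses come from the report, while the class names, the `b_ip` key and the per-query-type correction are assumptions made for illustration.

```python
import ipaddress

# Sinkhole addresses as shown in the dig output above.
SINKHOLE = {"A": "10.10.10.1", "AAAA": "::10.10.10.1"}
RR_IP_VERSION = {"A": 4, "AAAA": 6}


def rdata_for(qtype, address):
    """Return address if it is valid rdata for qtype, else None (empty answer)."""
    if ipaddress.ip_address(address).version == RR_IP_VERSION[qtype]:
        return address
    return None


class CacheWithAddress:
    """Model of the reported behaviour: the first answer's IP is cached per domain."""

    def __init__(self):
        self.dnsblDB = {}

    def answer(self, qname, qtype):
        # "b_ip" is a hypothetical key name used only in this model.
        entry = self.dnsblDB.setdefault(qname, {"b_ip": SINKHOLE[qtype]})
        return rdata_for(qtype, entry["b_ip"])


class CacheByVerdict:
    """One possible correction: cache the block verdict, pick the IP per query type."""

    def __init__(self):
        self.dnsblDB = {}

    def answer(self, qname, qtype):
        self.dnsblDB.setdefault(qname, {"blocked": True})
        return rdata_for(qtype, SINKHOLE[qtype])


def replay(cache, queries):
    """Run (qname, qtype) queries in order and collect the rdata returned."""
    return [cache.answer(qname, qtype) for qname, qtype in queries]


if __name__ == "__main__":
    name = "www.top-daily-profit.com"
    for cls in (CacheWithAddress, CacheByVerdict):
        print(cls.__name__, replay(cls(), [(name, "AAAA"), (name, "A")]))
```

A `None` in the result stands for the empty answer section seen in the second dig query above.
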
Actions #2

Updated by Chris Collins 17 days ago

Not sure if this is related, but I noticed some queries made to blocked domains on pfBlockerNG, and I also have Python mode enabled; the queries may return with SERVFAIL for AAAA. Instead there simply should be no result or an IPv6 listener for the VIP webserver.

Actions #3

Updated by Chris Collins 17 days ago

Note it doesn't happen to all domains; when it does happen, it always happens for that domain, and vice versa for when it doesn't happen, so it's not a random condition. It's consistent when it triggers, but there is no reasonable explanation for the behaviour.
