Bug #3422 (closed)
Diagnostics > DNS lookup gives spurious results
Description
In the DNS lookup diagnostics page, enter "psg.com" and you get:
147.28.0.62/32, nlns.globnix.net./32, rip.psg.com./32, psg.com./32, 2001:418:1::62/32, 147.28.0.39/32, 2001:418:1::39/32
(and yet psg.com has only one A record and one AAAA record; the other results are spurious)
Enter "www.sanog.org" and you get only
149.20.54.61
(and yet www.sanog.org has an AAAA record in addition to the A record; it's missing)
Expected behaviour: that it would return exactly the set of A and AAAA RRs matching the given query.
Updated by Chris Buechler over 11 years ago
- Status changed from New to Feedback
Can't replicate. What does the output of dig show for psg.com for you?
Updated by Brian Candler over 11 years ago
Here you go - plain dig, dig asking for A, dig asking for AAAA. Of course, what's of interest is what's in the "ANSWER" sections. Also, screenshot from pfsense.
[2.1-RELEASE][admin@fw1.example.net]/root(3): dig psg.com.

; <<>> DiG 9.6.-ESV-R5-P1 <<>> psg.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46843
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;psg.com. IN A

;; ANSWER SECTION:
psg.com. 3600 IN A 147.28.0.62

;; AUTHORITY SECTION:
psg.com. 3600 IN NS psg.com.
psg.com. 3600 IN NS nlns.globnix.net.
psg.com. 3600 IN NS rip.psg.com.

;; ADDITIONAL SECTION:
psg.com. 3591 IN AAAA 2001:418:1::62
rip.psg.com. 3591 IN A 147.28.0.39
rip.psg.com. 3591 IN AAAA 2001:418:1::39

;; Query time: 191 msec
;; SERVER: 212.159.6.9#53(212.159.6.9)
;; WHEN: Thu Feb 6 09:53:55 2014
;; MSG SIZE rcvd: 175

[2.1-RELEASE][admin@fw1.example.net]/root(4): dig psg.com. a

; <<>> DiG 9.6.-ESV-R5-P1 <<>> psg.com. a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;psg.com. IN A

;; ANSWER SECTION:
psg.com. 3600 IN A 147.28.0.62

;; AUTHORITY SECTION:
psg.com. 3600 IN NS psg.com.
psg.com. 3600 IN NS nlns.globnix.net.
psg.com. 3600 IN NS rip.psg.com.

;; ADDITIONAL SECTION:
psg.com. 1227 IN AAAA 2001:418:1::62
rip.psg.com. 1227 IN A 147.28.0.39
rip.psg.com. 1227 IN AAAA 2001:418:1::39

;; Query time: 194 msec
;; SERVER: 212.159.6.9#53(212.159.6.9)
;; WHEN: Thu Feb 6 09:53:57 2014
;; MSG SIZE rcvd: 175

[2.1-RELEASE][admin@fw1.example.net]/root(5): dig psg.com. aaaa

; <<>> DiG 9.6.-ESV-R5-P1 <<>> psg.com. aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34384
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;psg.com. IN AAAA

;; ANSWER SECTION:
psg.com. 3593 IN AAAA 2001:418:1::62

;; AUTHORITY SECTION:
psg.com. 3600 IN NS psg.com.
psg.com. 3600 IN NS nlns.globnix.net.
psg.com. 3600 IN NS rip.psg.com.

;; ADDITIONAL SECTION:
psg.com. 3580 IN A 147.28.0.62
rip.psg.com. 3593 IN A 147.28.0.39
rip.psg.com. 3593 IN AAAA 2001:418:1::39

;; Query time: 38 msec
;; SERVER: 212.159.6.9#53(212.159.6.9)
;; WHEN: Thu Feb 6 09:53:59 2014
;; MSG SIZE rcvd: 175
Updated by Brian Candler over 11 years ago
OK, so I have narrowed this down.
- If I set System > General Setup > DNS Servers to just 8.8.8.8 or 8.8.4.4, it works (by which I mean I get only the A record, not the AAAA record, but no junk)
- If I set System > General Setup > DNS Servers to 10.19.1.1 - which is the firewall itself, running the unbound package as a caching nameserver - I get the junk.
The difference:
- dig @10.19.1.1 psg.com includes the "authority" and "additional" sections
- dig @8.8.8.8 psg.com does not include these
I can make the first behave like the second in this way:
# dig +noauthority +noadditional @10.19.1.1 psg.com
So, this patch seems to do the trick:
--- ../diag_dns.php.orig 2014-02-06 10:09:35.000000000 +0000 +++ diag_dns.php 2014-02-06 10:10:18.000000000 +0000 @@ -47,7 +47,7 @@ $resolved = gethostbyname($host); if($resolved) { $host = trim($_POST['host']); - $dig=`dig "$host" A | grep "$host" | grep -v ";" | awk '{ print $5 }'`; + $dig=`dig +noauthority +noadditional "$host" A | grep "$host" | grep -v ";" | awk '{ print $5 }'`; $resolved = explode("\n", $dig); $isfirst = true; foreach($resolved as $re) { @@ -104,7 +104,7 @@ $resolvconf_servers = `grep nameserver /etc/resolv.conf | cut -f2 -d' '`; $dns_servers = explode("\n", trim($resolvconf_servers)); foreach ($dns_servers as $dns_server) { - $query_time = `dig {$host_esc} @{$dns_server} | grep Query | cut -d':' -f2`; + $query_time = `dig +noauthority +noadditional {$host_esc} @{$dns_server} | grep Query | cut -d':' -f2`; if($query_time == "") $query_time = gettext("No response"); $new_qt = array(); @@ -130,7 +130,7 @@ $type = "hostname"; $resolved = gethostbyname($host); if($resolved) { - $dig=`dig $host_esc A | grep $host_esc | grep -v ";" | awk '{ print $5 }'`; + $dig=`dig +noauthority +noadditional $host_esc A | grep $host_esc | grep -v ";" | awk '{ print $5 }'`; $resolved = explode("\n", $dig); } $hostname = $host;
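Review bot: in the first hunk (@@ -47), the changed `$dig=` line still interpolates `$host`, which the hunk context shows is taken directly from `trim($_POST['host'])`, into a backtick shell command, while the third hunk uses `$host_esc`; the new line should use the escaped variable too (as in hunk three) so the added options are not the only thing that changes in a command built from unescaped input. Also note that `grep "$host"` still keeps any line mentioning the name, so the fix depends entirely on `+noauthority +noadditional` removing the other sections rather than on the parsing being section-aware.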
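Review bot: the second hunk (@@ -104) adds `+noauthority +noadditional` to the per-server timing probe, but that command only keeps the `Query` line via `grep Query | cut -d':' -f2`; these are display options and do not change the query sent or the reported query time, so this hunk changes nothing observable. Suggest either leaving the timing command alone or stating in the commit message that it is changed for consistency only.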
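Review bot: the third hunk (@@ -130) repeats the same `dig ... | grep ... | grep -v ";" | awk '{ print $5 }'` pipeline as the first hunk, so the two now have to be kept in sync by hand; suggest factoring the dig-and-parse step into one helper called from both places. The `grep $host_esc` filter here also matches any record whose owner name or RDATA contains the hostname, which is exactly how the NS names and glue for a self-delegated zone end up in the result.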
I'm not sure that "dig $host_esc | grep $host_esc" is particularly good logic. It's quite possible that a hostname is delegated to a host which is a subdomain of itself or even to itself. In this case psg.com is delegated to psg.com and rip.psg.com (as well as nlns.globnix.net).
Anyway, that still leaves the question of whether it should include IPv6 (AAAA) records or not :-)
Regards,
Brian.
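The point Brian makes about "grep for the hostname" can be shown side by side with a section-aware parser. This is an added example, not code from the ticket or from pfSense's diag_dns.php; the sample input is constructed from the dig psg.com. output quoted above, with the header and timing lines trimmed.

```shell
#!/bin/sh
# Added example, not code from the ticket or from pfSense's diag_dns.php.
# Shows why "grep for the hostname" returns junk when a zone is delegated to
# itself or to a subdomain, and a section-aware alternative that returns only
# the ANSWER-section A/AAAA records. The sample is constructed from the
# "dig psg.com." output quoted in the ticket (headers and timings trimmed).

SAMPLE_DIG_OUTPUT='; <<>> DiG 9.6.-ESV-R5-P1 <<>> psg.com.
;; QUESTION SECTION:
;psg.com.               IN      A

;; ANSWER SECTION:
psg.com.        3600    IN      A       147.28.0.62

;; AUTHORITY SECTION:
psg.com.        3600    IN      NS      psg.com.
psg.com.        3600    IN      NS      nlns.globnix.net.
psg.com.        3600    IN      NS      rip.psg.com.

;; ADDITIONAL SECTION:
psg.com.        3591    IN      AAAA    2001:418:1::62
rip.psg.com.    3591    IN      A       147.28.0.39
rip.psg.com.    3591    IN      AAAA    2001:418:1::39
'

# The pipeline from the ticket's diag_dns.php: keep every non-comment line
# that mentions the hostname and print field 5. NS targets and glue match too.
naive_extract() {        # $1 = hostname, dig output on stdin
    grep "$1" | grep -v ";" | awk '{ print $5 }'
}

# Section-aware version: follow the ";; ... SECTION:" markers and print RDATA
# only for A/AAAA records that sit inside the ANSWER section.
answer_extract() {       # dig output on stdin
    awk '
        /^;; .* SECTION:$/ { in_answer = ($0 == ";; ANSWER SECTION:"); next }
        in_answer && NF >= 5 && $3 == "IN" && ($4 == "A" || $4 == "AAAA") { print $5 }
    '
}

# Convenience wrappers over the constructed sample, one per approach.
naive_psg()  { printf '%s' "$SAMPLE_DIG_OUTPUT" | naive_extract psg.com; }
answer_psg() { printf '%s' "$SAMPLE_DIG_OUTPUT" | answer_extract; }

echo "naive (ticket's grep pipeline):"; naive_psg
echo "answer section only:";            answer_psg
```

The naive pipeline yields the seven entries from the bug description (one address plus three NS names and three glue records); the section-aware one yields just 147.28.0.62. The diagnostics page only ever asks for A, so an AAAA query would still need a second dig run through the same parser.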
Updated by Brian Candler over 11 years ago
OK, this patch is irrelevant in the light of commit e2ffc9d which replaces dig with drill. AFAICS, drill doesn't have equivalent options to +noauthority / +noadditional, so I think some more parsing is required.
Updated by Chris Buechler almost 11 years ago
- Status changed from Feedback to Resolved