Bug #3422

closed

Diagnostics > DNS lookup gives spurious results

Added by Brian Candler over 11 years ago. Updated almost 11 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
01/30/2014
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:

Description

In the DNS lookup diagnostics page

Enter "psg.com" and you get:
147.28.0.62/32, nlns.globnix.net./32, rip.psg.com./32, psg.com./32, 2001:418:1::62/32, 147.28.0.39/32, 2001:418:1::39/32

(and yet psg.com has only one A record and one AAAA record; the other results are spurious)

Enter "www.sanog.org" and you get only
149.20.54.61

(and yet www.sanog.org has an AAAA record in addition to the A record; it's missing)

Expected behaviour: that it would return exactly the set of A and AAAA RRs matching the given query.


Files

Screen Shot 2014-02-06 at 09.57.05.png (61.8 KB), screenshot of psg.com lookup. Brian Candler, 02/06/2014 03:55 AM
Actions #1

Updated by Chris Buechler over 11 years ago

  • Status changed from New to Feedback

can't replicate. What does the output of dig show for psg.com for you?

Actions #2

Updated by Brian Candler over 11 years ago

Here you go - plain dig, dig asking for A, dig asking for AAAA. Of course, what's of interest is what's in the "ANSWER" sections. Also, screenshot from pfsense.

[2.1-RELEASE][admin@fw1.example.net]/root(3): dig psg.com.

; <<>> DiG 9.6.-ESV-R5-P1 <<>> psg.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46843
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;psg.com.            IN    A

;; ANSWER SECTION:
psg.com.        3600    IN    A    147.28.0.62

;; AUTHORITY SECTION:
psg.com.        3600    IN    NS    psg.com.
psg.com.        3600    IN    NS    nlns.globnix.net.
psg.com.        3600    IN    NS    rip.psg.com.

;; ADDITIONAL SECTION:
psg.com.        3591    IN    AAAA    2001:418:1::62
rip.psg.com.        3591    IN    A    147.28.0.39
rip.psg.com.        3591    IN    AAAA    2001:418:1::39

;; Query time: 191 msec
;; SERVER: 212.159.6.9#53(212.159.6.9)
;; WHEN: Thu Feb  6 09:53:55 2014
;; MSG SIZE  rcvd: 175

[2.1-RELEASE][admin@fw1.example.net]/root(4): dig psg.com. a

; <<>> DiG 9.6.-ESV-R5-P1 <<>> psg.com. a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;psg.com.            IN    A

;; ANSWER SECTION:
psg.com.        3600    IN    A    147.28.0.62

;; AUTHORITY SECTION:
psg.com.        3600    IN    NS    psg.com.
psg.com.        3600    IN    NS    nlns.globnix.net.
psg.com.        3600    IN    NS    rip.psg.com.

;; ADDITIONAL SECTION:
psg.com.        1227    IN    AAAA    2001:418:1::62
rip.psg.com.        1227    IN    A    147.28.0.39
rip.psg.com.        1227    IN    AAAA    2001:418:1::39

;; Query time: 194 msec
;; SERVER: 212.159.6.9#53(212.159.6.9)
;; WHEN: Thu Feb  6 09:53:57 2014
;; MSG SIZE  rcvd: 175

[2.1-RELEASE][admin@fw1.example.net]/root(5): dig psg.com. aaaa

; <<>> DiG 9.6.-ESV-R5-P1 <<>> psg.com. aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34384
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;psg.com.            IN    AAAA

;; ANSWER SECTION:
psg.com.        3593    IN    AAAA    2001:418:1::62

;; AUTHORITY SECTION:
psg.com.        3600    IN    NS    psg.com.
psg.com.        3600    IN    NS    nlns.globnix.net.
psg.com.        3600    IN    NS    rip.psg.com.

;; ADDITIONAL SECTION:
psg.com.        3580    IN    A    147.28.0.62
rip.psg.com.        3593    IN    A    147.28.0.39
rip.psg.com.        3593    IN    AAAA    2001:418:1::39

;; Query time: 38 msec
;; SERVER: 212.159.6.9#53(212.159.6.9)
;; WHEN: Thu Feb  6 09:53:59 2014
;; MSG SIZE  rcvd: 175
Actions #3

Updated by Brian Candler over 11 years ago

OK, so I have narrowed this down.

  • If I set System > General Setup > DNS Servers to just 8.8.8.8 or 8.8.4.4, it works (by which I mean I get only the A record not the AAAA record, but no junk)
  • If I set System > General Setup > DNS Servers to 10.19.1.1 - which is the firewall itself, running the unbound package as a caching nameserver - I get the junk.

The difference:

  • dig @10.19.1.1 psg.com includes the "authority" and "additional" sections
  • dig @8.8.8.8 psg.com does not include these

I can make the first behave like the second in this way:

# dig +noauthority +noadditional @10.19.1.1 psg.com

So, this patch seems to do the trick:

--- ../diag_dns.php.orig    2014-02-06 10:09:35.000000000 +0000
+++ diag_dns.php    2014-02-06 10:10:18.000000000 +0000
@@ -47,7 +47,7 @@
     $resolved = gethostbyname($host);
     if($resolved) {
         $host = trim($_POST['host']);
-        $dig=`dig "$host" A | grep "$host" | grep -v ";" | awk '{ print $5 }'`;
+        $dig=`dig +noauthority +noadditional "$host" A | grep "$host" | grep -v ";" | awk '{ print $5 }'`;
         $resolved = explode("\n", $dig);
         $isfirst = true;
         foreach($resolved as $re) {
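Review bot: the `grep "$host"` in this hunk still matches any output line that merely contains the query name, so the fix is incomplete: `+noauthority +noadditional` removes the NS and glue lines, but a name that appears as a CNAME target, or as a substring of another owner name (rip.psg.com contains psg.com), is still picked up, and `awk '{ print $5 }'` then prints a CNAME target as if it were an address. Filter on the type column instead, e.g. `awk '$4 == "A" { print $5 }'`, or use `dig +short "$host" A` and drop the grep entirely. Two smaller points on the same lines: the trimmed `$_POST['host']` is interpolated into the backtick command as `"$host"` here while the third hunk uses `$host_esc`, so use the escaped variable in this call site as well; and `gethostbyname($host)` on the line above is evaluated before `$host` is reassigned from `$_POST`, so the check and the dig do not necessarily look at the same name.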
@@ -104,7 +104,7 @@
         $resolvconf_servers = `grep nameserver /etc/resolv.conf | cut -f2 -d' '`;
         $dns_servers = explode("\n", trim($resolvconf_servers));
         foreach ($dns_servers as $dns_server) {
-            $query_time = `dig {$host_esc} @{$dns_server} | grep Query | cut -d':' -f2`;
+            $query_time = `dig +noauthority +noadditional {$host_esc} @{$dns_server} | grep Query | cut -d':' -f2`;
             if($query_time == "")
                 $query_time = gettext("No response");
             $new_qt = array();
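Review bot: the added flags change nothing in this hunk and should be dropped to keep the diff minimal: `+noauthority +noadditional` only suppress printing of those sections, the query sent and its timing are unchanged, and the only line read here is `;; Query time:` via `grep Query | cut -d':' -f2`. If this loop needs hardening, the useful options are `+time=` and `+tries=`, which bound how long an unresponsive server from /etc/resolv.conf blocks the page before `$query_time` ends up empty and the "No response" branch is taken.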
@@ -130,7 +130,7 @@
             $type = "hostname";
             $resolved = gethostbyname($host);
             if($resolved) {
-                $dig=`dig $host_esc A | grep $host_esc | grep -v ";" | awk '{ print $5 }'`;
+                $dig=`dig +noauthority +noadditional $host_esc A | grep $host_esc | grep -v ";" | awk '{ print $5 }'`;
                 $resolved = explode("\n", $dig);
             }
             $hostname = $host;
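Review bot: this is the same pipeline as the first hunk with `$host_esc` in place of `$host`, and it shares the same weakness: a substring match on the owner name via `grep $host_esc` followed by `awk '{ print $5 }'` with no check of the record type, so CNAME targets and any owner name containing the query name are printed as addresses. Factor the lookup into one helper used by both call sites and filter on `$4 == "A"` there, so the correction only has to be made once. The unquoted `grep $host_esc` is acceptable only if `$host_esc` is already shell-quoted (escapeshellarg or equivalent), which this hunk does not show.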

I'm not sure that "dig $host_esc | grep $host_esc" is particularly good logic. It's quite possible that a hostname is delegated to a host which is a subdomain of itself or even to itself. In this case psg.com is delegated to psg.com and rip.psg.com (as well as nlns.globnix.net).

Anyway, that still leaves the question of whether it should include IPv6 (AAAA) records or not :-)

Regards,

Brian.

Actions #4

Updated by Brian Candler over 11 years ago

OK, this patch is irrelevant in the light of commit e2ffc9d which replaces dig with drill. AFAICS, drill doesn't have equivalent options to +noauthority / +noadditional, so I think some more parsing is required.
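The section-aware parsing that comments #3 and #4 say is needed, as an added example that is not pfSense code and not part of this ticket. It keeps only ANSWER-section records of the requested type instead of grepping for the query name, so NS records from AUTHORITY and glue from ADDITIONAL cannot leak in, and a CNAME chain's address is still returned. The first sample is the "dig psg.com." output pasted in comment #2; the second sample (www.example.test) is constructed and not a real zone; the function names are this example's own, and it assumes drill prints the same ";; ... SECTION:" headers as dig.

```shell
#!/bin/sh
# Added example, not code from pfSense or from diag_dns.php: parse dig-style
# output by section and keep only ANSWER-section records of the requested type,
# so NS records in AUTHORITY and glue A/AAAA in ADDITIONAL never leak through.
# Assumption: drill prints the same ";; <NAME> SECTION:" headers as dig, so the
# same parser applies once dig is replaced.

# parse_answers TYPE   (reads dig output on stdin, prints one rdata per line)
parse_answers() {
    awk -v want="$1" '
        /^;; .* SECTION:/ { section = $2; next }   # ";; ANSWER SECTION:" -> "ANSWER"
        /^;/ || NF < 5    { next }                 # comment, blank, or truncated line
        section == "ANSWER" && $3 == "IN" && $4 == want { print $5 }
    '
}

# The pipeline diag_dns.php used, reproduced here for comparison only.
old_pipeline() {
    grep "$1" | grep -v ";" | awk '{ print $5 }'
}

# Sample 1: the sections of the "dig psg.com." output pasted in comment #2.
PSG_DIG=';; QUESTION SECTION:
;psg.com.            IN    A

;; ANSWER SECTION:
psg.com.        3600    IN    A    147.28.0.62

;; AUTHORITY SECTION:
psg.com.        3600    IN    NS    psg.com.
psg.com.        3600    IN    NS    nlns.globnix.net.
psg.com.        3600    IN    NS    rip.psg.com.

;; ADDITIONAL SECTION:
psg.com.        3591    IN    AAAA    2001:418:1::62
rip.psg.com.        3591    IN    A    147.28.0.39
rip.psg.com.        3591    IN    AAAA    2001:418:1::39

;; Query time: 191 msec'

# Sample 2 (constructed, not a real zone): an A query whose answer goes through
# a CNAME. The address belongs to the CNAME target, so matching on the owner
# name would wrongly drop it; matching on section and type keeps it.
CNAME_DIG=';; QUESTION SECTION:
;www.example.test.        IN    A

;; ANSWER SECTION:
www.example.test.    300    IN    CNAME    host.example.test.
host.example.test.   300    IN    A        192.0.2.10'

psg_old()      { printf '%s\n' "$PSG_DIG"   | old_pipeline psg.com; }
psg_new_a()    { printf '%s\n' "$PSG_DIG"   | parse_answers A; }
psg_new_aaaa() { printf '%s\n' "$PSG_DIG"   | parse_answers AAAA; }   # empty: the AAAA sat in ADDITIONAL
cname_new_a()  { printf '%s\n' "$CNAME_DIG" | parse_answers A; }

echo "old pipeline:   $(psg_old | tr '\n' ' ')"
echo "ANSWER A:       $(psg_new_a)"
echo "ANSWER AAAA:    '$(psg_new_aaaa)'"
echo "CNAME chain A:  $(cname_new_a)"
```

The old pipeline yields seven values for psg.com, matching the junk in the report, while the parser yields only 147.28.0.62. The AAAA record is absent from an A query's ANSWER section, so returning both address families means issuing two queries (A and AAAA) and parsing each; with dig itself, `dig +noall +answer` is a shorter way to get only the ANSWER section, but drill needs the section-tracking above.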

Actions #5

Updated by Chris Buechler almost 11 years ago

  • Status changed from Feedback to Resolved