Bug #4166: filterdns generates floods of DNS requests when there are significant jumps in system time - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Plus - All Open Issues
23.09.1 Target - All Closed Issues
23.09.1 Target - All Open Issues
24.03 Plus - All Closed Issues
24.03 Plus - All Open Issues
24.03 Plus - Feedback Issues
24.03 Plus - Needs Attention/Work
24.03 Plus - New/Confirmed/In Progress Issues
24.03 Plus - Pull Request Review
24.03 Plus - Waiting on Merge
24.03 Target - All Closed Issues
24.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #4166

closed

filterdns generates floods of DNS requests when there are significant jumps in system time

Added by Chris Buechler over 9 years ago. Updated about 8 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Luiz Souza

Category:

Rules / NAT

Target version:

2.3

Start date:

12/31/2014

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

All

Affected Architecture:

Description

When you have FQDNs in aliases, and the system clock jumps significantly (talking years), it creates a flood of DNS requests for all the hostnames being monitored. For instance on systems with a dead (or no) CMOS battery after losing power, the system boots at some "Jan 1" date years in the past. Then when NTP syncs during boot, it jumps years forward to current time. It creates enough states to max out the state table seemingly regardless of its size if the jump in time is large enough.

It is possible to replicate by manually setting a system date back years in the past, restarting filterdns, setting the date back to current time, then waiting a few minutes.

History
Notes
Property changes

Actions

Copy link

Updated by Bipin Chandra over 9 years ago

i guess the easy way to fix this would be to handle the $resolve_interval properly such that if the time difference is way too high then to ignore creating so many entries but just run once.

i would appreciate if some1 looked into this as its turning out to be a nuisance as on an alix even after like 30 mins the system wont goto normal.

Actions

Copy link

Updated by Bipin Chandra over 9 years ago

line 405 in filter.inc is what i suspect to be the issue (maybe) because when filterdns is initially run with a time in past, it sets the resolve interval to a default 300 and later when the time jumps it makes filterdns resolve that many times (time difference/300= times) and that would be creating the flood.

Actions

Copy link

Updated by Chris Buechler about 9 years ago

Target version changed from 2.2.1 to 2.2.2

Actions

Copy link

Updated by Chris Buechler about 9 years ago

Target version changed from 2.2.2 to 2.2.3

Actions

Copy link

Updated by Chris Buechler almost 9 years ago

Target version changed from 2.2.3 to 2.3

Actions

Copy link

Updated by Jim Thompson over 8 years ago

The solution is likely to do something like this (moving the "collect the current time" part inside the loop)

The way the code is structured now, it will always add "interval + (interval % 30)" to the last time used.

There are 31,536,000 seconds in a year. If the default interval in pfSense is 300 seconds, then we will chew through these 31,536,000 seconds "300 at a time".
This will result in 105,120 calls to host_dns()

The below will add "interval + (interval % 30)" to the >current< time. This way, if the clock advances (potentially by several years) we will be called once (because the thread will wake out of the cold_timed_wait()), and then we will go back to sleep for interval + (interval % 30) seconds.


void *
check_hostname(void *arg)
{
    struct thread_data *thrd = arg;
    struct timespec    ts;
    struct timespec    timeToWait;
    struct sockaddr_in in;
    struct sockaddr_in6 in6;
    int forceUpdate, added, error;

    if (!thrd->hostname)
        return (NULL);

    if (debug >= 2)
        syslog(LOG_WARNING, "Found hostname %s with netmask %d.", thrd->hostname, thrd->mask);

    if (thrd->type == PF_TYPE)
        get_present_table_entries(thrd);

    added = 0;
    forceUpdate = 0;
    pthread_mutex_lock(&thrd->mtx);

    for (;;) {
        gettimeofday(&ts, NULL);
        timeToWait.tv_sec = ts.tv_sec += interval;
        timeToWait.tv_sec += (interval % 30);
        timeToWait.tv_nsec = 0UL;

        if (dev < 0) {
            dev = open("/dev/pf", O_RDWR);
            if (dev < 0)
                syslog(LOG_ERR, "firewall device could not be opened for operation...skipping this time");
        }
        if (dev > 0) {
            pthread_rwlock_rdlock(&main_lock);

            if (thrd->exit == 1) {
                pthread_rwlock_unlock(&main_lock);
                break;
            } else if (thrd->exit == 2) {
                forceUpdate = 1;
                added = 0;
                thrd->exit = 0;
            }
            /* Detect if an ip address was passed in */
            if (added == 0 && inet_pton(AF_INET, thrd->hostname, &in.sin_addr) == 1) {
                added = 1;
                in.sin_family = AF_INET;
                in.sin_len = sizeof(in);
                error = add_table_entry(thrd, (struct sockaddr *)&in, 1);
            } else if (added == 0 && is_ipaddrv6(thrd->hostname, &in6) == 1) {
                error = add_table_entry(thrd, (struct sockaddr *)&in6, 1);
                added = 1;
            } else if (added == 0) {
                error = host_dns(thrd, forceUpdate);
            }
            if (error == EAGAIN) {
                /*
                 * Need to retry again due to some issue with
                 * table handling
                 */
                forceUpdate = 1;
            } else
                forceUpdate = 0;
            pthread_rwlock_unlock(&main_lock);
        }
        /* Hack for sleeping a thread */
        pthread_cond_timedwait(&thrd->cond, &thrd->mtx, &timeToWait);
        if (debug >= 6)
            syslog(LOG_WARNING, "\tAwaking from the sleep for hostname %s, table %s", thrd->hostname, TABLENAME(thrd->tablename));
    }
    pthread_mutex_unlock(&thrd->mtx);

    if (debug >= 4)
        syslog(LOG_ERR, "Cleaning up hostname %s", thrd->hostname);
    pthread_mutex_destroy(&thrd->mtx);
    pthread_cond_destroy(&thrd->cond);
    clear_hostname_addresses(thrd);
    if (thrd->hostname != NULL)
        free(thrd->hostname);
    if (thrd->tablename != NULL)
        free(thrd->tablename);
    if (thrd->cmd != NULL)
        free(thrd->cmd);
    free(thrd);

    return (NULL);
}

Actions

Copy link