Date: Wed, 04 Oct 2017 20:39:48 +0000
From: Srinivasa Raghavan <raghav135@...il.com>
To: musl@...ts.openwall.com
Subject: Re: DNS resolution happenning only after timeout

Hi Rich,
Thanks for your time and reply.
Will try to get the dns fixed.
Kind Regards,
R. Srinivasa Raghavan.


On Thu, 5 Oct 2017 at 1:49 AM, Rich Felker <dalias@...c.org> wrote:

> On Wed, Oct 04, 2017 at 07:28:35PM +0000, Srinivasa Raghavan wrote:
> > Hi Markus,
> >
> > Thanks for the reply.
> >
> > The problem is not only in nslookup, it is there in ping, tracert, curl,
> > node.js, wget etc. :(
> >
> > I will debug and find the exact C API that is used for each of the
> > scenarios.
> >
> > I am just wondering if there is any workaround?
> >
> > A lot of folks are facing this issue (slow dns name resolution in alpine
> > linux, with some dns servers), and this may be the root cause?
>
> musl does not have any way to suppress applications' requests for IPv6
> lookups. In theory if an application used the AI_ADDRCONF option to
> request "only give IPv6 results if IPv6 is supported" we could do it,
> but there are multiple reasons this hasn't been implemented including
> ambiguity as to how exactly it should behave, and I doubt it would
> help anyway since most applications don't use this option.
>
> From the info you've provided so far, my best guess is that you have a
> buggy nameserver that either stalls or replies with a non-conclusive
> message like ServFail when it receives an AAAA query. If this is the
> case, there are a few possible fixes or workarounds you could try:
>
> 1. If the nameserver is on a device under your control, see if there's
>    an upgrade/patch to fix the issue.
>
> 2. Switch to a different nameserver without the bug like the public
>    Google ones at 8.8.8.8 etc.
>
> 3. Run your own caching/proxy nameserver on localhost and configure it
>    to reply NxDomain (does not exist) for all AAAA lookups.
>
> 4. Use iptables to catch DNS query packets for AAAA records and
>    redirect them to a dummy server that just always replies with
>    NxDomain.
>
> Without knowing more about your environment I can't really guess which
> ones of these options, if any, might be practical for you but
> hopefully at least one is.
>
> Rich
>
>
>
> > On Wed, 4 Oct 2017 at 10:16 PM, Markus Wichmann <nullplan@....net> wrote:
> >
> > > On Wed, Oct 04, 2017 at 07:18:10PM +0530, Srinivasa Raghavan wrote:
> > > > Hi Rich,
> > > >
> > > > Thanks for the reply.
> > > >
> > > > Some updates:
> > > > 1. Our DNS server is "Infoblox appliance".
> > > > 2. When we had a delay, we found that there was a "AAAA" query along
> > > > with "A" query.
> > > >
> > > > I did further debugging with "tcpdump" and was able to narrow down on the
> > > > difference in behavior between "debian" and "alpine" images.
> > > >
> > > > In debian:
> > > > If ipv6 is disabled (net.ipv6.conf.default.disable_ipv6 = 1)
> > > > Then the "nslookup" (or name resolution) does *not* do a "AAAA" query
> > > >
> > >
> > > That's probably because glibc's DNS resolver only generates AAAA queries
> > > if it can create an IPv6 socket.
> > >
> > > > In alpine:
> > > > If ipv6 is disabled (net.ipv6.conf.default.disable_ipv6 = 1)
> > > > Then the "nslookup" (or name resolution) does an "AAAA" query along
> > > > with "A" query
> > > >
> > > > Is this intentional?
> > > >
> > > > Also, I was wondering if there was any way to disable AAAA query in
> > > > name resolution?
> > > >
> > >
> > > There does not appear to be a way without changing code. In musl, the
> > > function name_from_dns() will always generate both the AAAA and the A
> > > query unless "family" is explicitly set to one of the address families.
> > > No input from resolv.conf or similar is used for this. And "family"
> > > comes directly from the caller, i.e. nslookup. You'd have to change the
> > > nslookup code to only ask for IPv4 addresses.
> > >
> > > > Kind Regards,
> > > > Srinivasa Raghavan.
> > >
> > > Ciao,
> > > Markus
> > >
>
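
Workarounds 3 and 4 in Rich's list both need a responder that answers AAAA queries with NxDomain. The following is an added example of that packet logic, not code from the thread or from musl; the function names and the sample query are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define QTYPE_AAAA     28
#define RCODE_NXDOMAIN 3

/* Constructed sample: query id 0x1234, RD set, "example.com" IN AAAA. */
static const uint8_t sample_query[] = {
    0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0,QTYPE_AAAA, 0,1 };

/* Offset of QTYPE in the first question, or 0 if the name is malformed. */
static size_t qtype_offset(const uint8_t *q, size_t len)
{
    size_t i = 12;                      /* DNS header is 12 bytes */
    while (i < len && q[i] != 0) {
        if (q[i] & 0xC0) return 0;      /* no compression in a query name */
        i += (size_t)q[i] + 1;
    }
    return (i + 5 <= len) ? i + 1 : 0;  /* root label + QTYPE + QCLASS */
}

/* Writes an NxDomain reply for an AAAA query into out and returns its
 * length. Returns 0 for anything else, meaning "forward unchanged". */
size_t nxdomain_for_aaaa(const uint8_t *q, size_t len, uint8_t *out, size_t cap)
{
    if (len < 12 || (q[2] & 0xF8)) return 0;     /* response or non-query opcode */
    if (q[4] != 0 || q[5] != 1) return 0;        /* exactly one question */
    size_t t = qtype_offset(q, len);
    if (t == 0 || ((q[t] << 8) | q[t + 1]) != QTYPE_AAAA) return 0;
    size_t rlen = t + 4;                         /* header + question, no EDNS */
    if (rlen > cap) return 0;
    memcpy(out, q, rlen);                        /* echo id and question */
    out[2] = 0x80 | (q[2] & 0x01);               /* QR=1, keep RD */
    out[3] = 0x80 | RCODE_NXDOMAIN;              /* RA=1, RCODE=3 */
    memset(out + 6, 0, 6);                       /* ANCOUNT=NSCOUNT=ARCOUNT=0 */
    return rlen;
}

int main(void)
{
    uint8_t reply[512] = {0};
    size_t n = nxdomain_for_aaaa(sample_query, sizeof sample_query, reply, sizeof reply);
    printf("reply length %zu, rcode %d\n", n, reply[3] & 0x0F);
    return 0;
}
```

Datagrams for which the function returns 0 (A queries and everything else) go to the real nameserver untouched. Because RCODE 3 says the name does not exist for any record type, a caching resolver that sees this reply may also answer A lookups for that name negatively, so the responder belongs in front of stub resolvers only.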
