
Separate DNSSEC queries from normal queries in the cache #322

Merged (2 commits), Aug 23, 2023

Conversation

folbricht (Owner)

Fixes #320 by including the Do flag in the cache-key.

@alpominth

Let's test:

Config (it's a copy of my local config, I didn't have time to write one from scratch):

[bootstrap-resolver]
address = "https://1.1.1.1/dns-query"
protocol = "doh"
transport = "tcp"
query-timeout = 60

[resolvers.res]
address = "https://dns10.quad9.net/dns-query"
protocol = "doh"
transport = "tcp"
query-timeout = 10

[groups.ttlm]
type = "ttl-modifier"
resolvers = ["res"]
ttl-min = 2592000
ttl-max = 2592000

[groups.cached]
type = "cache"
resolvers = ["ttlm"]
cache-size = 1048576
cache-negative-ttl = 259200
cache-rcode-max-ttl = { 3 = 259200, 5 = 0, 2 = 0 } # NXDOMAIN, REFUSED and SERVFAIL
cache-prefetch-trigger = 2570400

[listeners.local-udp-ipv4]
address = "127.0.0.1:1053"
protocol = "udp"
resolver = "cached"

========================================================

Test 1:

RouteDNS log:

$ ./routedns -l 6 ./blah.toml 
INFO[0000] starting listener                             addr="127.0.0.1:1053" id=local-udp-ipv4 protocol=udp
DEBU[0021] received query                                addr="127.0.0.1:1053" client=127.0.0.1 id=local-udp-ipv4 protocol=udp qname=cloudflare.com.
TRAC[0021] forwarding query to resolver                  addr="127.0.0.1:1053" client=127.0.0.1 id=local-udp-ipv4 protocol=udp qname=cloudflare.com. resolver=cached
DEBU[0021] cache-miss, forwarding                        client=127.0.0.1 id=cached qname=cloudflare.com. qtype=A resolver=ttlm
DEBU[0021] querying upstream resolver                    client=127.0.0.1 id=res method=POST protocol=doh qname=cloudflare.com. qtype=A resolver="https://dns10.quad9.net:443/dns-query"
DEBU[0021] querying upstream resolver                    client=127.0.0.1 id=bootstrap-resolver method=POST protocol=doh qname=dns10.quad9.net. qtype=AAAA resolver="https://1.1.1.1:443/dns-query"
DEBU[0021] querying upstream resolver                    client=127.0.0.1 id=bootstrap-resolver method=POST protocol=doh qname=dns10.quad9.net. qtype=A resolver="https://1.1.1.1:443/dns-query"
DEBU[0022] modified response ttl                         client=127.0.0.1 id=ttlm qname=cloudflare.com. qtype=A
DEBU[0026] received query                                addr="127.0.0.1:1053" client=127.0.0.1 id=local-udp-ipv4 protocol=udp qname=cloudflare.com.
TRAC[0026] forwarding query to resolver                  addr="127.0.0.1:1053" client=127.0.0.1 id=local-udp-ipv4 protocol=udp qname=cloudflare.com. resolver=cached
DEBU[0026] cache-miss, forwarding                        client=127.0.0.1 id=cached qname=cloudflare.com. qtype=A resolver=ttlm
DEBU[0026] querying upstream resolver                    client=127.0.0.1 id=res method=POST protocol=doh qname=cloudflare.com. qtype=A resolver="https://dns10.quad9.net:443/dns-query"
DEBU[0026] modified response ttl                         client=127.0.0.1 id=ttlm qname=cloudflare.com. qtype=A
TRAC[0060] cache garbage collection                      removed=0 total=2
TRAC[0120] cache garbage collection                      removed=0 total=2

Dig:

$ dig @127.0.0.1 -p 1053 +dnssec cloudflare.com

; <<>> DiG 9.18.16-1-Debian <<>> @127.0.0.1 -p 1053 +dnssec cloudflare.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15086
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;cloudflare.com.			IN	A

;; ANSWER SECTION:
cloudflare.com.		2592000	IN	A	104.16.133.229
cloudflare.com.		2592000	IN	A	104.16.132.229
cloudflare.com.		2592000	IN	RRSIG	A 13 2 300 20230821213152 20230819193152 34505 cloudflare.com. o0T297s7fxt7yu3jVp6TN2jT53XUmfIysaH1EgFsMZ+UDtmoy1+aqN5/ FUjALRahOm+1uZn7cSNzRcljnRcKtw==

;; Query time: 425 msec
;; SERVER: 127.0.0.1#1053(127.0.0.1) (UDP)
;; WHEN: Sun Aug 20 16:35:20 EDT 2023
;; MSG SIZE  rcvd: 227
$ dig @127.0.0.1 -p 1053 cloudflare.com

; <<>> DiG 9.18.16-1-Debian <<>> @127.0.0.1 -p 1053 cloudflare.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50022
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cloudflare.com.			IN	A

;; ANSWER SECTION:
cloudflare.com.		2592000	IN	A	104.16.132.229
cloudflare.com.		2592000	IN	A	104.16.133.229

;; Query time: 18 msec
;; SERVER: 127.0.0.1#1053(127.0.0.1) (UDP)
;; WHEN: Sun Aug 20 16:35:24 EDT 2023
;; MSG SIZE  rcvd: 103

=======================================================

Test 2:

RouteDNS log:

$ ./routedns -l 6 ./blah.toml 
INFO[0000] starting listener                             addr="127.0.0.1:1053" id=local-udp-ipv4 protocol=udp
DEBU[0009] received query                                addr="127.0.0.1:1053" client=127.0.0.1 id=local-udp-ipv4 protocol=udp qname=cloudflare.com.
TRAC[0009] forwarding query to resolver                  addr="127.0.0.1:1053" client=127.0.0.1 id=local-udp-ipv4 protocol=udp qname=cloudflare.com. resolver=cached
DEBU[0009] cache-miss, forwarding                        client=127.0.0.1 id=cached qname=cloudflare.com. qtype=A resolver=ttlm
DEBU[0009] querying upstream resolver                    client=127.0.0.1 id=res method=POST protocol=doh qname=cloudflare.com. qtype=A resolver="https://dns10.quad9.net:443/dns-query"
DEBU[0009] querying upstream resolver                    client=127.0.0.1 id=bootstrap-resolver method=POST protocol=doh qname=dns10.quad9.net. qtype=AAAA resolver="https://1.1.1.1:443/dns-query"
DEBU[0009] querying upstream resolver                    client=127.0.0.1 id=bootstrap-resolver method=POST protocol=doh qname=dns10.quad9.net. qtype=A resolver="https://1.1.1.1:443/dns-query"
DEBU[0009] modified response ttl                         client=127.0.0.1 id=ttlm qname=cloudflare.com. qtype=A
DEBU[0016] received query                                addr="127.0.0.1:1053" client=127.0.0.1 id=local-udp-ipv4 protocol=udp qname=cloudflare.com.
TRAC[0016] forwarding query to resolver                  addr="127.0.0.1:1053" client=127.0.0.1 id=local-udp-ipv4 protocol=udp qname=cloudflare.com. resolver=cached
DEBU[0016] cache-miss, forwarding                        client=127.0.0.1 id=cached qname=cloudflare.com. qtype=A resolver=ttlm
DEBU[0016] querying upstream resolver                    client=127.0.0.1 id=res method=POST protocol=doh qname=cloudflare.com. qtype=A resolver="https://dns10.quad9.net:443/dns-query"
DEBU[0016] modified response ttl                         client=127.0.0.1 id=ttlm qname=cloudflare.com. qtype=A

Dig:

$ dig @127.0.0.1 -p 1053 cloudflare.com

; <<>> DiG 9.18.16-1-Debian <<>> @127.0.0.1 -p 1053 cloudflare.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22989
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cloudflare.com.			IN	A

;; ANSWER SECTION:
cloudflare.com.		2592000	IN	A	104.16.132.229
cloudflare.com.		2592000	IN	A	104.16.133.229

;; Query time: 227 msec
;; SERVER: 127.0.0.1#1053(127.0.0.1) (UDP)
;; WHEN: Sun Aug 20 16:40:03 EDT 2023
;; MSG SIZE  rcvd: 103

$ dig @127.0.0.1 -p 1053 +dnssec cloudflare.com

; <<>> DiG 9.18.16-1-Debian <<>> @127.0.0.1 -p 1053 +dnssec cloudflare.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51696
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;cloudflare.com.			IN	A

;; ANSWER SECTION:
cloudflare.com.		2592000	IN	A	104.16.132.229
cloudflare.com.		2592000	IN	A	104.16.133.229
cloudflare.com.		2592000	IN	RRSIG	A 13 2 300 20230821214014 20230819194014 34505 cloudflare.com. yBTYiSiU8/Fu/KjeJrCBZj2joeLoJEHoa3ALliPpEdJJOL929cZaBovx yJXAFY2e+fBSrfq4EYsGjyz35m4cpw==

;; Query time: 24 msec
;; SERVER: 127.0.0.1#1053(127.0.0.1) (UDP)
;; WHEN: Sun Aug 20 16:40:09 EDT 2023
;; MSG SIZE  rcvd: 227

==================================================

Result: Everything is OK.

It's ready to merge.

@alpominth

@folbricht

I found a problem: this branch fixes the problem only with the RAM backend; with the Redis cache, RouteDNS continues to not differentiate TSIG and non-TSIG queries:

Config:

[bootstrap-resolver]
address = "https://1.1.1.1/dns-query"
protocol = "doh"
transport = "tcp"
query-timeout = 60

[resolvers.res]
address = "https://dns10.quad9.net/dns-query"
protocol = "doh"
transport = "tcp"
query-timeout = 10

[groups.ttlm]
type = "ttl-modifier"
resolvers = ["res"]
ttl-min = 2592000
ttl-max = 2592000

[groups.cached]
type = "cache"
resolvers = ["ttlm"]
cache-size = 1048576
cache-negative-ttl = 259200
cache-rcode-max-ttl = { 3 = 259200, 5 = 0, 2 = 0 } # NXDOMAIN, REFUSED and SERVFAIL
cache-prefetch-trigger = 2570400
backend = {type = "redis", redis-address = "127.0.0.1:6379", redis-username="foo", redis-password="bar", redis-network="tcp", redis-db=0, redis-key-prefix="routedns-", redis-max-retries=10, redis-min-retry-backoff=3, redis-max-retry-backoff=3}

[listeners.local-udp-ipv4]
address = "127.0.0.1:1053"
protocol = "udp"
resolver = "cached"

Result:

# dig @127.0.0.1 -p 1053 cloudflare.com

; <<>> DiG 9.18.16-1-Debian <<>> @127.0.0.1 -p 1053 cloudflare.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47832
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cloudflare.com.			IN	A

;; ANSWER SECTION:
cloudflare.com.		2592000	IN	A	104.16.132.229
cloudflare.com.		2592000	IN	A	104.16.133.229

;; Query time: 463 msec
;; SERVER: 127.0.0.1#1053(127.0.0.1) (UDP)
;; WHEN: Mon Aug 21 20:20:24 EDT 2023
;; MSG SIZE  rcvd: 103

# dig @127.0.0.1 -p 1053 +dnssec cloudflare.com

; <<>> DiG 9.18.16-1-Debian <<>> @127.0.0.1 -p 1053 +dnssec cloudflare.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4540
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cloudflare.com.			IN	A

;; ANSWER SECTION:
cloudflare.com.		2591995	IN	A	104.16.132.229
cloudflare.com.		2591995	IN	A	104.16.133.229

;; Query time: 0 msec
;; SERVER: 127.0.0.1#1053(127.0.0.1) (UDP)
;; WHEN: Mon Aug 21 20:20:29 EDT 2023
;; MSG SIZE  rcvd: 103

@folbricht (Owner, Author)

Oh, nice catch. I totally missed that the keys for Redis are generated differently. I just added a proposed fix to this branch (not tested at all). Would you be able to confirm if it works now?

Note that this will basically invalidate the current content of the Redis cache, so it'll be like an empty cache until things are populated again.
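The two points raised in this thread (the DO flag has to be part of the cache key, and every backend has to build its key the same way) as an added, self-contained Go illustration. This is not RouteDNS code; the `Query`, `Answer`, `Cache`, `LegacyKey`, `CacheKey`, `RedisKey` and `Scenario` names, and the constructed sample records, are assumptions made for the example. `Scenario` replays the thread's test order (plain query first, then `+dnssec`) against a cache built with each key scheme, so the stale unsigned hit that #320 describes can be seen directly.

```go
package main

import (
	"fmt"
	"strings"
)

// Query holds the question fields that matter for caching plus the EDNS
// DNSSEC OK (DO) bit. Added illustration, not RouteDNS code; the type and
// function names are assumptions made for this example.
type Query struct {
	Name   string // owner name, e.g. "cloudflare.com."
	Qtype  uint16 // 1 = A, 28 = AAAA, ...
	Qclass uint16 // 1 = IN
	DO     bool   // DNSSEC OK flag from the OPT record (RFC 3225)
}

type Answer struct {
	Records  []string
	HasRRSIG bool // whether signatures came with the answer
}

// canonicalName lower-cases and fully qualifies the owner name.
func canonicalName(name string) string {
	n := strings.ToLower(name)
	if !strings.HasSuffix(n, ".") {
		n += "."
	}
	return n
}

// LegacyKey reproduces the pre-fix behaviour: DO is not part of the key, so an
// answer cached for a plain query is served, without RRSIGs, to a +dnssec query.
func LegacyKey(q Query) string {
	return fmt.Sprintf("%s|%d|%d", canonicalName(q.Name), q.Qtype, q.Qclass)
}

// CacheKey is the fixed behaviour: DO is part of the key, so signed and
// unsigned answers for the same name and type occupy separate entries.
func CacheKey(q Query) string {
	do := 0
	if q.DO {
		do = 1
	}
	return fmt.Sprintf("%s|%d|%d|do=%d", canonicalName(q.Name), q.Qtype, q.Qclass, do)
}

// RedisKey derives the external-backend key from the same canonical key and only
// prepends the configured prefix, so the two backends cannot drift apart again.
func RedisKey(prefix string, q Query) string {
	return prefix + CacheKey(q)
}

// Cache is a minimal map-backed stand-in for the RAM backend with a pluggable key.
type Cache struct {
	key     func(Query) string
	entries map[string]Answer
}

// Resolve serves from cache when possible, else asks upstream; bool reports a hit.
func (c *Cache) Resolve(q Query, upstream func(Query) Answer) (Answer, bool) {
	k := c.key(q)
	if a, ok := c.entries[k]; ok {
		return a, true
	}
	a := upstream(q)
	c.entries[k] = a
	return a, false
}

// fakeUpstream mimics a validating resolver: RRSIGs are returned only when
// the client set DO. The records are constructed sample data.
func fakeUpstream(q Query) Answer {
	a := Answer{Records: []string{"104.16.132.229", "104.16.133.229"}}
	if q.DO {
		a.Records = append(a.Records, "RRSIG A 13 2 300 <constructed>")
		a.HasRRSIG = true
	}
	return a
}

// Scenario replays the thread's test order, a plain query then +dnssec, and
// reports whether the +dnssec query was served from cache and got RRSIGs.
func Scenario(key func(Query) string) (servedFromCache, gotRRSIG bool) {
	c := &Cache{key: key, entries: map[string]Answer{}}
	plain := Query{Name: "cloudflare.com.", Qtype: 1, Qclass: 1}
	signed := plain
	signed.DO = true
	c.Resolve(plain, fakeUpstream)
	a, hit := c.Resolve(signed, fakeUpstream)
	return hit, a.HasRRSIG
}

func main() {
	hit, sig := Scenario(LegacyKey)
	fmt.Printf("legacy key: +dnssec served from cache=%v, has RRSIG=%v\n", hit, sig)
	hit, sig = Scenario(CacheKey)
	fmt.Printf("fixed key:  +dnssec served from cache=%v, has RRSIG=%v\n", hit, sig)
	fmt.Println(RedisKey("routedns-", Query{Name: "Cloudflare.com", Qtype: 1, Qclass: 1, DO: true}))
}
```

With `LegacyKey` the second query is a cache hit that carries no RRSIG, which is exactly what the Redis run above showed (`ANSWER: 2`, no `do` flag honoured); with `CacheKey` it misses and the upstream answer with signatures is stored under its own entry. Because `RedisKey` is just the prefix plus `CacheKey`, changing the key layout changes every backend at once, which is also why the fix empties the existing Redis entries as the comment above notes.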

@alpominth

It was not that easy to test in my "router", but I tested:

$ dig +dnssec cloudflare.com

; <<>> DiG 9.18.16-1-Debian <<>> +dnssec cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12115
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;cloudflare.com.			IN	A

;; ANSWER SECTION:
cloudflare.com.		2592000	IN	A	104.16.133.229
cloudflare.com.		2592000	IN	A	104.16.132.229
cloudflare.com.		2592000	IN	RRSIG	A 13 2 300 20230823145604 20230821125604 34505 cloudflare.com. zV/5Bg2A2By9uUmltBW9rLYT6RoHASHM5n5HfXz+8TFLEXXpA9RCH9Gv JvCX547kNSwg7OD8pfayq9soh9st8w==

;; Query time: 241 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Tue Aug 22 10:00:45 EDT 2023
;; MSG SIZE  rcvd: 227

$ dig cloudflare.com

; <<>> DiG 9.18.16-1-Debian <<>> cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44185
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cloudflare.com.			IN	A

;; ANSWER SECTION:
cloudflare.com.		2592000	IN	A	104.16.132.229
cloudflare.com.		2592000	IN	A	104.16.133.229

;; Query time: 241 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Tue Aug 22 10:00:56 EDT 2023
;; MSG SIZE  rcvd: 103

It's ready to merge.

@folbricht folbricht merged commit 430b532 into master Aug 23, 2023
3 checks passed