
trust-dns quic client can not query trust-dns quic server #2015

Open · Tracked by #13
LuckyTurtleDev opened this issue Sep 3, 2023 · 11 comments

Comments

LuckyTurtleDev commented Sep 3, 2023

Describe the bug
I have noticed some strange behavior when hosting a TLS and QUIC DNS server using the server crate.
Depending on the client, some protocols do not work.

| client    | tls           | quic          |
|-----------|---------------|---------------|
| kdig      | does not work | works         |
| crab-hole | works         | does not work |
| android   | works         | unsupported   |

kdig is a dig clone with quic, tls and https support.
crab-hole is a pi-hole clone using trust-dns (trust_dns_server::store::forwarder).


Debug output of the client crab-hole instance trying to query the server crab-hole via quic (kdig --udp--> crab-hole(client) --quic-⚡-> crab-hole(server) --tls-> cloudflare):

```
crab-hole-crab-hole-1  | 2023-09-02T13:16:57Z  ⚙️ DEBUG crab_hole            > LowerQuery { name: LowerName(Name("example.com.")), original: Query { name: Name("example.com."), query_type: A, query_class: IN } }
crab-hole-crab-hole-1  | 2023-09-02T13:16:57Z  ⚙️ DEBUG rustls::client::hs   > No cached session for DnsName(DnsName(DnsName("dns.luckyturtle.dev")))
crab-hole-crab-hole-1  | 2023-09-02T13:16:57Z  ⚙️ DEBUG rustls::client::hs   > Not resuming any session
crab-hole-crab-hole-1  | 2023-09-02T13:16:57Z  ⚙️ DEBUG rustls::client::hs   > No cached session for DnsName(DnsName(DnsName("dns.luckyturtle.dev")))
crab-hole-crab-hole-1  | 2023-09-02T13:16:57Z  ⚙️ DEBUG rustls::client::hs   > Not resuming any session
crab-hole-crab-hole-1  | 2023-09-02T13:16:57Z  ⚙️ DEBUG rustls::client::hs   > No cached session for DnsName(DnsName(DnsName("dns.luckyturtle.dev")))
crab-hole-crab-hole-1  | 2023-09-02T13:16:57Z  ⚙️ DEBUG rustls::client::hs   > Not resuming any session
```

crab-hole server log (quic):

```
crab-hole_1  | 2023-09-03T14:18:35Z  ⚙️ DEBUG rustls::server::hs                                > decided upon suite TLS13_AES_256_GCM_SHA384
crab-hole_1  | 2023-09-03T14:18:35Z  ⚙️ DEBUG quinn_proto::endpoint                             > handshake failed: the cryptographic handshake failed: error 120: peer doesn't support any known protocol
crab-hole_1  | 2023-09-03T14:18:35Z  ⚙️ DEBUG rustls::server::hs                                > decided upon suite TLS13_AES_256_GCM_SHA384
crab-hole_1  | 2023-09-03T14:18:35Z  ⚙️ DEBUG quinn_proto::endpoint                             > handshake failed: the cryptographic handshake failed: error 120: peer doesn't support any known protocol
crab-hole_1  | 2023-09-03T14:18:35Z  ⚙️ DEBUG rustls::server::hs                                > decided upon suite TLS13_AES_256_GCM_SHA384
crab-hole_1  | 2023-09-03T14:18:35Z  ⚙️ DEBUG quinn_proto::endpoint                             > handshake failed: the cryptographic handshake failed: error 120: peer doesn't support any known protocol
```

kdig logs (for the kdig issue see #2015 (comment))

output of kdig using tls (kdig --tls-⚡-> crab-hole(server) --tls-> cloudflare):

```
❯ kdig +tls example.com @dns.luckyturtle.dev:8853
;; WARNING: TLS, handshake failed (A TLS fatal alert has been received.)
;; WARNING: TLS, handshake failed (The specified session has been invalidated for some reason.)
;; ERROR: failed to query server dns.luckyturtle.dev@8853(TCP)
```

crab-hole server log when using kdig via tls:

```
crab-hole_1  | 2023-09-03T14:21:34Z  ⚙️ DEBUG trust_dns_server::server::server_future           > starting TLS request from: [SOME_IP]:57222
crab-hole_1  | 2023-09-03T14:21:34Z  ⚙️ DEBUG rustls::server::hs                                > decided upon suite TLS13_AES_256_GCM_SHA384
crab-hole_1  | 2023-09-03T14:21:34Z  ⚙️ DEBUG trust_dns_server::server::server_future           > tls handshake src: [SOME_IP]:57222 error: peer doesn't support any known protocol
crab-hole_1  | 2023-09-03T14:21:35Z  ⚙️ DEBUG trust_dns_server::server::server_future           > starting TLS request from: [SOME_IP]:15417
crab-hole_1  | 2023-09-03T14:21:35Z  ⚙️ DEBUG trust_dns_server::server::server_future           > tls handshake src: [SOME_IP]:15417 error: tls handshake eof
```

To Reproduce

client crab-hole docker-compose:

```yaml
version: '3.3'
services:
    crab-hole:
        image: 'ghcr.io/luckyturtledev/crab-hole:v0.1'
        ports:
            - "8053:8053/udp"
        environment:
            - RUST_LOG=debug
        volumes:
            - './config.toml:/data/config.toml:ro'
```

client config:

```toml
[blocklist]
include_subdomains = true
lists = []

[[downstream]]
protocol = "udp"
listen = "[::]"
port = 8053

[[upstream.name_servers]]
socket_addr = "185.163.118.254:853"
protocol = "quic"
tls_dns_name = "dns.luckyturtle.dev"
```

server crab-hole docker-compose:

```yaml
version: '3.3'
services:
    crab-hole:
        image: 'ghcr.io/luckyturtledev/crab-hole:v0.1'
        ports:
            - "127.0.0.1:8080:80/tcp"
            - "853:853/udp"
            - "8853:853/tcp"
        environment:
            - RUST_LOG=debug
        volumes:
            - './data:/data'
            - './config.toml:/data/config.toml:ro'
            - "dns.luckyturtle.dev:/cert:ro"
```

server crab-hole config:

```toml
[blocklist]
include_subdomains = true
lists = [
	"https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn/hosts",
	"https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt"
]

[api]
port = 80
listen = "[::]"
show_doc = false

[[downstream]]
protocol = "quic"
listen = "[::]"
port = 853
certificate = "/cert/dns.luckyturtle.dev.crt"
key = "/cert/dns.luckyturtle.dev.key"
dns_hostname = "dns.luckyturtle.dev"

[[downstream]]
protocol = "tls"
listen = "[::]"
port = 853
certificate = "/cert/dns.luckyturtle.dev.crt"
key = "/cert/dns.luckyturtle.dev.key"

[[upstream.name_servers]]
socket_addr = "[2606:4700:4700::1111]:853"
protocol = "tls"
tls_dns_name = "1dot1dot1dot1.cloudflare-dns.com"
trust_nx_responses = false

[[upstream.name_servers]]
socket_addr = "[2606:4700:4700::1001]:853"
protocol = "tls"
tls_dns_name = "1dot1dot1dot1.cloudflare-dns.com"
trust_nx_responses = false

[[upstream.name_servers]]
socket_addr = "1.1.1.1:853"
protocol = "tls"
tls_dns_name = "1dot1dot1dot1.cloudflare-dns.com"
trust_nx_responses = false

[[upstream.name_servers]]
socket_addr = "1.0.0.1:853"
protocol = "tls"
tls_dns_name = "1dot1dot1dot1.cloudflare-dns.com"
trust_nx_responses = false
```

Expected behavior
successful request

System:

  • OS-Client: arch linux
  • OS-Server: Debian 5.10.162-1
  • Architecture-Client: x86_64
  • Architecture-Server: x86_64
  • rustc version: 1.72.0

Version:
Crate: server
Version: 0.23.0

djc (Collaborator) commented Sep 4, 2023

Looks like you're not setting the ALPN protocol correctly for TLS/QUIC implementations.
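The failure mode djc points at, shown as an added example that is not crab-hole or trust-dns code: the "error 120" in the QUIC server log is TLS alert no_application_protocol (RFC 7301), which a server that requires ALPN sends when the ClientHello offers nothing it accepts. DNS over TLS uses the IANA-registered ALPN identifier "dot" (RFC 7858) and DNS over QUIC uses "doq" (RFC 9250); a DoQ listener therefore rejects a client that offers "dot", offers no ALPN extension at all, or offers anything else. The block below builds a minimal ClientHello handshake message with an ALPN extension from constructed bytes (the hostname dns.example, the zeroed random and the single cipher suite are assumptions, not taken from the report), parses the offered list back out, and runs the server-side selection step that ends in alert 120. It uses only the Rust standard library.

```rust
// Added example (not trust-dns / crab-hole code): build a minimal TLS 1.3
// ClientHello carrying an ALPN extension, parse the ALPN list back out, and
// run the server-side selection step that ends in TLS alert 120
// (no_application_protocol, RFC 7301) when nothing overlaps.
// Only the standard library is used; all handshake bytes are constructed here.

/// IANA-registered ALPN identifiers for DNS over TLS (RFC 7858) and DNS over QUIC (RFC 9250).
pub const ALPN_DOT: &[u8] = b"dot";
pub const ALPN_DOQ: &[u8] = b"doq";
/// TLS AlertDescription no_application_protocol (RFC 7301, section 3.2).
pub const ALERT_NO_APPLICATION_PROTOCOL: u8 = 120;

const EXT_SERVER_NAME: u16 = 0x0000;
const EXT_ALPN: u16 = 0x0010;

fn put_u16(buf: &mut Vec<u8>, v: u16) {
    buf.extend_from_slice(&v.to_be_bytes());
}

/// Build a ClientHello handshake message (4-byte handshake header + body) with a
/// server_name extension and, if `alpn` is non-empty, an ALPN extension.
pub fn build_client_hello(server_name: &str, alpn: &[&[u8]]) -> Vec<u8> {
    let mut exts = Vec::new();
    // server_name: ServerNameList { NameType host_name(0), HostName }
    let mut sni = Vec::new();
    put_u16(&mut sni, (server_name.len() + 3) as u16);
    sni.push(0);
    put_u16(&mut sni, server_name.len() as u16);
    sni.extend_from_slice(server_name.as_bytes());
    put_u16(&mut exts, EXT_SERVER_NAME);
    put_u16(&mut exts, sni.len() as u16);
    exts.extend_from_slice(&sni);
    if !alpn.is_empty() {
        // ProtocolNameList: u16 length, then (u8 length, name) per protocol
        let mut list = Vec::new();
        for p in alpn {
            list.push(p.len() as u8);
            list.extend_from_slice(p);
        }
        let mut body = Vec::new();
        put_u16(&mut body, list.len() as u16);
        body.extend_from_slice(&list);
        put_u16(&mut exts, EXT_ALPN);
        put_u16(&mut exts, body.len() as u16);
        exts.extend_from_slice(&body);
    }
    let mut body = Vec::new();
    put_u16(&mut body, 0x0303);            // legacy_version = TLS 1.2
    body.extend_from_slice(&[0u8; 32]);    // random (zeros: constructed sample)
    body.push(0);                          // legacy_session_id: empty
    put_u16(&mut body, 2);
    put_u16(&mut body, 0x1302);            // TLS_AES_256_GCM_SHA384 (assumed)
    body.push(1);
    body.push(0);                          // legacy_compression_methods: null
    put_u16(&mut body, exts.len() as u16);
    body.extend_from_slice(&exts);
    let mut msg = vec![1u8];               // HandshakeType client_hello
    let len = body.len();
    msg.extend_from_slice(&[(len >> 16) as u8, (len >> 8) as u8, len as u8]);
    msg.extend_from_slice(&body);
    msg
}

fn rd_u16(b: &[u8], at: usize) -> Result<u16, &'static str> {
    b.get(at..at + 2).map(|s| u16::from_be_bytes([s[0], s[1]])).ok_or("truncated")
}

/// Return the ALPN protocol names a ClientHello offers (empty if it carries no ALPN extension).
pub fn parse_alpn(msg: &[u8]) -> Result<Vec<Vec<u8>>, &'static str> {
    if msg.len() < 4 || msg[0] != 1 {
        return Err("not a ClientHello");
    }
    let body_len = ((msg[1] as usize) << 16) | ((msg[2] as usize) << 8) | msg[3] as usize;
    let body = msg.get(4..4 + body_len).ok_or("truncated")?;
    let mut at = 2 + 32;                                            // skip version + random
    let sid = *body.get(at).ok_or("truncated")? as usize;
    at += 1 + sid;
    let cs = rd_u16(body, at)? as usize;
    at += 2 + cs;
    let cm = *body.get(at).ok_or("truncated")? as usize;
    at += 1 + cm;
    let ext_len = rd_u16(body, at)? as usize;
    at += 2;
    let exts = body.get(at..at + ext_len).ok_or("truncated")?;
    let mut i = 0;
    while i + 4 <= exts.len() {
        let typ = rd_u16(exts, i)?;
        let len = rd_u16(exts, i + 2)? as usize;
        i += 4;
        let data = exts.get(i..i + len).ok_or("truncated")?;
        i += len;
        if typ != EXT_ALPN {
            continue;
        }
        let list_len = rd_u16(data, 0)? as usize;
        let list = data.get(2..2 + list_len).ok_or("truncated")?;
        let mut names = Vec::new();
        let mut j = 0;
        while j < list.len() {
            let n = list[j] as usize;
            if n == 0 {
                return Err("empty ALPN name");                      // forbidden by RFC 7301
            }
            names.push(list.get(j + 1..j + 1 + n).ok_or("truncated")?.to_vec());
            j += 1 + n;
        }
        return Ok(names);
    }
    Ok(Vec::new())
}

/// Server-side selection: the first server-preferred protocol the client offered,
/// otherwise the alert a server that requires ALPN sends (Err carries the alert code).
pub fn select_alpn(server: &[&[u8]], offered: &[Vec<u8>]) -> Result<Vec<u8>, u8> {
    server
        .iter()
        .find(|s| offered.iter().any(|o| o.as_slice() == **s))
        .map(|s| s.to_vec())
        .ok_or(ALERT_NO_APPLICATION_PROTOCOL)
}

fn main() {
    let server = [ALPN_DOQ]; // what a DoQ listener accepts
    let cases = [
        ("client offering doq", build_client_hello("dns.example", &[ALPN_DOQ])),
        ("client offering dot only", build_client_hello("dns.example", &[ALPN_DOT])),
        ("client offering no ALPN", build_client_hello("dns.example", &[])),
    ];
    for (who, hello) in cases.iter() {
        let offered = parse_alpn(hello).expect("well-formed hello");
        match select_alpn(&server, &offered) {
            Ok(p) => println!("{}: negotiated {}", who, String::from_utf8_lossy(&p)),
            Err(code) => println!("{}: fatal alert {} (no_application_protocol)", who, code),
        }
    }
}
```

In rustls, which both listeners in the report run on, the offered and accepted lists are the `alpn_protocols: Vec<Vec<u8>>` field on `ClientConfig` and on `ServerConfig`; a non-empty server list with no overlap ends the handshake with exactly this alert. To check what a real client offers, feed its ClientHello to `parse_alpn`: for DoT over TCP the message is in the clear in the first record, while QUIC Initial packets encrypt it with keys derived from the connection ID, so a decrypting capture tool is needed there.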

LuckyTurtleDev (Author) commented Sep 4, 2023

@djc is calling register_tls_listener and register_quic_listener not enough?
Why do I need to configure ALPN manually after binding and registering a TLS port?

I have not found anything in the docs of trust-dns-server about ALPN.

djc (Collaborator) commented Sep 4, 2023

According to your logs, the server is saying that the client didn't set any protocols it understands.

LuckyTurtleDev (Author) commented

So kdig seems to use the wrong ALPN, so I should report this to kdig instead.

But trust-dns should be able to query trust-dns via quic.

bluejekyll (Member) commented

trust-dns should be working when communicating with its libraries to the server. We have test coverage for this in https://github.com/bluejekyll/trust-dns/blob/main/bin/tests/named_quic_tests.rs. Is the certificate not being validated correctly?

LuckyTurtleDev (Author) commented

> Is the certificate not being validated correctly?

At least kdig has no issue with it. I am currently not sure what I can do. QUIC is currently not widely used, which makes it difficult to test it with other clients/servers.

LuckyTurtleDev changed the title from "tls and quic server works only partly" to "trust-dns quic client can not query rust-dns quic server" on Sep 6, 2023
djc (Collaborator) commented Sep 6, 2023

See also #1990?

bluejekyll (Member) commented Sep 6, 2023

@LuckyTurtleDev, do you think you could try this with the current main line branch after this change was put in, #2005?

LuckyTurtleDev (Author) commented

I will try this out tomorrow.

bluejekyll changed the title from "trust-dns quic client can not query rust-dns quic server" to "trust-dns quic client can not query trust-dns quic server" on Sep 7, 2023
bluejekyll (Member) commented

Actually, you might want to wait, see this comment. I'm not sure it's the root cause of this issue, but it could be related: #1990 (comment)
