
hickory-dns responds to dig A doesnotexist.fqdn.com. with NOERROR instead of with NXDOMAIN #2192

Open
japaric opened this issue Apr 23, 2024 · 2 comments


@japaric

japaric commented Apr 23, 2024

Describe the bug
What the title says

To Reproduce

  1. Set up a local nameserver network with the following records (NOTE I used nsd 4.6.1 for all the nameservers)


  2. Set up hickory-dns as a resolver with root hint set to primary2.nameservers.com. (which has the . SOA record)

NOTE: hickory-dns was built with the recursor feature enabled

  • /etc/named.toml
[[zones]]
zone = "."
zone_type = "Hint"
stores = { type = "recursor", roots = "/etc/root.hints" }
enable_dnssec = false
  • /etc/root.hints
.	86400	NS	primary2.nameservers.com.
primary2.nameservers.com.	86400	A	192.168.112.4
  3. Send the query dig A doesnotexist.nameservers.com. to hickory-dns
; <<>> DiG 9.18.24-1-Debian <<>> @192.168.112.5 A doesnotexist.nameservers.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6072
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;doesnotexist.nameservers.com.	IN	A

;; Query time: 6 msec
;; SERVER: 192.168.112.5#53(192.168.112.5) (UDP)
;; WHEN: Tue Apr 23 14:00:32 UTC 2024
;; MSG SIZE  rcvd: 57

Expected behavior

I don't know if the RFCs leave this scenario unspecified but both BIND (named) and unbound return NXDOMAIN.

  • named
`dig` output
; <<>> DiG 9.18.24-1-Debian <<>> @192.168.176.6 A doesnotexist.nameservers.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49582
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: a016252a98546c4a010000006627c3ce6c2277687fe9a98d (good)
;; QUESTION SECTION:
;doesnotexist.nameservers.com.	IN	A

;; AUTHORITY SECTION:
nameservers.com.	10800	IN	SOA	primary2.nameservers.com. admin2.nameservers.com. 2024010101 1800 900 604800 86400

;; Query time: 3 msec
;; SERVER: 192.168.176.6#53(192.168.176.6) (UDP)
;; WHEN: Tue Apr 23 14:21:02 UTC 2024
;; MSG SIZE  rcvd: 137
  • unbound
`dig` output
; <<>> DiG 9.18.24-1-Debian <<>> @192.168.160.6 A doesnotexist.nameservers.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60324
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;doesnotexist.nameservers.com.	IN	A

;; AUTHORITY SECTION:
nameservers.com.	3600	IN	SOA	primary2.nameservers.com. admin2.nameservers.com. 2024010101 1800 900 604800 86400

;; Query time: 10 msec
;; SERVER: 192.168.160.6#53(192.168.160.6) (UDP)
;; WHEN: Tue Apr 23 14:17:37 UTC 2024
;; MSG SIZE  rcvd: 109

System:

  • OS: Debian (Linux)
  • Architecture: x86_64
  • Version: rust:1-slim-bookworm (Docker image)
  • rustc version: 1.77.2

Version:
Crate: hickory-dns
Version: 6334a01

Additional context
A test version of these repro steps can be found in the dnssec-tests repo


This might be related to #2099, but in this case there are no CNAMEs or wildcards.

EDIT1: noted which Cargo features were enabled
EDIT2: remove _cache_size options from named.toml since they are optional settings
EDIT3: clarify that the linux distribution is Debian

@bluejekyll
Member

There's an interesting case where it's NXDOMAIN if there are no other records at that name, but if there are any, then it's supposed to be NOERROR and no record to indicate other records besides the one queried do exist at that name.

Using the CLI resolver from our library, I'm getting an A record at that name:

>  resolve doesnotexist.nameservers.com 
Querying for doesnotexist.nameservers.com A from udp:8.8.8.8:53, tcp:8.8.8.8:53, udp:8.8.4.4:53, tcp:8.8.4.4:53, udp:[2001:4860:4860::8888]:53, tcp:[2001:4860:4860::8888]:53, udp:[2001:4860:4860::8844]:53, tcp:[2001:4860:4860::8844]:53
Success for query doesnotexist.nameservers.com IN A
        doesnotexist.nameservers.com. 7200 IN A 208.91.197.132

Maybe this was changed after your test?
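As an added example (not code from the issue or from hickory-dns), the check below reads dig output and separates the three response shapes this thread is about: NXDOMAIN, NODATA (NOERROR with an empty answer but the zone's SOA in AUTHORITY), and the empty NOERROR without any SOA that hickory-dns returned above. The excerpts are constructed from the dig output quoted in the issue; the NODATA excerpt (an AAAA query for primary2.nameservers.com.) is an assumption and not on the page.

```python
import re

# Constructed excerpts modelled on the dig output quoted in this issue
# (hickory-dns and named), plus an assumed NODATA case not shown on the page.
HICKORY = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6072
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;doesnotexist.nameservers.com.\tIN\tA
"""
NAMED = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49582
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;doesnotexist.nameservers.com.\tIN\tA
;; AUTHORITY SECTION:
nameservers.com.\t10800\tIN\tSOA\tprimary2.nameservers.com. admin2.nameservers.com. 2024010101 1800 900 604800 86400
"""
NODATA = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;primary2.nameservers.com.\tIN\tAAAA
;; AUTHORITY SECTION:
nameservers.com.\t3600\tIN\tSOA\tprimary2.nameservers.com. admin2.nameservers.com. 2024010101 1800 900 604800 86400
"""

def parse_dig(text):
    """Return (rcode, answer count, authority count, authority-has-SOA) from dig output."""
    rcode = re.search(r"status: (\w+)", text).group(1)
    counts = {k: int(v) for k, v in re.findall(r"(ANSWER|AUTHORITY): (\d+)", text)}
    section, auth_soa = None, False
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0]          # QUESTION / AUTHORITY / ...
        elif section == "AUTHORITY" and line and not line.startswith(";"):
            auth_soa |= line.split()[3] == "SOA"   # owner TTL class TYPE rdata
    return rcode, counts["ANSWER"], counts["AUTHORITY"], auth_soa

def classify(text):
    """Name the response shape a resolver client would infer from the message."""
    rcode, answers, _authority, auth_soa = parse_dig(text)
    if rcode == "NXDOMAIN":
        return "NXDOMAIN"            # no records of any type at the name
    if rcode != "NOERROR":
        return rcode                 # SERVFAIL, REFUSED, ...
    if answers > 0:
        return "DATA"
    # NOERROR with an empty answer is a legitimate NODATA only when the zone's
    # SOA is supplied; without it the client cannot negatively cache the result
    # or tell "name exists, type absent" apart from a broken negative answer.
    return "NODATA" if auth_soa else "EMPTY-NOERROR-WITHOUT-SOA"
```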

@japaric
Author

japaric commented May 7, 2024

using CLI resolver from our library, I'm getting an A record at that name:

That's because that CLI resolver has internet access and access to the public DNS network. I guess something similar happens if I run dig @1.1.1.1 A doesnotexist.nameservers.com (note the public DNS resolver 1.1.1.1).

In contrast to that, all the nodes in the test are in a private, local network with no internet access, so they never contact root servers like a.root-servers.net. The name servers in the tests do not contain a doesnotexist.nameservers.com A record, nor wildcard records that would match the A doesnotexist.nameservers.com query.
