[DNS] RFH: Something is answering DNS PTR queries with UDP and not EDNS
Hello,

I'm new to this list and relatively new to OpenStack, so please be patient with me.

Our infrastructure provider is hosting OpenStack for us and I observed the following irritating behavior: If my Linux VM does a reverse-IP-lookup (PTR) something™ seems to intercept those PTR queries on their way from the VM to the *configured* DNS server and answers them itself, returning the name of the VM inside some pre-configured domain:

# dig +nocmd +nocomments +nostats +noedns -x 10.201.0.211
;211.0.201.10.in-addr.arpa.    IN  PTR
211.0.201.10.in-addr.arpa. 3600  IN  PTR  jenkins-ucs-5-0-ucs-5-0-7-autotestjoinopenstack-sambaversion-no.a.customers.regiocloud.tech.

# getent hosts 10.201.0.211
10.201.0.211    jenkins-ucs-5-0-ucs-5-0-7-autotestjoinopenstack-sambaversion-no.a.customers.regiocloud.tech

# python3 -c 'import DNS;req=DNS.DnsRequest("211.0.201.10.in-addr.arpa.",qtype="PTR",server=["10.201.0.211"], protocol="udp");res=req.req();print(res.answers[0]["data"])'
jenkins-ucs-5-0-ucs-5-0-7-autotestjoinopenstack-sambaversion-no.a.customers.regiocloud.tech

# python3 -c 'import dns.resolver;r=dns.resolver.Resolver(configure=False);r.nameservers=["10.201.0.211"];r.edns=False;a=r.query("211.0.201.10.in-addr.arpa.","PTR",tcp=False);print(list(a))'
[<DNS IN PTR rdata: jenkins-ucs-5-0-ucs-5-0-7-autotestjoinopenstack-sambaversion-no.a.customers.regiocloud.tech.>]
This only happens when UDP is used and EDNS is disabled: As soon as I use TCP or force EDNS my queries arrive at the configured DNS server and I get back the expected answer:

# dig +nocmd +nocomments +nostats +edns -x 10.201.0.211
;211.0.201.10.in-addr.arpa.    IN  PTR
211.0.201.10.in-addr.arpa. 172800  IN  PTR  master096.autotest096.test.
201.10.in-addr.arpa.       10800   IN  NS   master096.autotest096.test.
master096.autotest096.test. 80600  IN  A    10.201.0.211

# dig +nocmd +nocomments +nostats +edns +tcp -p 53 -x 10.201.0.211
;211.0.201.10.in-addr.arpa.    IN  PTR
211.0.201.10.in-addr.arpa. 172800  IN  PTR  master096.autotest096.test.
201.10.in-addr.arpa.       10800   IN  NS   master096.autotest096.test.
master096.autotest096.test. 80600  IN  A    10.201.0.211

# dig +nocmd +nocomments +nostats +noedns +tcp -p 53 -x 10.201.0.211
;211.0.201.10.in-addr.arpa.    IN  PTR
211.0.201.10.in-addr.arpa. 172800  IN  PTR  master096.autotest096.test.
201.10.in-addr.arpa.       10800   IN  NS   master096.autotest096.test.
master096.autotest096.test. 80600  IN  A    10.201.0.211

# python3 -c 'import DNS;req=DNS.DnsRequest("211.0.201.10.in-addr.arpa.",qtype="PTR",server=["10.201.0.211"], protocol="tcp");res=req.req();print(res.answers[0]["data"])'
master096.autotest096.test

# python3 -c 'import dns.resolver;r=dns.resolver.Resolver(configure=False);r.nameservers=["10.201.0.211"];r.edns=False;a=r.query("211.0.201.10.in-addr.arpa.","PTR",tcp=True);print(list(a))'
[<DNS IN PTR rdata: master096.autotest096.test.>]

# python3 -c 'import dns.resolver;r=dns.resolver.Resolver(configure=False);r.nameservers=["10.201.0.211"];r.edns=True;a=r.query("211.0.201.10.in-addr.arpa.","PTR",tcp=True);print(list(a))'
[<DNS IN PTR rdata: master096.autotest096.test.>]

# python3 -c 'import dns.resolver;r=dns.resolver.Resolver(configure=False);r.nameservers=["10.201.0.211"];r.edns=True;a=r.query("211.0.201.10.in-addr.arpa.","PTR",tcp=False);print(list(a))'
[<DNS IN PTR rdata: master096.autotest096.test.>]
I already talked to our provider and spent multiple hours searching the internet, and even had a look at the source code of Neutron myself, but did not find any clue so far.

Can someone please enlighten me and tell me how I (or our provider) can disable that "UDP DNS intercept behavior"? It breaks our current use case, especially as I can seldom configure our applications to (not) use UDP / EDNS, so depending on which resolver library they use they get different answers to the same query.

Thank you in advance.
Philipp Hahn

--
Philipp Hahn
Open Source Software Engineer

Univention GmbH
Mary-Somerville-Str. 1
28359 Bremen
Germany | Deutschland

Phone: +49 (0)421 22232-0 | E-Mail: info@univention.de
https://www.univention.de | https://www.univention.com

Managing Directors: Peter H. Ganten, Stefan Gohmann
Local court: Amtsgericht Bremen HRB 20755 | Ust-ID: DE220051310

If you are not the intended recipient of this mail, please contact the sender and delete this message. Any unauthorized copying of this message or unauthorized distribution of the information contained herein is prohibited. Information on the processing of your personal data can be found here: https://www.univention.com/privacy-statement
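The four-way comparison above (UDP vs. TCP, with and without EDNS) can be automated so that the check does not depend on which resolver library happens to be installed. The script below is an added example, not code from the thread and not part of Neutron or OVN: it builds the PTR query by hand from the standard library, sends it over both transports with and without an EDNS0 OPT record, and lists the variants whose answer set differs from the TCP+EDNS answer, which is the path the thread shows reaching the configured server. It assumes IPv4 and a server listening on port 53; build_ptr_response only constructs a reply so the parser can be exercised offline, and the names it is fed in the usage note are taken from the thread purely as sample input.

```python
import socket
import struct

QTYPE_PTR, QTYPE_OPT, QCLASS_IN = 12, 41, 1
EDNS_UDP_SIZE = 1232  # UDP payload size advertised in the OPT pseudo-RR

def reverse_name(ip: str) -> str:
    """10.201.0.211 -> 211.0.201.10.in-addr.arpa. (IPv4 only, by assumption)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels plus zero terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_ptr_query(ip: str, edns: bool, txid: int = 0x1234) -> bytes:
    """PTR query with RD set; edns=True adds an OPT RR to the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(reverse_name(ip)) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, EDNS_UDP_SIZE, 0, 0) if edns else b""
    return header + question + opt

def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; returns (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:  # refuse pointer loops in a hostile reply
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)

def parse_ptr_answers(msg: bytes) -> list:
    """PTR targets found in the answer section of a response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off, names = 12, []
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = decode_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_PTR:
            names.append(decode_name(msg, off)[0])
        off += rdlen
    return names

def build_ptr_response(query: bytes, target: str, ttl: int = 3600) -> bytes:
    """Constructed reply to a build_ptr_query() message, used only to check the parser offline."""
    qend = query.index(b"\x00", 12) + 5  # qname terminator (never compressed here) + QTYPE/QCLASS
    rdata = encode_name(target)
    # owner name is a compression pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_PTR, QCLASS_IN, ttl, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180, 1, 1, 0, 0)
    return header + query[12:qend] + answer

def exchange(server: str, query: bytes, tcp: bool, timeout: float = 3.0) -> bytes:
    """Send one query and return the raw response; TCP carries a 2-byte length prefix.
    A truncated (TC) UDP reply is deliberately not retried over TCP: that retry would
    hide exactly the transport difference being measured."""
    if not tcp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            return s.recv(4096)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        raw = b""
        while len(raw) < 2 or len(raw) < 2 + struct.unpack("!H", raw[:2])[0]:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("TCP response truncated")
            raw += chunk
        return raw[2:2 + struct.unpack("!H", raw[:2])[0]]

def probe(ip: str, server: str) -> dict:
    """The same PTR name over udp/tcp, with and without EDNS -> {variant: [targets]}."""
    return {f"{'tcp' if tcp else 'udp'}+{'edns' if edns else 'noedns'}":
                parse_ptr_answers(exchange(server, build_ptr_query(ip, edns), tcp))
            for tcp in (False, True) for edns in (False, True)}

def divergent_variants(results: dict) -> list:
    """Variants whose answers differ from tcp+edns; empty means nothing sits in the UDP path."""
    baseline = sorted(results["tcp+edns"])
    return sorted(k for k, v in results.items() if sorted(v) != baseline)

if __name__ == "__main__":
    import sys
    res = probe(sys.argv[1], sys.argv[2])  # address to look up, server to ask (assumed reachable)
    print(res, "differ from tcp+edns:", divergent_variants(res))
```

Run as `python3 ptrprobe.py 10.201.0.211 10.201.0.211` to mirror the thread, where the VM asks the name server at its own address; on the setup described above the output would list only `udp+noedns` as differing. Because the query is assembled byte by byte, the OPT record is the only difference between the two UDP variants, so a divergence there cannot be blamed on resolver-library defaults.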
Hi Philipp,

OVN will respond to VM DNS queries out of its own database and not forward the request in some configurations. See this page for a discussion of this feature:
https://docs.openstack.org/charm-guide/latest/admin/networking/ovn/internal-...

Also this bug:
https://bugs.launchpad.net/neutron/+bug/1902950

Michael

On Sun, May 12, 2024 at 9:36 AM Philipp Hahn <hahn@univention.de> wrote:
participants (2)
- Michael Johnson
- Philipp Hahn