-
Notifications
You must be signed in to change notification settings - Fork 86
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DNS timeout issues with v0.14.1 #54
Comments
I noticed this in --dump -vv
whereas in (v0.14):
|
Hmmm… here are all the changes between v0.14 and v0.14.1.
Am I to assume that XXX and YYY are IPv4 addresses, while ZZZZZZZZ is an IPv6 address? Once connected, can you What happens if you try to do the DNS lookups "manually" via What happens if you add As for the netmask changes between v0.14 and v0.14.1… is this a consistent and persistent difference? These values are sent by the server itself… so it's quite like that if the prefix changed from |
I didn't mean the exact values, but the following:
IPv6Interface vs IPv6Address I will try to check your other thoughts later. |
I've attempted to reproduce this, by adding bogus/black-holed DNS servers to my list… from vpn_slice.dnspython import DNSPythonProvider
import ipaddress
p=DNSPythonProvider()
# One bogus IPv4 DNS server, two real IPv6 DNS servers
p.configure(list(map(ipaddress.ip_address, (
'123.45.67.89', # bogus IPv4 DNS server
'2001:4860:4860::8888','2001:4860:4860::8844', # real Google Public DNS servers (IPv6)
))), bind_addresses=list(map(ipaddress.ip_address, ('192.168.12.233','2601:…'))) )
# This succeeds for me
p.lookup_host('www.google.com') Can you test fdf9ef2 and see if it fixes the problem for you?
Ah, okay. This was an intended change, to correctly replicate the behavior of the "standard" vpnc-script in terms of how it handles the parameters sent by openconnect. If it had an incorrect effect on your (IPv6) routing configuration, I'm interested to hear it. |
I've started seeing this, too. I looked at the traffic with Wireshark, and I now suspect a bug in dnspython. I was seeing a request go out from dnspython, and an empty response come back from the name server immediately. If dnspython were correctly receiving the response, I'd expect There were two differences between a successful request from dig and the request from dnspython: dig sets the AD flag, and dig uses EDNS0. I reconfigured dnspython to use EDNS0, but that didn't fix the issue. I didn't see an obvious way to get dnspython to set the AD flag, but I wouldn't really expect that to change anything. |
Huh, that's interesting. So your idea is that
Yeah, I don't see how that would change anything either.
🤔 Line 14 in 75f2ee7
|
That's right.
This one's my fault. I compared vpn-slice's traffic with running dig by hand, so just |
I wish I could reproduce this, but cannot. When I try fdf9ef2 (with the logging statement uncommented) on any of the real VPNs and DNS servers that I have access to (running on Ubuntu 18.04 here)… I get an immediate reply, rather than a timeout, and then the remaining DNS lookups complete successfully:
@gmacon Could you try to use something like the short standalone test script I posted above to repeatedly generate the DNS queries that are causing the timeout with |
I tested with your fix, and it works. It's not timing out, just resolving of the servers takes a long time before the connection is established. |
Ahhhh… that's good to know. Can you uncomment this additional logging statement and run again? fdf9ef2#diff-6213469e2b2c96b8c072c5abf4d783b7R35-R36 I'm guessing that what's happening here is that it's timing out on the IPv6 DNS server(s) or the IPv4 DNS server(s) — whichever ones it tries first — and then after 30s tries on the other IP-version servers, and succeeds. If you uncomment the logging statement and try again, it will be 100% clear if this is what's happening. |
I'm running the version with extra logging, and it looks like I'm just impatient. It's successfully looking up the DNS on the IPv4 DNS server and then failing to do so against the IPv6 server (and there are, in fact, no IPv6 packets in Wireshark). Because I have a bunch of names, it'll take ten minutes to wait out all the IPv6 timeouts, and I never did. I think it's surprising that, after successfully resolving a name against one name server, it tries again against the other. It strikes me that a configuration where AAAA records are only returned over IPv6 would be a very unusual one. I'll try to debug my IPv6 connectivity. |
it works but still way too long. I tested for 5 servers it took 2,5 minutes to resolve. |
I just pushed a branch to my fork, dns-by-route that contains a modification so that dnspython can figure out what servers it wants to talk to on its own. This does remove the explicit source addresses, but they don't seem to be required for me. Thoughts? |
@gmacon your fork works fine for me |
Hmmm… 2.5 minutes is impossibly long with a 30 second timeout. There are at most 4 combinations of (DNS server address: IPv4 vs. IPv6 ) × (DNS rectype: @ciapecki Can you share the logging output? It should not take more than 2 minutes given 4 combinations and a 30 second timeout. |
@gmacon thanks. I can understand why this works better, but I worry that it may go against important design goals of
Not specifying the source-address means that |
Yeah. Would be good to know if it's the VPN admins' fault (DNS-over-IPv6 is configured wrong on the server side) or
Unfortunately there are DNS servers and VPNs which are known to misbehave in ways like this, probably as a crutch for older client OSes that themselves mishandled IPv6. It's not exactly the same thing, but Pulse VPNs won't let you tunnel IPv6 packets to the VPN when connected to the gateway via IPv4, and vice versa… a completely idiotic arrangement that defeats the entire purpose of a tunneling protocol, but nevertheless true. We could change the tl;dr It seems to me that the bottom line here is we need to figure out why IPv6 connectivity to your DNS servers isn't working, and fix or workaround that, rather than simply ignore or skip DNS-over-IPv6 silently. (We could also add an |
I have 5 hosts passed to vpn-slice. For every one it takes 30seconds => together ~2,5min for every host:
|
Ah, thanks for clarifying. 👌
Yeah, this has to be because of a timeout on whichever type of DNS server it is trying in the first 30 seconds. Can you please try 505e136 (= fdf9ef2 with the logging statements uncommented)? This will show you whether or not it's the DNS-over-IPv6 or DNS-over-IPv4 queries which are timing out; that's an important piece of information to help us know whether this is really an IPv6-specific problem. |
|
Thanks @ciapecki. Okay, we can definitely confirm from this that it is indeed the DNS-over-IPv6 servers which are timing out for you |
I have an issue that I think is related. For me vpn-slice stopped working at version v0.14.1. In particular, I get the error:
If I look at the dump and compare version 0.14.0 to version 0.14.1, I notice that Note however that I do not have timing out issues but the error that "... has host bits set". |
@fahasch, that was the first error with IPv6 that I got. The proximate cause there is that an address = ip_interface(address)
self._ifconfig(device, family, address, address.ip) which ran without error (if I remembered correctly exactly what I did, I've changed it again since then trying to figure out what's wrong) but still resulted in broken IPv6 connectivity. I connected with the real AnyConnect client to see how it configures the interface:
It's not clear exactly what Cisco is thinking here. IPv4 is point-to-point but has zero bits in the netmask. IPv6 is not point-to-point, but it has the all-ones netmask. |
@gmacon Thanks for the tip. It does not solve the problem for me though. If I change the relevant line 109 in mac.py (making sure that ip_interface is imported), I do get another error:
If I run |
I guess I should have said this, too. My current state is: address = ip_interface(address)
self._ifconfig(device, family, ip_network(address.ip), address.ip) which just throws away any available netmask information. |
That works like a charm (except for the DNS operation timed out mentioned above). I hope the issues with ip6 (wherever they are located) will be settled at some point in the near future. |
handle IPv6Interface objects consistently and gracefully (fix for #54)
handle IPv6Interface objects consistently and gracefully (fix for #54)
Merged #55 which should resolve the issue on both macOS and Linux. Brief summary is that This affected IPv6 due to the changes to store the IPv6 address in this form between Three cheers to @gmacon for figuring out a solution and writing a clean fix. 🍻 |
reverting back to v0.14 resolves these issues for me:
There must have been changes between v0.14 and v0.14.1 causing above timeouts.
Anything I can test on my side?
thanks,
Chris
The text was updated successfully, but these errors were encountered: