New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Embedded dns does not return compressed results. #20132
Comments
@clinta thanks. as per miekg/dns#216 (comment) the fix is miekg/dns@44df365. We have to test it out and provide feedback before we can vendor-in the fix. |
If you do a You can do a |
yes. I could see the truncated responses when using the 8.8.8.8 as the DNS server and with +trace, I can see the size as 4090 bytes. |
Since RFC 1035 states "all programs are required to understand arriving messages that Responses larger than 512 bytes are only allowed if edns is supported. So long as Docker's resolver passes the edns flag as it was received from the container, everything should work fine in terms of responses that are larger than 512 bytes compressed. If the application does not support edns, like Go's net dns library, it will not set the edns flag in it's request. So long as Docker's resolver passes that request and does not modify the flag, the upstream resolver will know that it can not send back more than 512 bytes. Whether it sends the response compressed or not is up to the resolver, but it cannot exceed 512 bytes on the wire. If the full response, even compressed, is larger than 512 bytes, the upstream server will know that it must truncate the response to 512 byes on the wire because there was no edns flag in the request indicating a larger supported size. Docker's should pass on this response as received, especially making sure to preserve the TC flag which indicates to the requesting application that the DNS response was truncated. The application may choose to retry the query over TCP, or it may use the truncated response. But this logic is all up to the application. Docker's DNS resolver should not make any assumptions on behalf of the client application. If Docker's DNS resolver receives a retry via TCP from the app, it should pass it on to the upstream resolver via TCP. If the application does support edns and indicates that it can support a larger response (for example |
@mavenugo you are welcome to copy the Weave DNS code. It is short, deals with all the problems identified by @clinta (truncation, compression, edns), and has been in production use for months. |
@rade thanks for the pointer. @sanimej is working on to fix this in https://github.com/docker/libnetwork/blob/master/resolver.go#L230. If you wish to contribute, pls do. Since most of the DNS implementation uses |
- Fixes moby#20132 moby#20140 moby#20019 Signed-off-by: Madhu Venugopal <madhu@docker.com>
- Fixes moby#20132 moby#20140 moby#20019 Signed-off-by: Madhu Venugopal <madhu@docker.com> (cherry picked from commit 84705f1) From PR moby#20181
Continuation of #20037. The embedded DNS server does not compress dns responses. This causes issues for many apps, including docker itself (via the dind image) and any other go applications using the net go library.
A test image is available which can reproduce the issue:
@mavenugo, I'm not running in AWS. This is all a bare metal deployment. I think reproducing it depends on your upstream resolver. It appears that google's public servers, 8.8.8.8 and 8.8.4.4 do not return large dns records. DNSmasq may not by default either, I am still testing that. A recursive bind server will.
The text was updated successfully, but these errors were encountered: