fix(connlib): forward PTR queries for non-resources #6765
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
conectado
left a comment
conectado
left a comment
There was a problem hiding this comment.
Good catch! This could be causing issues with DNS in a lot of cases
I'll send a follow-up where we I want to refactor the function signature to explicitly track the cases of "packet for our DNS resolver but failed otherwise". |
|
I ran 10000 proptest cases locally. Appears to be stable :) |
| prop_oneof![Just(Rtype::A), Just(Rtype::AAAA)] | ||
| fn ptr_query_ip() -> impl Strategy<Value = IpAddr> { | ||
| prop_oneof
When encountering a PTR query,
connlibchecks if the query is for a Firezone-managed resource and resolve it to the correct IP. If it isn't for a DNS resource, we should forward the query to the upstream resolver.This isn't what is currently happening though. Instead of forwarding the query, we bail early from
StubResolver::handleand thus attempt to route the packet through the tunnel. This however fails because the DNS query was targeted atconnlib's stub resolver address which never corresponds to a resource IP.When TRACE logs where activated, this resulted in several entries such as
To ensure this doesn't regress, we now generate PTR and MX record queries in
tunnel_test. We don't assert the response of those but we do assert that we always get a response. The inclusion of MX records asserts that unknown query types get correctly forwarded.Resolves: #6749.