net: LookupNS doesn't chase through CNAMEs

[vrubiella]

What version of Go are you using (go version)?

go1.13 darwin/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

macos and alpine container

What did you do?

package main

import (
	"fmt"
	"net"
)

func main() {
	records, err := net.LookupNS("_acme-challenge.xxxxxxx.cat")

	if err != nil {
		fmt.Println(err.Error())
	}else {
		fmt.Println(records[0])
	}
}

I see related issues with cgo/go/cgo+1 resolvers but:

export GODEBUG=netdns=cgo                              
go run main.go                                         
lookup _acme-challenge.xxxxx.cat on 192.168.50.1:53: no such host
export GODEBUG=netdns=go 
run main.go          
lookup _acme-challenge.xxxxx.cat on 192.168.50.1:53: no such host
 export GODEBUG=netdns=cgo+1
go run main.go             
go package net: using cgo DNS resolver
lookup _acme-challenge.xxxxx.cat on 192.168.50.1:53: no such host
dig +short ns _acme-challenge.xxxxx.cat
ghs.googlehosted.com

What did you expect to see?

ghs.googlehosted.com.

What did you see instead?

lookup _acme-challenge.xxxxx.cat on 192.168.50.1:53: no such host

it works fine in most cases, but not in some cases(domains) and I don't understand why.

I have the complete code running in an alpine container within a kubernetes cluster, so I rule out that it is a problem with my local dns solver.

Note: Adding net.LookupCNAME when LookupNS return error I can see the expected result. lookupNS not following CNAME? is the expected behavior?

[seankhliao]

is it consistent in which domains fail and can you give an example of a failing domain?

[vrubiella]

@seankhliao I send you PM (twitter) with real domain name.

[vrubiella]

sorry closed by error.

[seankhliao]

So _acme-challenge.xxxxx.cat is a CNAME to ghs.googlehosted.com.
Go also assumes the resolver is recursive so it'll return everything it needs at once,
Since only a CNAME is returned, it doesn't find the NS records it is looking for.

[vrubiella]

@seankhliao temporary I workaround this scenarios checking CNAME when LookupNS return "no such host", but now I have another set of domains on LookupCNAME returns "no such host" too, but dig cname host works properly:

; <<>> DiG 9.10.6 <<>> cname _acme-challenge.xxxxx.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59478
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.xxxxx.eu.	IN	CNAME

;; ANSWER SECTION:
_acme-challenge.xxxxx.eu. 293 IN	CNAME	gv-kbjiszhdypo6wn.dv.googlehosted.com.

;; Query time: 6 msec
;; SERVER: 172.17.1.2#53(172.17.1.2)
;; WHEN: Wed Feb 17 17:33:15 CET 2021
;; MSG SIZE  rcvd: 108

One more time test int with diferent solvers:

➜  test git:(DADS-170457) ✗ GODEBUG=netdns=go go run main.go  
lookup _acme-challenge.xxxx.eu on 172.17.1.2:53: no such host
➜  test git:(DADS-170457) ✗ GODEBUG=netdns=cgo go run main.go 
lookup _acme-challenge.xxxx.eu: no such host

[networkimprov]

cc @ianlancetaylor

[vrubiella]

Hi, Add more information: All failing lookupCNAME resolutions are CNAMES related with xxxx.googlehosted.com domains.

[vrubiella]

Hello,
Here a complete test adding manual dns query for retrieving CNAME record succesfully instead of error on net.LookupCNAME:

func main() {

	domain := "_acme-challenge.xxxxxx.com"

	records, err := net.LookupNS(domain)

	if err != nil {
		fmt.Println("LookupNS" + err.Error())
	}else {
		fmt.Println(records[0])
	}

	cname, err := net.LookupCNAME(domain)

	if err != nil {
		fmt.Println("LookupCNAME:"+err.Error())
	}else {
		fmt.Println(cname)
	}


	dnsClient := new(dns.Client)
	dnsQuery := new(dns.Msg)
	dnsQuery.SetQuestion(dns.Fqdn(domain), dns.TypeCNAME)
	dnsQuery.RecursionDesired = true
	dnsQuery.SetEdns0(4096, true)

	r, _, err := dnsClient.Exchange(dnsQuery, net.JoinHostPort("1.1.1.1", "53"))

	if err != nil {
		fmt.Print(err.Error())
	}

	if r.Rcode != dns.RcodeSuccess {
		fmt.Printf("unexpected rcode: %d",r.Rcode)
	}

	var cnames []string

	for _, ain := range r.Answer {
		if a, ok := ain.(*dns.CNAME); ok {
			cnames = append(cnames, a.Target)
		}
	}
	fmt.Println(cnames)
}

output:
LookupNSlookup _acme-challenge.xxxxxx.com on 172.17.1.2:53: no such host
LookupCNAME:lookup _acme-challenge.xxxxxx.com: no such host
[gv-nufxpy2ggx7pw4.dv.googlehosted.com.]

xxxxxx.com has catchall CNAME (*) configured to gv-nufxpy2ggx7pw4.dv.googlehosted.com.

I have some scenarios with catchall CNAME poiting to external providers on net.LookupNAME works successfully.

[Justin-Marks]

I'm experiencing a similar problem with LookupCNAME (go v1.20). It should return the last CNAME, but sometimes it returns the first CNAME:

for i := 0; i < 20; i++ {
    fmt.Println(net.LookupCNAME("www.microsoft.com"))
}

Output:

www.microsoft.com-c-3.edgekey.net. <nil>
www.microsoft.com-c-3.edgekey.net. <nil>
www.microsoft.com-c-3.edgekey.net. <nil>
e13678.dscb.akamaiedge.net. <nil>
www.microsoft.com-c-3.edgekey.net. <nil>
e13678.dscb.akamaiedge.net. <nil>
www.microsoft.com-c-3.edgekey.net. <nil>
e13678.dscb.akamaiedge.net. <nil>
e13678.dscb.akamaiedge.net. <nil>
www.microsoft.com-c-3.edgekey.net. <nil>
www.microsoft.com-c-3.edgekey.net. <nil>
e13678.dscb.akamaiedge.net. <nil>
e13678.dscb.akamaiedge.net. <nil>
e13678.dscb.akamaiedge.net. <nil>
www.microsoft.com-c-3.edgekey.net. <nil>
www.microsoft.com-c-3.edgekey.net. <nil>
www.microsoft.com-c-3.edgekey.net. <nil>
e13678.dscb.akamaiedge.net. <nil>
e13678.dscb.akamaiedge.net. <nil>
e13678.dscb.akamaiedge.net. <nil>

The CNAME section for dig www.microsoft.com shows:

www.microsoft.com-c-3.edgekey.net.
www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net.
e13678.dscb.akamaiedge.net.

Unlike LookupCNAME, the dig result is always consistent.

[mateusz834]

@Justin-Marks This race is caused because of #50101, should be fixed by: #59943