Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net: LookupNS doesn't chase through CNAMEs #44199

Open
vrubiella opened this issue Feb 10, 2021 · 8 comments
Open

net: LookupNS doesn't chase through CNAMEs #44199

vrubiella opened this issue Feb 10, 2021 · 8 comments

Comments

@vrubiella
Copy link

@vrubiella vrubiella commented Feb 10, 2021

What version of Go are you using (go version)?

go1.13 darwin/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

macos and alpine container

What did you do?

package main

import (
	"fmt"
	"net"
)

func main() {
	records, err := net.LookupNS("_acme-challenge.xxxxxxx.cat")

	if err != nil {
		fmt.Println(err.Error())
	}else {
		fmt.Println(records[0])
	}
}

I see related issues with cgo/go/cgo+1 resolvers but:

export GODEBUG=netdns=cgo                              
go run main.go                                         
lookup _acme-challenge.xxxxx.cat on 192.168.50.1:53: no such host
export GODEBUG=netdns=go 
run main.go          
lookup _acme-challenge.xxxxx.cat on 192.168.50.1:53: no such host
 export GODEBUG=netdns=cgo+1
go run main.go             
go package net: using cgo DNS resolver
lookup _acme-challenge.xxxxx.cat on 192.168.50.1:53: no such host
dig +short ns _acme-challenge.xxxxx.cat
ghs.googlehosted.com

What did you expect to see?

ghs.googlehosted.com.

What did you see instead?

lookup _acme-challenge.xxxxx.cat on 192.168.50.1:53: no such host

it works fine in most cases, but not in some cases(domains) and I don't understand why.

I have the complete code running in an alpine container within a kubernetes cluster, so I rule out that it is a problem with my local dns solver.

Note: Adding net.LookupCNAME when LookupNS return error I can see the expected result. lookupNS not following CNAME? is the expected behavior?

@seankhliao
Copy link
Contributor

@seankhliao seankhliao commented Feb 10, 2021

is it consistent in which domains fail and can you give an example of a failing domain?

@seankhliao seankhliao changed the title net.LookupNS no such host but dig command solves well (netdns different solvers tested). net: LookupNS no such host but dig command solves well (netdns different solvers tested) Feb 10, 2021
@vrubiella
Copy link
Author

@vrubiella vrubiella commented Feb 10, 2021

@seankhliao I send you PM (twitter) with real domain name.

@vrubiella vrubiella closed this Feb 10, 2021
@vrubiella vrubiella reopened this Feb 10, 2021
@vrubiella
Copy link
Author

@vrubiella vrubiella commented Feb 10, 2021

sorry closed by error.

@seankhliao
Copy link
Contributor

@seankhliao seankhliao commented Feb 10, 2021

So _acme-challenge.xxxxx.cat is a CNAME to ghs.googlehosted.com.
Go also assumes the resolver is recursive so it'll return everything it needs at once,
Since only a CNAME is returned, it doesn't find the NS records it is looking for.

@seankhliao seankhliao changed the title net: LookupNS no such host but dig command solves well (netdns different solvers tested) net: LookupNS doesn't chase through CNAMEs Feb 10, 2021
@vrubiella
Copy link
Author

@vrubiella vrubiella commented Feb 17, 2021

@seankhliao temporary I workaround this scenarios checking CNAME when LookupNS return "no such host", but now I have another set of domains on LookupCNAME returns "no such host" too, but dig cname host works properly:

; <<>> DiG 9.10.6 <<>> cname _acme-challenge.xxxxx.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59478
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.xxxxx.eu.	IN	CNAME

;; ANSWER SECTION:
_acme-challenge.xxxxx.eu. 293 IN	CNAME	gv-kbjiszhdypo6wn.dv.googlehosted.com.

;; Query time: 6 msec
;; SERVER: 172.17.1.2#53(172.17.1.2)
;; WHEN: Wed Feb 17 17:33:15 CET 2021
;; MSG SIZE  rcvd: 108

One more time test int with diferent solvers:

➜  test git:(DADS-170457) ✗ GODEBUG=netdns=go go run main.go  
lookup _acme-challenge.xxxx.eu on 172.17.1.2:53: no such host
➜  test git:(DADS-170457) ✗ GODEBUG=netdns=cgo go run main.go 
lookup _acme-challenge.xxxx.eu: no such host

@networkimprov
Copy link

@networkimprov networkimprov commented Feb 28, 2021

@vrubiella
Copy link
Author

@vrubiella vrubiella commented Mar 1, 2021

Hi, Add more information: All failing lookupCNAME resolutions are CNAMES related with xxxx.googlehosted.com domains.

@vrubiella
Copy link
Author

@vrubiella vrubiella commented Mar 3, 2021

Hello,
Here a complete test adding manual dns query for retrieving CNAME record succesfully instead of error on net.LookupCNAME:

func main() {

	domain := "_acme-challenge.xxxxxx.com"

	records, err := net.LookupNS(domain)

	if err != nil {
		fmt.Println("LookupNS" + err.Error())
	}else {
		fmt.Println(records[0])
	}

	cname, err := net.LookupCNAME(domain)

	if err != nil {
		fmt.Println("LookupCNAME:"+err.Error())
	}else {
		fmt.Println(cname)
	}


	dnsClient := new(dns.Client)
	dnsQuery := new(dns.Msg)
	dnsQuery.SetQuestion(dns.Fqdn(domain), dns.TypeCNAME)
	dnsQuery.RecursionDesired = true
	dnsQuery.SetEdns0(4096, true)

	r, _, err := dnsClient.Exchange(dnsQuery, net.JoinHostPort("1.1.1.1", "53"))

	if err != nil {
		fmt.Print(err.Error())
	}

	if r.Rcode != dns.RcodeSuccess {
		fmt.Printf("unexpected rcode: %d",r.Rcode)
	}

	var cnames []string

	for _, ain := range r.Answer {
		if a, ok := ain.(*dns.CNAME); ok {
			cnames = append(cnames, a.Target)
		}
	}
	fmt.Println(cnames)
}

output:
LookupNSlookup _acme-challenge.xxxxxx.com on 172.17.1.2:53: no such host
LookupCNAME:lookup _acme-challenge.xxxxxx.com: no such host
[gv-nufxpy2ggx7pw4.dv.googlehosted.com.]


xxxxxx.com has catchall CNAME (*) configured to gv-nufxpy2ggx7pw4.dv.googlehosted.com.

I have some scenarios with catchall CNAME poiting to external providers on net.LookupNAME works successfully.



Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants