doggo supports osx scoped queries on accident, but doesn't report correctly #49

Open
logikal opened this issue Jul 28, 2022 · 2 comments
logikal commented Jul 28, 2022

I use OSX's DNS configuration for scoped queries. I use this so my work-related private/internal domains are resolved using DNS servers in our infrastructure, but the rest of the internet is resolved using the "normal" resolvers.

It looks like doggo is doing a lookup that respects the scoped query functionality in osx, but it's happening transparently and causing doggo to "lie" about the origin of the answer. This suggests that resolver-specific queries are leaking to other resolvers silently.

doggo reports that the normal resolvers are answering for domains that should be responding with NXDOMAIN, and doesn't list the resolver for the scoped query at all:

> doggo -t cname logikal.test.record.foo.tld
NAME                                          	TYPE 	CLASS	TTL	ADDRESS                                                                	NAMESERVER
logikal.test.record.foo.tld	CNAME	IN   	30s	lb-name-abcd1234-1234567890.us-east-1.elb.amazonaws.com.	192.168.1.87:53
logikal.test.record.foo.tld	CNAME	IN   	30s	lb-name-abcd1234-1234567890.us-east-1.elb.amazonaws.com.	192.168.1.1:53
logikal.test.record.foo.tld	CNAME	IN   	30s	lb-name-abcd1234-1234567890.us-east-1.elb.amazonaws.com.	8.8.8.8:53
logikal.test.record.foo.tld	CNAME	IN   	30s	lb-name-abcd1234-1234567890.us-east-1.elb.amazonaws.com.	1.1.1.1:53

# those resolvers all actually report NXDOMAIN for the record
> doggo @udp://8.8.8.8 -t cname sean.test.record.foo.tld
NAME           	TYPE	CLASS	TTL 	ADDRESS                       	NAMESERVER	STATUS
foo.tld.	SOA 	IN   	900s	ns-1371.awsdns-43.org.        	8.8.8.8:53	NXDOMAIN
               	    	     	    	awsdns-hostmaster.amazon.com.
               	    	     	    	1 7200 900 1209600 86400

> doggo @udp://192.168.1.87 -t cname logikal.test.record.foo.tld
NAME           	TYPE	CLASS	TTL 	ADDRESS                       	NAMESERVER     	STATUS
foo.tld.	SOA 	IN   	900s	ns-1371.awsdns-43.org.        	192.168.1.87:53	NXDOMAIN
               	    	     	    	awsdns-hostmaster.amazon.com.
               	    	     	    	1 7200 900 1209600 86400

> doggo @udp://1.1.1.1 -t cname logikal.test.record.foo.tld
NAME           	TYPE	CLASS	TTL 	ADDRESS                       	NAMESERVER	STATUS
foo.tld.	SOA 	IN   	900s	ns-1371.awsdns-43.org.        	1.1.1.1:53	NXDOMAIN
               	    	     	    	awsdns-hostmaster.amazon.com.
               	    	     	    	1 7200 900 1209600 86400

> doggo @udp://192.168.1.1 -t cname logikal.test.record.foo.tld
NAME           	TYPE	CLASS	TTL 	ADDRESS                       	NAMESERVER    	STATUS
foo.tld.	SOA 	IN   	900s	ns-1371.awsdns-43.org.        	192.168.1.1:53	NXDOMAIN
               	    	     	    	awsdns-hostmaster.amazon.com.
               	    	     	    	1 7200 900 1209600 86400

# but the resolver for the scoped query does return the right answer for the query.
> doggo @udp://10.100.0.2 logikal.test.record.foo.tld
NAME                                                                 	TYPE 	CLASS	TTL 	ADDRESS                                                              	NAMESERVER
logikal.test.record.foo.tld.                                     	CNAME	IN   	60s 	*.ssl.hub.foo.tld.                                              	10.100.0.2:53
*.ssl.hub.foo.tld.                                              	CNAME	IN   	300s	nlb-1234567890abcedf.elb.us-east-1.amazonaws.com.	10.100.0.2:53
nlb-1234567890abcedf.elb.us-east-1.amazonaws.com.	A    	IN   	60s 	1.2.3.4                                                        	10.100.0.2:53
nlb-1234567890abcedf.elb.us-east-1.amazonaws.com.	A    	IN   	60s 	1.2.3.4                                                         	10.100.0.2:53

My resolver configuration:

# some irrelevant resolvers removed
> scutil --dns
DNS configuration

resolver #1
  search domain[0] : foo.tld (my work domain)
  search domain[3] : hq (my LAN search domain)
  nameserver[0] : 192.168.1.87
  nameserver[1] : 192.168.1.1
  nameserver[2] : 8.8.8.8
  nameserver[3] : 1.1.1.1
  if_index : 13 (en4)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : foo.tld
  nameserver[0] : 10.100.0.2
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 102600

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : hq (my LAN search domain)
  nameserver[0] : 192.168.1.87
  nameserver[1] : 192.168.1.1
  nameserver[2] : 8.8.8.8
  nameserver[3] : 1.1.1.1
  if_index : 13 (en4)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  search domain[0] : hq (my LAN search domain)
  nameserver[0] : 192.168.1.87
  nameserver[1] : 192.168.1.1
  nameserver[2] : 8.8.8.8
  nameserver[3] : 1.1.1.1
  if_index : 15 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #3
  search domain[0] : foo.tld (my work domain)
  nameserver[0] : 10.100.0.2
  if_index : 26 (utun10)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)
logikal changed the title from "doggo supports scoped queries on accident, but doesn't report correctly" to "doggo supports osx scoped queries on accident, but doesn't report correctly" on Jul 28, 2022
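The resolver selection the report above depends on, as an added example that is not part of doggo or of the issue author's post: a Python script that parses `scutil --dns` output (the sample text is constructed to mirror the configuration posted above) and reports which resolver entry applies to a query name, then checks whether a NAMESERVER value printed by a tool is consistent with that. It assumes the macOS rule that the longest matching `domain` entry wins (lower `order` breaks ties) and that the domain-less entry is the fallback; `parse_scutil_dns`, `select_resolver`, `nameservers_for` and `reported_nameserver_is_consistent` are hypothetical helper names. Per-interface selection among the "scoped queries" entries is not modelled; they are only parsed.

```python
"""Which resolver does macOS pick for a name? Added example; not doggo code.

The SAMPLE_SCUTIL text is constructed to mirror the `scutil --dns` output
in the issue. Helper names are hypothetical.
"""
import re

SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  search domain[0] : foo.tld
  search domain[1] : hq
  nameserver[0] : 192.168.1.87
  nameserver[1] : 192.168.1.1
  nameserver[2] : 8.8.8.8
  nameserver[3] : 1.1.1.1
  if_index : 13 (en4)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : foo.tld
  nameserver[0] : 10.100.0.2
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 102600

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : hq
  nameserver[0] : 192.168.1.87
  if_index : 13 (en4)
  flags    : Scoped, Request A records

resolver #2
  search domain[0] : foo.tld
  nameserver[0] : 10.100.0.2
  if_index : 26 (utun10)
  flags    : Scoped, Request A records
"""


def parse_scutil_dns(text):
    """Parse `scutil --dns` output into {"default": [...], "scoped": [...]}.

    Each resolver dict has: domain (str or None), search (list),
    nameservers (list), flags (list), interface (str or None), order (int or None).
    """
    sections = {"default": [], "scoped": []}
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("DNS configuration"):
            # A second header announces the per-interface ("scoped") block.
            section = "scoped" if "scoped" in line else "default"
            current = None
            continue
        if line.startswith("resolver #"):
            current = {"domain": None, "search": [], "nameservers": [],
                       "flags": [], "interface": None, "order": None}
            sections[section].append(current)
            continue
        if current is None or " : " not in line:
            continue
        key, value = (part.strip() for part in line.split(" : ", 1))
        if key == "domain":
            current["domain"] = value.rstrip(".").lower()
        elif key.startswith("search domain"):
            current["search"].append(value.rstrip(".").lower())
        elif key.startswith("nameserver"):
            current["nameservers"].append(value)
        elif key == "flags":
            current["flags"] = [f.strip() for f in value.split(",")]
        elif key == "if_index":
            m = re.search(r"\((\w+)\)", value)
            current["interface"] = m.group(1) if m else None
        elif key == "order":
            current["order"] = int(value)
    return sections


def select_resolver(resolvers, name):
    """Longest matching `domain` wins (lower `order` on ties); else the first
    resolver with no domain, i.e. the default one. Assumed macOS rule."""
    name = name.rstrip(".").lower()
    matches = [r for r in resolvers if r["domain"]
               and (name == r["domain"] or name.endswith("." + r["domain"]))]
    if matches:
        unknown_order = 2 ** 31  # entries without an order lose ties
        return max(matches, key=lambda r: (len(r["domain"]),
                                           -(r["order"] if r["order"] is not None
                                             else unknown_order)))
    return next((r for r in resolvers if r["domain"] is None), None)


def nameservers_for(text, name):
    """Nameservers the default (non-scoped) configuration assigns to `name`."""
    chosen = select_resolver(parse_scutil_dns(text)["default"], name)
    return chosen["nameservers"] if chosen else []


def reported_nameserver_is_consistent(text, name, reported):
    """True if a tool's reported NAMESERVER (e.g. '10.100.0.2:53') is one the
    OS configuration would actually use for `name`. IPv4 'ip:port' only."""
    ip = reported.rsplit(":", 1)[0] if reported.count(":") == 1 else reported
    return ip in nameservers_for(text, name)


if __name__ == "__main__":
    for qname in ("logikal.test.record.foo.tld", "example.com"):
        print(qname, "->", nameservers_for(SAMPLE_SCUTIL, qname))
    print(reported_nameserver_is_consistent(
        SAMPLE_SCUTIL, "logikal.test.record.foo.tld", "192.168.1.87:53"))
```

Run against a real `scutil --dns` dump, the consistency check flags exactly the situation in the report: an answer for a name under `foo.tld` attributed to 192.168.1.87 or 8.8.8.8 is not consistent with a configuration whose `foo.tld` entry points only at 10.100.0.2.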
logikal commented Jul 28, 2022

None of the other cli tools I've checked leak queries to the scoped resolver.

> dig logikal.test.record.foo.tld

; <<>> DiG 9.10.6 <<>> logikal.test.record.foo.tld
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2756
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;logikal.test.record.foo.tld. IN	A

;; AUTHORITY SECTION:
foo.tld.		900	IN	SOA	ns-1371.awsdns-43.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 90 msec
;; SERVER: 192.168.1.87#53(192.168.1.87)
;; WHEN: Thu Jul 28 11:42:04 PDT 2022
;; MSG SIZE  rcvd: 145


> dog logikal.test.record.foo.tld
Status: NXDomain


> host logikal.test.record.foo.tld
Host logikal.test.record.foo.tld not found: 3(NXDOMAIN)

> nslookup logikal.test.record.foo.tld
Server:		192.168.1.87
Address:	192.168.1.87#53

** server can't find logikal.test.record.foo.tld: NXDOMAIN
dscacheutil is the only osx cli tool I've found that respects the scoped queries config.

> dscacheutil -q host -a logikal.test.record.foo.tld
name: nlb-1234567890abcedf.elb.us-east-1.amazonaws.com.
alias: logikal.test.record.foo.tld *.ssl.hub.foo.tld.
ip_address: 1.2.3.4
ip_address: 1.2.3.4

logikal commented Jul 28, 2022

To be clear, I like that doggo ends up respecting the scoped queries configuration, but think that it should be explicit/not silently leaking.
