Connection coalescing unreliable due to DNS overlaps

[swankjesse]

I’m attempting to confirm that HTTP/2 connection coalescing is working properly, but I’m finding that depending on which DNS I don’t see consistent coalescing.

I wrote this program to print intersections:

    Map<String, List<String>> addressToHostnames = new TreeMap<>();
    List<String> hostnames = immutableList(
        "graph.facebook.com",
        "www.facebook.com",
        "fb.com",
        "messenger.com",
        "m.facebook.com",
        "www.google.com",
        "google.com",
        "google.ca",
        "twitter.com",
        "api.twitter.com"
    );
    for (String hostname : hostnames) {
      List<InetAddress> addresses = Dns.SYSTEM.lookup(hostname);
      for (InetAddress address : addresses) {
        List<String> addressHostnames = addressToHostnames.computeIfAbsent(
            address.getHostAddress(), k -> new ArrayList<>());
        addressHostnames.add(hostname);
      }
    }
    for (Map.Entry<String, List<String>> entry : addressToHostnames.entrySet()) {
      if (entry.getValue().size() > 1) {
        System.out.println(entry.getValue().size() + ": " + entry);
      }
    }

On my residential internet results are mixed. Here’s some runs:

2: 2a03:2880:f127:83:face:b00c:0:25de=[www.facebook.com, fb.com]

2: 2a03:2880:f127:83:face:b00c:0:25de=[www.facebook.com, fb.com]
2: 31.13.74.36=[www.facebook.com, fb.com]

2: 157.240.2.20=[graph.facebook.com, messenger.com]
2: 2a03:2880:f127:83:face:b00c:0:25de=[www.facebook.com, fb.com]
2: 31.13.74.36=[www.facebook.com, fb.com]

2: 2a03:2880:f027:13:face:b00c:0:2=[graph.facebook.com, messenger.com]
2: 2a03:2880:f127:83:face:b00c:0:25de=[www.facebook.com, fb.com]
2: 31.13.74.36=[www.facebook.com, fb.com]

Via Square’s VPN I get this:

2: 31.13.76.102=[graph.facebook.com, messenger.com]

Via LTE I get this:

2: 2a03:2880:f00b:1:face:b00c:0:1=[graph.facebook.com, messenger.com]
2: 2a03:2880:f10b:83:face:b00c:0:25de=[www.facebook.com, fb.com]
2: 31.13.74.1=[graph.facebook.com, messenger.com]
2: 31.13.74.36=[www.facebook.com, fb.com]

I’m unsure what action to take here, if any.

[swankjesse]

One more: I also see consistent overlaps with www.twitter.com and twitter.com, which is nice.

[yschimke]

Relevant to use of DNS for HTTP/2 coalescing https://labs.detectify.com/2018/01/12/how-i-exploited-acme-tls-sni-01-issuing-lets-encrypt-ssl-certs-for-any-domain-using-shared-hosting/

Shared hosting providers like Heroku are an attack vector since DNS results are shared widely

[yschimke]

When we tackle client load balancing, it might be a good time to review how to handle connection coalescing. Converge on a clean model (firefox vs chrome), and allow CDN/media endpoints to use distinct connection for media etc, rather than competing with API requests etc.

#4530

[yschimke]

I think we have a comfortable default behaviour here. load balancing is a different issue completely.