
Incorrect addresses returned with interaction of static /etc/hosts with DNS64

Open davidsummers opened this issue 2 years ago • 4 comments

  • Program: Recursor
  • Issue type: Bug report

When using both the options:

export-etc-hosts=yes

dns64-prefix=2001:db8:abcd:64::/96

I believe there is a missing test to see whether an IPv6 address already exists for that host name, so that the DNS64 processing does not synthesize an IPv6 address if that host already has an IPv6 address configured in /etc/hosts.

Short description

It is returning the DNS64 synthesized address instead of the actual configured IPv6 address in the /etc/hosts file, even though the IPv6 address is configured in the /etc/hosts file.

DNS64 synthesized address should ONLY be generated if there is NOT a pre-configured IPv6 address for that host name in the /etc/hosts file.

Since the /etc/hosts was just recently fixed to add capability for IPv6 lookups in PDNS 4.8 (alpha) then this interaction may have been inadvertently overlooked.

Environment

  • Operating system: VyOS (Debian "Buster")
  • Software version: 1.3
  • Software source: PDNS 4.5 (compiled into VyOS 1.3)

Steps to reproduce

PDNS configuration file /run/powerdns/recursor.conf:

export-etc-hosts=yes
dns64-prefix=2001:db8:abcd:64::/96

Then when the /etc/hosts file has

10.1.10.51 myhost
2001:db8:abcd:10::51 myhost

Look up 'myhost' with:

$ host myhost

Expected behaviour

myhost has address 10.1.10.51
myhost has IPv6 address 2001:db8:abcd:10::51

Actual behaviour

myhost has address 10.1.10.51
myhost has IPv6 address 2001:db8:abcd:64::a01:a33

Other information

I just discovered that PDNS recursor just recently had code added to "export-etc-hosts" option to handle IPv6.

My theory is that the interaction between that and 'dns64-prefix' was overlooked.

davidsummers, Jul 08 '22 19:07

The version you are running (4.5.x) does not handle v6 addresses in /etc/hosts at all. This new functionality is not yet in a released version, it will be in 4.8.0, to be released in a few months.

For 4.5.x, if you make an auth-zone with the mapping you need, things should work.

omoerbeek, Jul 12 '22 06:07

Yes, sorry, I forgot to mention that I'm currently testing PDNS Recursor 4.8.0 ALPHA (unreleased) in VyOS 1.3.2 (unreleased) and that is where I noticed this problem.

If this problem could be resolved then I would have a complete DNS IPv6-only working system with just VyOS router (which uses PDNS Recursor) and no other software.

davidsummers, Jul 12 '22 15:07

Ah, in that case I think you are hitting upon a limitation in the current implementation, see #11690. An auth-zone could still be used as a workaround. I'll see if I can reproduce and provide an example of the workaround I have in mind.

omoerbeek, Jul 12 '22 15:07

OK, indeed, as the log shows, the v6 entry is skipped because there is already an entry for myhost. That is exactly the subject of #11690.

For a workaround, create a zone file local.zone:

$TTL 300
@              IN SOA  local.  hostmaster.local. (
                       1000000000 ; Serial number
                       60         ; Refresh every 1 minutes
                       60         ; Retry every minute
                       432000     ; Expire in 5 days
                       60 )       ; negative caching ttl 1 minute
               IN NS   localhost.

@ IN A 10.1.10.51 
@ IN AAAA 2001:db8:abcd:10::51

And use in recursor.conf:

auth-zones=myhost=.../local.zone
#export-etc-hosts=yes

This replaces the automatic /etc/hosts loading with your zone for myhost.

Then (I'm running my test recursor on port 5301):

$ dig @127.0.0.1 -p 5301 myhost a

; <<>> DiG 9.10.6 <<>> @127.0.0.1 -p 5301 myhost a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23015
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;myhost.				IN	A

;; ANSWER SECTION:
myhost.			271	IN	A	10.1.10.51

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5301(127.0.0.1)
;; WHEN: Wed Jul 13 10:23:22 CEST 2022
;; MSG SIZE  rcvd: 51

$ dig @127.0.0.1 -p 5301 myhost aaaa

; <<>> DiG 9.10.6 <<>> @127.0.0.1 -p 5301 myhost aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49152
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;myhost.				IN	AAAA

;; ANSWER SECTION:
myhost.			272	IN	AAAA	2001:db8:abcd:10::51

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5301(127.0.0.1)
;; WHEN: Wed Jul 13 10:23:24 CEST 2022
;; MSG SIZE  rcvd: 63

omoerbeek, Jul 13 '22 08:07
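To make the interaction between export-etc-hosts and dns64-prefix concrete, here is an added example; it is not PowerDNS Recursor code and not from either participant in the thread. It is a small Python model of the two features that reproduces both the reported behaviour (the v6 line is dropped because a line for myhost was already seen, as the comment above describes for #11690) and the expected behaviour (DNS64 synthesis only when a name has A records but no AAAA records), plus a check that tells a synthesized AAAA from a configured one. That last check is the one you would apply to the AAAA answer from the auth-zone workaround above: 2001:db8:abcd:10::51 is outside 2001:db8:abcd:64::/96, so it was not synthesized. The /etc/hosts content is constructed from the report, and the "first line for a name wins" rule is an assumption modelled on the comment's description, not taken from the recursor's source.

```python
# Added example, not PowerDNS Recursor code. Models export-etc-hosts plus
# dns64-prefix and checks whether an AAAA answer came from DNS64 synthesis.
import ipaddress

# DNS64 prefix from the report (must be a /96 for RFC 6052 style embedding).
DNS64_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:64::/96")

# Constructed /etc/hosts content mirroring the issue report.
ETC_HOSTS = """\
127.0.0.1 localhost
10.1.10.51 myhost
2001:db8:abcd:10::51 myhost
"""


def parse_etc_hosts(text, first_line_wins=False):
    """Return {name: {"A": [addrs], "AAAA": [addrs]}} from hosts-file text.

    first_line_wins=True is an assumption modelling the limitation described
    in the thread: once a name has been seen, later lines for it are skipped,
    so the IPv6 line for myhost is dropped.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        addr_str, *names = line.split()
        try:
            addr = ipaddress.ip_address(addr_str)
        except ValueError:
            continue                           # ignore malformed lines
        rtype = "A" if addr.version == 4 else "AAAA"
        for name in names:
            name = name.lower()
            if first_line_wins and name in table:
                continue                       # modelled bug: later lines ignored
            entry = table.setdefault(name, {"A": [], "AAAA": []})
            entry[rtype].append(addr)
    return table


def dns64_synthesize(ipv4, prefix=DNS64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 DNS64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper only handles /96 DNS64 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) + int(v4))


def resolve_aaaa(name, hosts, prefix=DNS64_PREFIX):
    """Answer an AAAA query from the hosts table.

    Synthesis happens only when the name has A records and no AAAA records,
    which is the behaviour the issue asks for.
    """
    entry = hosts.get(name.lower())
    if entry is None:
        return []
    if entry["AAAA"]:
        return list(entry["AAAA"])            # configured address wins
    return [dns64_synthesize(a, prefix) for a in entry["A"]]


def is_synthesized(addr, prefix=DNS64_PREFIX):
    """True if an AAAA answer lies inside the DNS64 prefix (i.e. was synthesized)."""
    return ipaddress.IPv6Address(addr) in prefix


if __name__ == "__main__":
    buggy = parse_etc_hosts(ETC_HOSTS, first_line_wins=True)
    fixed = parse_etc_hosts(ETC_HOSTS)
    print("reported:", [str(a) for a in resolve_aaaa("myhost", buggy)])
    print("expected:", [str(a) for a in resolve_aaaa("myhost", fixed)])
    for answer in ("2001:db8:abcd:64::a01:a33", "2001:db8:abcd:10::51"):
        print(answer, "synthesized" if is_synthesized(answer) else "configured")
```

Running the block prints the reported answer (2001:db8:abcd:64::a01:a33) under the modelled bug and the configured one (2001:db8:abcd:10::51) once the AAAA line is honoured. The is_synthesized check is prefix-based, so it works on any AAAA answer you pull out of dig, whether the record came from /etc/hosts, an auth-zone, or upstream.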

Should be fixed by #12203

omoerbeek, Jun 06 '23 06:06