Kresd responds to hints with nxdomain for AAAA requests

I have assigned some of my machines in the local network names for their IPv4 addresses using static leases in the dnsmasq config.

The name resolution works once on my Ubuntu-based workstation, and after that I have to clear the resolver cache on the Ubuntu workstation to get working DNS resolution again.

I have tracked the problem on the Ubuntu workstation and found that the resolver sends two queries, one for the A record and one for the AAAA record. The query for the A record is answered correctly by kresd, but for the AAAA query kresd responds with NXDOMAIN, which seems to flush the cache of the Ubuntu resolver and caches the NXDOMAIN for a while.

An A Query:

steve@steve-ThinkPad-T560:~$ dig akolus.home.example.com a @2a04:4540:4707:a800::1

; <<>> DiG 9.11.3-1ubuntu1.2-Ubuntu <<>> akolus.home.example.com a @2a04:4540:4707:a800::1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56270
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;akolus.home.example.com.	IN	A

;; ANSWER SECTION:
akolus.home.example.com. 0	IN	A	192.168.50.5

;; Query time: 0 msec
;; SERVER: 2a04:4540:4707:a800::1#53(2a04:4540:4707:a800::1)
;; WHEN: Wed Oct 03 18:03:40 CEST 2018
;; MSG SIZE  rcvd: 70

An AAAA Query:

steve@steve-ThinkPad-T560:~$ dig akolus.home.example.com aaaa @2a04:4540:4707:a800::1

; <<>> DiG 9.11.3-1ubuntu1.2-Ubuntu <<>> akolus.home.example.com aaaa @2a04:4540:4707:a800::1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62886
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;akolus.home.example.com.	IN	AAAA

;; AUTHORITY SECTION:
example.com.		74655	IN	SOA	ns1.example.com. hostmaster.example.com. 2017064198 28800 7200 604800 86400
;; Query time: 0 msec
;; SERVER: 2a04:4540:4707:a800::1#53(2a04:4540:4707:a800::1)
;; WHEN: Wed Oct 03 18:03:33 CEST 2018
;; MSG SIZE  rcvd: 105

From my understanding, kresd should not respond with NXDOMAIN for a record where a hint exists, even when the hint is for an A record and an AAAA record is queried.

cheerio
Steve

Thanks. There’s actually an option for this in the hints module, but ATM it’s off by default and Omnia doesn’t set it. I’ll look at this.

That option still won’t prevent kresd e.g. from answering NXDOMAIN for home.example.com, along with a DNSSEC proof that nothing exists in that subtree, but I “hope” such problems won’t be noticed by the default OS resolvers.

Out of curiosity, this is systemd-resolved, right?

@paja: can you pull this commit or something similar into the next Turris release? I consider it very unlikely to break anything.

1 Like

Merged into nightly branch. Thanks!

1 Like

Correct. In some regards it does a good job (split-horizon DNS for VPNs), but in other parts it can be a PITA.

Trying the change manually on my Turris yields the following error:

root@turris:/etc/init.d# /usr/bin/kresd -c /tmp/kresd.config -f 1 /tmp/kresd -a 0.0.0.0 53 -a :: 53 -k /etc/root.keys
/tmp/kresd.config:12: attempt to call field 'use_nodata' (a nil value)

Does this depend on a compile time option?

What’s your kresd --version? Current Omnia should have 2.4.1. hints.use_nodata() was introduced in 2.4.0.

EDIT: I tried the init change on my Omnia running current stable version, and it worked.
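As an added illustration (not configuration from this thread, from Turris, or from the Knot Resolver project), here is a minimal kresd configuration in its Lua config syntax that loads the hints module and enables the option named above, so that a name with only an A hint answers an AAAA query with NODATA (NOERROR, empty answer) instead of NXDOMAIN. The hostname and IPv4 address are the ones from the dig output earlier in the thread; listen addresses are left to the `-a` command-line flags as in the invocation above.

```lua
-- Added example kresd configuration (not from the thread or from Turris).
-- Listen addresses are supplied on the command line with -a, as in the
-- invocation shown in the thread, so none are configured here.

-- Load the static hints module ahead of the iterator so that hinted
-- names are answered locally before any upstream lookup is attempted.
modules = { 'hints > iterate' }

-- Without this, a query for a type that has no hint (here: AAAA for a
-- name that only has an A hint) falls through and can be answered
-- NXDOMAIN, which a stub resolver then negatively caches for every type.
-- With it, kresd answers NOERROR with an empty answer section (NODATA).
-- hints.use_nodata() is available from Knot Resolver 2.4.0 on.
hints.use_nodata(true)

-- Static hint: the hostname and IPv4 address from the dig output above.
hints['akolus.home.example.com'] = '192.168.50.5'
```

The check after applying this is the same AAAA query shown earlier: `dig akolus.home.example.com aaaa` should now return status NOERROR with ANSWER: 0 rather than NXDOMAIN. As noted in the reply above, a hint for a subdomain does not change the answer for its parent, so a query for home.example.com itself can still be answered NXDOMAIN.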

Hmm, I have the following version running:

root@turris:/etc/init.d# cat /etc/turris-version 
3.10.1
root@turris:/etc/init.d# kresd --version
Knot DNS Resolver, version 2.3.0

Well, you need to update to use this change.

After updating to 3.10.7 and applying the fix, my Ubuntu workstation resolves the local names!

Many thanks for your support,

cheerio
Steve