aha:

ddstreet@lp1886128:~$ sudo iptables -n -t security -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            168.63.129.16        owner UID match 0
DROP       tcp  --  0.0.0.0/0            168.63.129.16        ctstate INVALID,NEW
it seems like this is being added by walinuxagent:

Jul 13 16:21:15 lp1886128 python3[1298]: 2020/07/13 16:21:15.672132 INFO ExtHandler Successfully added Azure fabric firewall rules
Jul 13 16:21:15 lp1886128 python3[1298]: 2020/07/13 16:21:15.683188 INFO ExtHandler Firewall rules:
Jul 13 16:21:15 lp1886128 python3[1298]: Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
Jul 13 16:21:15 lp1886128 python3[1298]:  pkts bytes target     prot opt in     out     source               destination
Jul 13 16:21:15 lp1886128 python3[1298]: Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Jul 13 16:21:15 lp1886128 python3[1298]:  pkts bytes target     prot opt in     out     source               destination
Jul 13 16:21:15 lp1886128 python3[1298]: Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
Jul 13 16:21:15 lp1886128 python3[1298]:  pkts bytes target     prot opt in     out     source               destination
Jul 13 16:21:15 lp1886128 python3[1298]:     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            168.63.129.16        owner UID match 0
Jul 13 16:21:15 lp1886128 python3[1298]:     0     0 DROP       tcp  --  *      *       0.0.0.0/0            168.63.129.16        ctstate INVALID,NEW

** Also affects: walinuxagent (Ubuntu)
   Importance: Undecided
       Status: New

** Summary changed:

- systemd-resolved does not resolve address due to udp payload size.
+ walinuxagent blocks DNS fallback to TCP

** Changed in: systemd (Ubuntu)
       Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1886128

Title:
  walinuxagent blocks DNS fallback to TCP

Status in systemd package in Ubuntu:
  Invalid
Status in walinuxagent package in Ubuntu:
  New

Bug description:
  [impact]

  on azure instances, walinuxagent blocks all (new) TCP connections to
  the azure nameserver, which prevents fallback to TCP DNS for truncated
  dns queries

  [test case]

  on an azure instance:

  ddstreet@lp1886128:~$ systemd-resolve --status | grep Servers
           DNS Servers: 168.63.129.16
  ddstreet@lp1886128:~$ dig +retries=0 +timeout=1 +short +tcp @168.63.129.16 toomany100.ddstreet.org
  ;; connection timed out; no servers could be reached
  ;; Connection to 168.63.129.16#53(168.63.129.16) for toomany100.ddstreet.org failed: timed out.

  change the actual nameserver ip in the 'dig' command to match what
  resolved is configured with (which comes from dhcp)

  [regression potential]

  TBD

  [scope]

  TBD

  [original description]

  Description:    Ubuntu 18.04.4 LTS
  Release:        18.04

  systemd-resolve --version
  systemd 237
  +PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid

  We met an error: on an attempt to resolve an address, the following issue appears:

  ; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> mharder-formrec.cognitiveservices.azure.com
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44096
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 65494
  ;; QUESTION SECTION:
  ;mharder-formrec.cognitiveservices.azure.com. IN A

  ;; Query time: 231 msec
  ;; SERVER: 127.0.0.53#53(127.0.0.53)
  ;; WHEN: Tue Apr 28 20:47:14 UTC 2020
  ;; MSG SIZE  rcvd: 72

  Let me provide you important notes about the issue:
  1) It's not reproducing on Ubuntu 16;
  2) Bypassing systemd-resolve - everything works fine;
  3) Only the difference between systemd-resolve and END is UDP_PAYLOAD_SIZE

  Successful query:

  1135 16:27:25.964386 10.1.0.4 168.63.129.16 DNS 128 Standard query 0xc2d4 A mharder-formrec.cognitiveservices.azure.com OPT
  Domain Name System (query)
      Transaction ID: 0xc2d4
      Flags: 0x0120 Standard query
          0... .... .... .... = Response: Message is a query
          .000 0... .... .... = Opcode: Standard query (0)
          .... ..0. .... .... = Truncated: Message is not truncated
          .... ...1 .... .... = Recursion desired: Do query recursively
          .... .... .0.. .... = Z: reserved (0)
          .... .... ..1. .... = AD bit: Set
          .... .... ...0 .... = Non-authenticated data: Unacceptable
      Questions: 1
      Answer RRs: 0
      Authority RRs: 0
      Additional RRs: 1
      Queries
          mharder-formrec.cognitiveservices.azure.com: type A, class IN
      Additional records
          <Root>: type OPT
              Name: <Root>
              Type: OPT (41)
              UDP payload size: 4096
              Higher bits in extended RCODE: 0x00
              EDNS0 version: 0
              Z: 0x0000
                  0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
                  .000 0000 0000 0000 = Reserved: 0x0000
              Data length: 12
              Option: COOKIE

  Unsuccessful query:

  1128 16:27:25.713886 10.1.0.4 168.63.129.16 DNS 116 Standard query 0x198d A mharder-formrec.cognitiveservices.azure.com OPT
  Domain Name System (query)
      Transaction ID: 0x198d
      Flags: 0x0100 Standard query
          0... .... .... .... = Response: Message is a query
          .000 0... .... .... = Opcode: Standard query (0)
          .... ..0. .... .... = Truncated: Message is not truncated
          .... ...1 .... .... = Recursion desired: Do query recursively
          .... .... .0.. .... = Z: reserved (0)
          .... .... ...0 .... = Non-authenticated data: Unacceptable
      Questions: 1
      Answer RRs: 0
      Authority RRs: 0
      Additional RRs: 1
      Queries
          mharder-formrec.cognitiveservices.azure.com: type A, class IN
      Additional records
          <Root>: type OPT
              Name: <Root>
              Type: OPT (41)
              UDP payload size: 512
              Higher bits in extended RCODE: 0x00
              EDNS0 version: 0
              Z: 0x0000
                  0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
                  .000 0000 0000 0000 = Reserved: 0x0000
              Data length: 0

  Notable difference:
  Success: UDP payload size: 4096
  Failure: UDP payload size: 512

  And notable differences in the responses:

  Success:
      Flags: 0x8180 Standard query response, No error
          .... ..0. .... .... = Truncated: Message is not truncated

  Failure:
      Flags: 0x8380 Standard query response, No error
          .... ..1. .... .... = Truncated: Message is truncated

  Interestingly, systemd-resolved is setting the maximum payload size to 512
  regardless of whether EDNS0 is configured and regardless of what is sent to
  it for the payload size. I tried to find a way to change UDP_PAYLOAD_SIZE,
  but it seems it is only possible to change it with direct code modifications.
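The following is an added illustration, not code from the bug, from systemd-resolved or from walinuxagent. It builds a DNS query carrying an EDNS0 OPT record with a chosen UDP payload size (512 vs 4096 as in the two captures), reads the TC bit out of a reply header (0x8180 vs 0x8380), and applies the two walinuxagent OUTPUT rules to the TCP retry that a truncated reply triggers. The `fabric_firewall_allows` and `resolve_with_fallback` helpers, the uid values and the constructed reply bytes are assumptions made for the demonstration.

```python
import struct

AZURE_FABRIC_IP = "168.63.129.16"   # nameserver address from the bug report


def build_query(name, txid, udp_payload_size, ad_bit=False):
    """A query with one EDNS0 OPT record advertising udp_payload_size."""
    # Header: ID, flags, QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    flags = 0x0100 | (0x0020 if ad_bit else 0)   # RD; with AD set this is 0x0120
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    labels = [lbl.encode() for lbl in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)    # QTYPE A, QCLASS IN
    # OPT RR (RFC 6891): root name, TYPE 41, CLASS field = UDP payload size,
    # TTL field = extended RCODE / version / Z (all zero), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0, 0)
    return header + question + opt


def parse_flags(msg):
    """Decode the header fields that matter for truncation handling."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": bool(flags & 0x8000),
            "tc": bool(flags & 0x0200), "rcode": flags & 0x000F}


def fabric_firewall_allows(proto, dst, uid, ctstate):
    """Model (assumed, for illustration) of the two security-table OUTPUT rules:
       ACCEPT tcp -> 168.63.129.16  owner UID match 0
       DROP   tcp -> 168.63.129.16  ctstate INVALID,NEW
    """
    if proto == "tcp" and dst == AZURE_FABRIC_IP:
        if uid == 0:
            return True
        if ctstate in ("INVALID", "NEW"):
            return False
    return True    # chain policy ACCEPT


def resolve_with_fallback(udp_response, uid):
    """Outcome of a resolver's TC handling under those rules (assumed helper)."""
    if not parse_flags(udp_response)["tc"]:
        return "answered-udp"
    # A truncated reply means retrying over TCP, i.e. a NEW connection.
    if fabric_firewall_allows("tcp", AZURE_FABRIC_IP, uid, "NEW"):
        return "retried-tcp"
    return "tcp-fallback-blocked"
```

A non-root resolver process gets "tcp-fallback-blocked" for exactly the 0x8380 reply shown in the report, while a root-owned socket (the `owner UID match 0` rule) gets through.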