** Description changed:

+ [Impact]
+
+  * Certain WiFi captive portals do not support EDNS0 queries, as per RFC.
+  * Instead of responding with the captive portal IP address, they respond with domain not found
+  * This prevents the user from hitting the captive portal login page, able to authenticate, and gain access to the internets.
+
+ [The Fix]
+
+  * As per tcp dumps, the problem arises from receiving NXDOMAIN when queried with EDNS0
+  * And receiving the right response without EDNS0
+  * The solution was to downgrade transactions, and retry EDNS0 + NXDOMAIN result without EDNS0 with a hope of getting the right answer.
+
+ [Test Case]
+
+  * systemd-resolve securelogin.example.com
+  * journalctl -b -u systemd-resolve | grep DVE-2018
+
+ You should observe a warning message that transaction was retried
+ with a reduced feature level e.g. UDP or TCP.
+
+ After this test case is performed the result will be cached, therefore
+ to revert to pristine state perform
+
+  * systemd-resolve --flush-caches
+
+ [Regression Potential]
+
+  * The code retries, and then caches, NXDOMAIN results for certain
+ queries (those that have 'secure' in them) with and without EDNS0.
+
+  * Thus initial query for these domains may take longer, but hopefully
+ will manage to receive the correct response.
+
+  * Manufacturers are encouraged to correctly support EDNS0 queries, with
+ flag D0 set to zero.
+
+ [Other Info]
+
+  * This issue is tracked as a dns-violation at
+ https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md
+
+ [Original Bug report]
+
I have an odd network situation that I have so far managed to narrow down to the inability to resolve a domain via systemd-resolved which is resolvable with nslookup. If I use nslookup against the two nameservers on this network I get answers for the domain, but ping says it is unable to resolve the same domain (as do browsers and crucially the captive portal mechanism).
Here are details:

NSLOOKUP:
~$ nslookup securelogin.arubanetworks.com 208.67.220.220
Server: 208.67.220.220
Address: 208.67.220.220#53

Non-authoritative answer:
Name: securelogin.arubanetworks.com
Address: 172.22.240.242

~$ nslookup securelogin.arubanetworks.com 208.67.222.222
Server: 208.67.222.222
Address: 208.67.222.222#53

Non-authoritative answer:
Name: securelogin.arubanetworks.com
Address: 172.22.240.242
-
PING:
~$ ping securelogin.arubanetworks.com
ping: securelogin.arubanetworks.com: Name or service not known
- mark@mark-X1Y2:~$
-
+ mark@mark-X1Y2:~$

DIG:
~$ dig @208.67.222.222 securelogin.arubanetworks.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @208.67.222.222 securelogin.arubanetworks.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9416
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;securelogin.arubanetworks.com. IN A

;; AUTHORITY SECTION:
arubanetworks.com. 1991 IN SOA dns5.arubanetworks.com. hostmaster.arubanetworks.com. 1323935888 3600 200 1209600 86400

;; Query time: 34 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Wed Oct 25 10:31:10 CEST 2017
;; MSG SIZE rcvd: 144
-
MORE DIG:
~$ dig securelogin.arubanetworks.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> securelogin.arubanetworks.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3924
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;securelogin.arubanetworks.com. IN A

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed Oct 25 10:34:01 CEST 2017
;; MSG SIZE rcvd: 58

--
https://bugs.launchpad.net/bugs/1727237

Title:
  systemd-resolved is not finding a domain
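
The downgrade-and-retry behaviour described under [The Fix], as an added example that is not systemd's code and not part of the bug report. The function names, query IDs, TTL and the stand-in resolver are constructed for illustration; the answer address is the one from the nslookup output above, and the 'secure' condition follows the [Regression Potential] note.

```python
import struct

NXDOMAIN = 3

def build_query(name, qid, edns0):
    """Encode an A/IN query; with edns0=True append an OPT pseudo-record (RFC 6891)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1 if edns0 else 0)  # RD=1
    # OPT RR: root owner, TYPE 41, CLASS = UDP size 4096, TTL 0 (version 0, DO=0), RDLEN 0
    opt = (b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)) if edns0 else b""
    return header + qname + struct.pack("!HH", 1, 1) + opt

def rcode(packet):
    """RCODE is the low 4 bits of the flags word (header bytes 2-3)."""
    return struct.unpack("!H", packet[2:4])[0] & 0xF

def resolve_with_downgrade(name, send):
    """send(query_bytes) -> response_bytes. Returns (rcode, feature_level)."""
    reply = send(build_query(name, 0x1001, edns0=True))
    # Per the description: only NXDOMAIN for names containing 'secure' is retried.
    if rcode(reply) == NXDOMAIN and "secure" in name:
        reply = send(build_query(name, 0x1002, edns0=False))
        return rcode(reply), "UDP"
    return rcode(reply), "EDNS0"

def broken_portal_resolver(query):
    """Constructed stand-in for the faulty resolver: NXDOMAIN whenever OPT is present."""
    qid, _, _, _, _, arcount = struct.unpack("!6H", query[:12])
    question = query[12:len(query) - (11 if arcount else 0)]  # OPT RR above is 11 bytes
    if arcount:
        return struct.pack("!6H", qid, 0x8180 | NXDOMAIN, 1, 0, 0, 0) + question
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([172, 22, 240, 242])
    return struct.pack("!6H", qid, 0x8180, 1, 1, 0, 0) + question + answer

if __name__ == "__main__":
    print(resolve_with_downgrade("securelogin.example.com", broken_portal_resolver))
```

Passing a function that sends the bytes over a UDP socket to a real resolver in place of broken_portal_resolver turns this into a check for whether a given network shows the DVE-2018-0001 behaviour.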