** Description changed:

+ 
+ [Impact] 
+ 
+  * Certain WiFi captive portals do not support EDNS0 queries, as per RFC.
+  * Instead of responding with the captive portal IP address, they resond with 
domain not found
+  * This prevents the user from hitting the captive portal login page, able to 
authenticate, and gain access to the internets.
+ 
+ [The Fix]
+ 
+  * As per tcp dumps, the problem arrises from receiving NXDOMAIN when queried 
with EDNS0
+  * And receiving the right response without EDNS0
+  * The solution was to downgrade transactions, and retry EDNS0 + NXDOMAIN 
result without EDNS0 with a hope of getting the right answer.
+ 
+ [Test Case]
+ 
+ * systemd-resolve securelogin.example.com
+ * journalctl -b -u systemd-resolve | grep DVE-2018
+ 
+ You should obverse that a warning message that transaction was retried
+ with a reduced feature level e.g. UDP or TCP.
+ 
+ After this test case is performed the result will be cached, therefore
+ to revert to pristine state perform
+ 
+ * systemd-resolve --flush-caches
+ 
+ [Regression Potential]
+ 
+  * The code retries, and then caches, NXDOMAIN results for certain
+ queries (those that have 'secure' in them) with and without EDNS0.
+ 
+  * Thus initial query for these domains may take longer, but hopefully
+ will manage to receive the correct response.
+ 
+  * Manufacturers are encouraged to correctly support EDNS0 queries, with
+ flag D0 set to zero.
+ 
+ [Other Info]
+  
+  * This issue is tracked as a dns-violation at
+ 
https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md
+ 
+ [Original Bug report]
+ 
  I have an odd network situation that I have so far managed to narrow
  down to the inability to resolve a domain via systemd-resolved which is
  resolvable with nslookup. If I use nslookup against the two nameservers
  on this network I get answers for the domain, but ping says it is unable
  to resolve the same domain (as do browsers and crucially the captive
  portal mechanism).
  
  Here are details:
  
  NSLOOKUP:
  
  ~$ nslookup securelogin.arubanetworks.com 208.67.220.220
  Server:               208.67.220.220
  Address:      208.67.220.220#53
  
  Non-authoritative answer:
  Name: securelogin.arubanetworks.com
  Address: 172.22.240.242
  
  ~$ nslookup securelogin.arubanetworks.com 208.67.222.222
  Server:               208.67.222.222
  Address:      208.67.222.222#53
  
  Non-authoritative answer:
  Name: securelogin.arubanetworks.com
  Address: 172.22.240.242
  
- 
  PING:
  
  ~$ ping securelogin.arubanetworks.com
  ping: securelogin.arubanetworks.com: Name or service not known
- mark@mark-X1Y2:~$ 
- 
+ mark@mark-X1Y2:~$
  
  DIG:
  
  ~$ dig @208.67.222.222 securelogin.arubanetworks.com
  
  ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @208.67.222.222 securelogin.arubanetworks.com
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9416
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
  
  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 4096
  ;; QUESTION SECTION:
  ;securelogin.arubanetworks.com.       IN      A
  
  ;; AUTHORITY SECTION:
  arubanetworks.com.    1991    IN      SOA     dns5.arubanetworks.com. 
hostmaster.arubanetworks.com. 1323935888 3600 200 1209600 86400
  
  ;; Query time: 34 msec
  ;; SERVER: 208.67.222.222#53(208.67.222.222)
  ;; WHEN: Wed Oct 25 10:31:10 CEST 2017
  ;; MSG SIZE  rcvd: 144
  
- 
  MORE DIG:
  
  ~$ dig securelogin.arubanetworks.com
  
  ; <<>> DiG 9.10.3-P4-Ubuntu <<>> securelogin.arubanetworks.com
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3924
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
  
  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 65494
  ;; QUESTION SECTION:
  ;securelogin.arubanetworks.com.       IN      A
  
  ;; Query time: 0 msec
  ;; SERVER: 127.0.0.53#53(127.0.0.53)
  ;; WHEN: Wed Oct 25 10:34:01 CEST 2017
  ;; MSG SIZE  rcvd: 58
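
Review bot: In [Test Case], the line "journalctl -b -u systemd-resolve | grep DVE-2018" names a unit that does not match the service this bug is filed against (systemd-resolved, per the title and the original report), so the grep would come back empty even when the retry took place; it should read "journalctl -b -u systemd-resolved | grep DVE-2018". In [Regression Potential], "flag D0" should be "DO" (letter O, the EDNS0 DNSSEC OK bit). Because the retried result is cached and the retry only applies to names containing 'secure', the test case would also benefit from stating what the first command is expected to print (a resolved address rather than a not-found error), so a tester can tell a successful downgrade from a cached NXDOMAIN.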

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727237

Title:
  systemd-resolved is not finding a domain
