Bug 1826709

Summary: dnsmasq cannot forward DNS reply without qname
Product: Red Hat Enterprise Linux 8
Reporter: Petr Menšík <pemensik>
Component: dnsmasq
Assignee: Petr Menšík <pemensik>
Status: CLOSED WONTFIX
QA Contact: qe-baseos-daemons
Severity: low
Docs Contact:
Priority: low
Version: ---
CC: aegorenk, dougsland, pemensik, thozza, veillard
Target Milestone: rc
Flags: pm-rhel: mirror+
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1826691
Environment:
Last Closed: 2020-09-23 10:40:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1826691
Bug Blocks:

Description Petr Menšík 2020-04-22 11:44:55 UTC
+++ This bug was initially created as a clone of Bug #1826691 +++

Description of problem:
dnsmasq is not able to deliver a response to the client if the configured upstream forwarder replies with just a status code and no QNAME section present.

Unbound 1.6.6 sends such a reply when a non-recursive query is sent to it. If dnsmasq is forwarding to it, it will not deliver SERVFAIL or the original response; it would just time out.

Version-Release number of selected component (if applicable):
dnsmasq-2.80-13.fc30.x86_64

How reproducible:
always

Steps to Reproduce:
1. configure a forwarder to reply without qname (reply size 12 bytes)
2. set dnsmasq --server=[forwarder-ip]
3. dig @[dnsmasq-ip] some.example.com

Actual results:
; <<>> DiG 9.16.2-RedHat-9.16.2-1.fc30 <<>> -p 5354 @127.0.0.1 +norec nx.example.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached


Expected results:
status: SERVFAIL or exact response from the server


Additional info:

--- Additional comment from Petr Menšík on 2020-04-22 12:56:44 CEST ---

On localhost, unbound is supposed to run. When it replies without qname in the response, the dig in this script times out. It should receive at least SERVFAIL.

An alternative would be the ldns-utils package.

# quote the delimiter so the shell does not expand $TTL inside the heredoc
cat > testns << 'TESTNS'
$TTL 600

ENTRY_BEGIN
MATCH #nx.test
REPLY SERVFAIL QR
ADJUST copy_id
ENTRY_END
TESTNS

ldns-testns testns

Then run this script

--- Additional comment from Petr Menšík on 2020-04-22 13:09:19 CEST ---

Unbound 1.6.6 from RHEL/CentOS 7 would return REFUSED when dig +norec is directed at the default configuration. That reply is without qname. Qname was fixed in unbound 1.7.0; later versions' answers are properly forwarded.

--- Additional comment from Petr Menšík on 2020-04-22 13:38:24 CEST ---

Updated reproducer, also starting ldns-testns on "test". It provides a complete check of whether dnsmasq is able to handle replies without qname.

--- Additional comment from Petr Menšík on 2020-04-22 13:40:40 CEST ---

Reply without qname looks like this in DiG:

$ dig -p 8054 test

; <<>> DiG 9.16.2-RedHat-9.16.2-1.fc30 <<>> -p 8054 test
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29465
;; flags: qr; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; Query time: 0 msec
;; SERVER: 127.0.0.1#8054(127.0.0.1)
;; WHEN: Wed Apr 22 13:39:36 CEST 2020
;; MSG SIZE  rcvd: 12

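To make the shape of that 12-byte reply concrete, here is an added Python example. It is not code from dnsmasq, unbound or ldns, and not part of the bug report; it builds a query, produces both a header-only reply (ID copied, QR set, rcode set, QDCOUNT 0, exactly like the dig output above) and a reply that echoes the question section, and then shows the matching decision a forwarder has to make before handing a reply back to its client. The `accept_headerless` policy flag, the `serve()` helper and port 8054 are illustrative assumptions, not anything dnsmasq exposes.

```python
import socket
import struct

# DNS header: id, flags, qdcount, ancount, nscount, arcount (RFC 1035 section 4.1.1)
DNS_HEADER = struct.Struct("!HHHHHH")
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_REFUSED = 0, 2, 5
FLAG_QR, FLAG_RD = 0x8000, 0x0100
OPCODE_MASK = 0x7800


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name starting at off; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_query(qname, qid, qtype=1, rd=True):
    """A plain query with one question and no EDNS (constructed sample input)."""
    flags = FLAG_RD if rd else 0
    return DNS_HEADER.pack(qid, flags, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def header_only_reply(query, rcode):
    """What 'REPLY SERVFAIL QR / ADJUST copy_id' in ldns-testns produces:
    copy ID and opcode, set QR and rcode, all counts zero. Always 12 bytes."""
    qid, qflags = struct.unpack_from("!HH", query)
    return DNS_HEADER.pack(qid, FLAG_QR | (qflags & OPCODE_MASK) | rcode, 0, 0, 0, 0)


def full_reply(query, rcode):
    """Same rcode, but the question section is echoed back (the normal server behaviour)."""
    qid, qflags, qd, *_ = DNS_HEADER.unpack_from(query)
    _, off = decode_name(query, DNS_HEADER.size)
    question = query[DNS_HEADER.size:off + 4]  # name + qtype + qclass
    return DNS_HEADER.pack(qid, FLAG_QR | (qflags & OPCODE_MASK) | rcode, qd, 0, 0, 0) + question


def parse_message(msg):
    """Parse header and, if QDCOUNT > 0, the first question of a query or reply."""
    if len(msg) < DNS_HEADER.size:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(msg)
    info = {"id": qid, "qr": bool(flags & FLAG_QR), "rcode": flags & 0xF,
            "qdcount": qd, "qname": None, "qtype": None, "size": len(msg)}
    if qd:
        name, off = decode_name(msg, DNS_HEADER.size)
        info["qname"] = name
        info["qtype"] = struct.unpack_from("!H", msg, off)[0]
    return info


def reply_matches_query(query, reply, accept_headerless=False):
    """The check a forwarder makes before passing a reply to its client.
    With a question section present, ID, QNAME and QTYPE must all agree.
    With QDCOUNT = 0 the only binding left is the 16-bit ID (plus the socket it
    arrived on), so whether to accept it is a policy choice (assumed flag):
    False drops the reply and the client times out, as reported in this bug."""
    q = parse_message(query)
    r = parse_message(reply)
    if not r["qr"] or r["id"] != q["id"]:
        return False
    if r["qdcount"] == 0:
        return accept_headerless
    return r["qname"].lower() == q["qname"].lower() and r["qtype"] == q["qtype"]


def serve(port=8054, rcode=RCODE_SERVFAIL):
    """Tiny stand-in for ldns-testns: answer every UDP query with a header-only reply.
    Point dig -p 8054 or dnsmasq --server=127.0.0.1#8054 at it to reproduce the report."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", port))
    while True:
        data, peer = sock.recvfrom(4096)
        if len(data) >= DNS_HEADER.size:
            sock.sendto(header_only_reply(data, rcode), peer)


if __name__ == "__main__":
    serve()
```

Running `serve()` and querying it with `dig -p 8054 test` gives the same "QUERY: 0" / "MSG SIZE rcvd: 12" output shown above; `reply_matches_query` with the default strict policy is the case where the client never sees the SERVFAIL.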
--- Additional comment from Petr Menšík on 2020-04-22 13:42:45 CEST ---

Comment 2 Petr Menšík 2020-09-23 10:40:21 UTC
Because any known software on RHEL 8 produces such replies, I think it is not important to fix it now. When a proper fix is found with upstream, this can be reopened. Closing until the patch is present on Fedora.