[nsd-users] NSD incorrectly logging DNAME as refused?

Jamie Landeg-Jones jamie at catflap.org
Tue Jul 9 02:15:49 UTC 2024


Willem Toorop <willem at nlnetlabs.nl> wrote:

> B.t.w. I've created a PR for it that resolves it (see 
> https://github.com/NLnetLabs/nsd/pull/346 ), but we may need to discuss 
> if and how to resolve it first. First I'd like to know if your 
> configuration is similar in that the CNAME or DNAME target does contain 
> an allow-query list.

Willem, thanks for the quick reply, and apologies for the delay in getting
back to you.

Apologies if I misunderstand you, but what I noticed, in my case, was that I was setting
a DNAME to point to a different domain that is not on my DNS server set at all
(a third-party provider), and it appeared to happen regardless of the ACL status of the remote server.
(Granted, it's probably the synthesised CNAME that triggers the log message
rather than the DNAME itself.)

I first did it with a remote server that did respond, and responded (correctly)
with NXDOMAIN.

The examples I quoted in my email were literal entries - i.e. the DNAME was
pointing to a remote server that didn't even exist.

Apologies for not being clear. Does this help? - I've modified my tests to these:

In my primary (and obviously, secondaries) DNS, I now have literally the
following entries. (Apologies to these guys for doing a quick test off
their nameservers!):

noexist-test.dyslexicfish.net. IN DNAME hello.example.com.
nx-test.dyslexicfish.net.      IN DNAME empty.as112.arpa.
cname-test.dyslexicfish.net.   IN DNAME sourceforge.net.
 
As the names suggest:

hello.example.com doesn't exist.
empty.as112.arpa accepts queries, but always responds with NXDOMAIN
sourceforge.net accepts queries, and always responds with a "catchall" cname.

So, with the above setup, I then log into a third-party unix account I have,
that is unrelated to my network / ip range / dns servers, and get this:

 | > host a1.cname-test.dyslexicfish.net.
 | cname-test.dyslexicfish.net has DNAME record sourceforge.net.
 | a1.cname-test.dyslexicfish.net is an alias for a1.sourceforge.net.
 | a1.sourceforge.net is an alias for projects.sourceforge.net.cdn.cloudflare.net.
 | projects.sourceforge.net.cdn.cloudflare.net has address 172.64.150.145
 | projects.sourceforge.net.cdn.cloudflare.net has address 104.18.37.111
 | projects.sourceforge.net.cdn.cloudflare.net has IPv6 address 2606:4700:4400::6812:256f
 | projects.sourceforge.net.cdn.cloudflare.net has IPv6 address 2606:4700:4400::ac40:9691
 | >
 | > host a1.nx-test.dyslexicfish.net.
 | Host a1.nx-test.dyslexicfish.net. not found: 3(NXDOMAIN)
 | >
 | > host a2.noexist-test.dyslexicfish.net.
 | Host a2.noexist-test.dyslexicfish.net. not found: 3(NXDOMAIN)
 | >

These results are as expected. However, on my own DNS servers, which
are authoritative for dyslexicfish.net, I get the following logged on 2 of them
(amnesia.dns.dyslexicfish.net (catnip)
and esparadis.dns.dyslexicfish.net (catwalk)):

4 Jul  9 02:39:07 <daemon.info> catnip nsd[99594]: query a1.cname-test.dyslexicfish.net. from 205.166.94.24 refused, no acl matches .
4 Jul  9 02:39:31 <daemon.info> catwalk nsd[14669]: query a1.nx-test.dyslexicfish.net. from 205.166.94.24 refused, no acl matches .
4 Jul  9 02:39:41 <daemon.info> catwalk nsd[14669]: query a1.noexist-test.dyslexicfish.net. from 205.166.94.24 refused, no acl matches .

So, the log message is getting logged regardless of whether the remote
nameserver exists or allows it.

I wouldn't have expected a log message for any of those cases -
indeed, as an authoritative nameserver, I wouldn't have expected
nsd to try to contact the remote servers at all - isn't its job
to just return the DNAME record (and, sure, the corresponding
synthesised CNAME for compatibility purposes) without knowing
or caring what those themselves resolve to? Isn't that the
responsibility of the calling recursive nameserver?

Incidentally, it's not just that the recursive DNS client may be
trying to coax nsd into doing some recursion; even the
following non-recursive lookup direct to the authoritative server:

 | > dig -4 +norecurse foo.cname-test.dyslexicfish.net @amnesia.dns.dyslexicfish.net.
 |
 | ; <<>> DiG 9.18.27 <<>> -4 +norecurse foo.cname-test.dyslexicfish.net @amnesia.dns.dyslexicfish.net.
 | ;; global options: +cmd
 | ;; Got answer:
 | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54018
 | ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
 |
 | ;; OPT PSEUDOSECTION:
 | ; EDNS: version: 0, flags:; udp: 4096
 | ;; QUESTION SECTION:
 | ;foo.cname-test.dyslexicfish.net. IN    A
 |
 | ;; ANSWER SECTION:
 | cname-test.dyslexicfish.net. 86400 IN   DNAME   sourceforge.net.
 | foo.cname-test.dyslexicfish.net. 86400 IN CNAME foo.sourceforge.net.
 |
 | ;; Query time: 137 msec
 | ;; SERVER: 104.238.172.250#53(amnesia.dns.dyslexicfish.net.) (UDP)
 | ;; WHEN: Tue Jul 09 02:07:59 UTC 2024
 | ;; MSG SIZE  rcvd: 119

... gives the correct response, but produces the log entry:

Jul  9 03:07:28 <daemon.info> catnip nsd[99683]: query foo.cname-test.dyslexicfish.net. from 205.166.94.9 refused, no acl matches .

I hope this makes sense. Please let me know if I've misunderstood what you
were saying.

Thanks, Jamie
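As an added illustration of the two points in the mail (that an authoritative server only needs to substitute the DNAME owner with its target to synthesise the CNAME, per RFC 6672 section 2.2, and that the "refused, no acl matches" lines above coincide with exactly such queries), here is a small Python script. It is example code written for this page, not part of NSD or of the poster's setup; the DNAME records and log lines are copied from the mail plus one constructed unrelated refusal, and the helper names (synthesize_cname, find_dname_refusals, DnameTooLong) are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed zone data: the three DNAME records from the mail.
DNAME_RECORDS: Dict[str, str] = {
    "noexist-test.dyslexicfish.net.": "hello.example.com.",
    "nx-test.dyslexicfish.net.": "empty.as112.arpa.",
    "cname-test.dyslexicfish.net.": "sourceforge.net.",
}

# Constructed sample: the four log lines quoted in the mail, plus one
# unrelated refusal (documentation address 192.0.2.10) for contrast.
SAMPLE_LOG: List[str] = [
    "4 Jul  9 02:39:07 <daemon.info> catnip nsd[99594]: query a1.cname-test.dyslexicfish.net. from 205.166.94.24 refused, no acl matches .",
    "4 Jul  9 02:39:31 <daemon.info> catwalk nsd[14669]: query a1.nx-test.dyslexicfish.net. from 205.166.94.24 refused, no acl matches .",
    "4 Jul  9 02:39:41 <daemon.info> catwalk nsd[14669]: query a1.noexist-test.dyslexicfish.net. from 205.166.94.24 refused, no acl matches .",
    "Jul  9 03:07:28 <daemon.info> catnip nsd[99683]: query foo.cname-test.dyslexicfish.net. from 205.166.94.9 refused, no acl matches .",
    "Jul  9 03:10:00 <daemon.info> catnip nsd[99683]: query other.dyslexicfish.net. from 192.0.2.10 refused, no acl matches .",
]

# Matches NSD's "query <name> from <addr> refused, no acl matches" message.
LOG_RE = re.compile(r"nsd\[\d+\]: query (\S+) from (\S+) refused, no acl matches")


class DnameTooLong(Exception):
    """The substituted name would exceed 255 octets (RFC 6672: answer YXDOMAIN)."""


def _normalize(name: str) -> str:
    """Lower-case and ensure a single trailing dot (DNS names compare case-insensitively)."""
    return name.lower().rstrip(".") + "."


def wire_length(name: str) -> int:
    """Length in octets of the name in wire format: one length byte per label plus the root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1


def synthesize_cname(qname: str, owner: str, target: str) -> Optional[str]:
    """RFC 6672 section 2.2 substitution: replace the DNAME owner suffix with the target.

    Returns the synthesized CNAME target, or None when the DNAME does not apply
    (the query name must be strictly below the owner; the owner itself is not rewritten).
    Raises DnameTooLong when the result would not fit in a 255-octet name.
    """
    qname, owner, target = _normalize(qname), _normalize(owner), _normalize(target)
    if qname == owner or not qname.endswith("." + owner):
        return None
    prefix = qname[: -len(owner) - 1]          # labels to the left of the owner
    result = prefix + "." + target
    if wire_length(result) > 255:
        raise DnameTooLong(result)
    return result


def find_dname_refusals(log_lines: List[str], dname_records: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (qname, source, dname_owner, synthesized_cname) for every refusal whose
    query name falls under a DNAME owner. These are the refusals the thread is about:
    the client still received a correct DNAME+CNAME answer, so the operator can
    separate them from refusals that reflect a genuine ACL miss."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname, src = m.group(1), m.group(2)
        for owner, target in dname_records.items():
            cname = synthesize_cname(qname, owner, target)
            if cname is not None:
                hits.append((qname, src, owner, cname))
    return hits


if __name__ == "__main__":
    for qname, src, owner, cname in find_dname_refusals(SAMPLE_LOG, DNAME_RECORDS):
        print(f"{qname} from {src}: under DNAME {owner}, client got CNAME {cname}")
```

Run over the constructed log, the first four lines are reported with the same CNAME targets the `host` and `dig` output above show (a1.sourceforge.net., a1.empty.as112.arpa., a1.hello.example.com., foo.sourceforge.net.), while the fifth, unrelated refusal is left alone.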
