forwarding through Google's public DNS breaks (when validating)
Hi,
I am consistently getting a SERVFAIL error when trying to resolve platform.openai.com, even after restarting kresd:
$ dig A platform.openai.com
; <<>> DiG 9.18.16 <<>> A platform.openai.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37799
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 12 (NSEC Missing): (V5T7: forwarded EDE code)
;; QUESTION SECTION:
;platform.openai.com. IN A
;; ANSWER SECTION:
platform.openai.com. 96 IN CNAME platform.api.openai.com.
platform.api.openai.com. 16 IN CNAME platform.openai.com.cdn.cloudflare.net.
;; Query time: 400 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Sep 05 01:40:34 WEST 2023
;; MSG SIZE rcvd: 157
My kresd config:
net.listen('::1', 53, { kind = 'dns', freebind = true })
net.listen('127.0.0.1', 53, { kind = 'dns', freebind = true })
net.ipv6 = false
policy.add(policy.suffix(policy.DENY, { todname('use-application-dns.net') }))
policy.add(policy.suffix(policy.DEBUG_ALWAYS, policy.todnames({'platform.openai.com'})))
policy.add(policy.all(policy.TLS_FORWARD({
{ '8.8.8.8', hostname='dns.google', ca_file='/etc/ssl/certs/ca-bundle.crt' },
{ '8.8.4.4', hostname='dns.google', ca_file='/etc/ssl/certs/ca-bundle.crt' },
{ '2001:4860:4860::8888', hostname='dns.google', ca_file='/etc/ssl/certs/ca-bundle.crt' },
{ '2001:4860:4860::8844', hostname='dns.google', ca_file='/etc/ssl/certs/ca-bundle.crt' },
})))
I've attached kresd's syslog output for this query: debug.log
Note that querying the upstream servers directly seems to work fine, i.e. running dig A platform.openai.com @8.8.8.8 returns status: NOERROR and a couple of IP addresses.
Trying to resolve chat.openai.com also fails, but I haven't noticed any other query failures, i.e. kresd seems to be working fine otherwise.
Edited by Ricardo Correia
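As an added diagnostic example (not part of the report above and not Knot Resolver's own code): the script below parses dig's text output and pulls out the three things that matter when a validating forwarder returns SERVFAIL, namely the rcode, the Extended DNS Error (RFC 8914 code and text, here "12 (NSEC Missing)") and the CNAME chain the answer section already carries. The EDE code table is the RFC 8914 registry; codes 1, 2 and 5 through 12 are the DNSSEC-validation family, so a SERVFAIL tagged with one of them was produced by a validator rejecting data, not by an upstream being unreachable. The SERVFAIL reply from the report is used verbatim as sample input; the NOERROR reply for the direct @8.8.8.8 query is constructed, with 192.0.2.x documentation addresses standing in for the real ones.

```python
"""Parse dig text output and classify a SERVFAIL by its Extended DNS Error."""
import re

# RFC 8914, section 4 (Extended DNS Error codes).
EDE_NAMES = {
    0: "Other", 1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
    3: "Stale Answer", 4: "Forged Answer", 5: "DNSSEC Indeterminate", 6: "DNSSEC Bogus",
    7: "Signature Expired", 8: "Signature Not Yet Valid", 9: "DNSKEY Missing",
    10: "RRSIGs Missing", 11: "No Zone Key Bit Set", 12: "NSEC Missing",
    13: "Cached Error", 14: "Not Ready", 15: "Blocked", 16: "Censored", 17: "Filtered",
    18: "Prohibited", 19: "Stale NXDOMAIN Answer", 20: "Not Authoritative",
    21: "Not Supported", 22: "No Reachable Authority", 23: "Network Error",
    24: "Invalid Data",
}
# Codes a resolver emits when its own DNSSEC validation rejects the data.
DNSSEC_EDE = frozenset({1, 2, 5, 6, 7, 8, 9, 10, 11, 12})

STATUS_RE = re.compile(r"status: (\w+)")
# "; EDE: 12 (NSEC Missing): (V5T7: forwarded EDE code)"  -> code, name, extra text
EDE_RE = re.compile(r"^; EDE: (\d+)(?: \(([^)]*)\))?(?:: \((.*)\))?", re.M)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)")


def parse_dig(text):
    """Return rcode, EDE (code/name/extra) and the answer-section RRs."""
    m = STATUS_RE.search(text)
    rcode = m.group(1) if m else None
    ede = None
    m = EDE_RE.search(text)
    if m:
        code = int(m.group(1))
        ede = {"code": code, "name": EDE_NAMES.get(code, "Unassigned"),
               "extra": m.group(3) or ""}
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):          # next ";;" line ends the section
            in_answer = False
        r = RR_RE.match(line) if in_answer else None
        if r:
            answers.append({"name": r.group(1), "ttl": int(r.group(2)),
                            "type": r.group(3), "data": r.group(4)})
    return {"rcode": rcode, "ede": ede, "answers": answers}


def cname_chain(parsed, qname):
    """Follow CNAMEs from qname through the answer section (loop-safe)."""
    by_owner = {a["name"]: a["data"] for a in parsed["answers"] if a["type"] == "CNAME"}
    chain, seen = [qname], set()
    while chain[-1] in by_owner and chain[-1] not in seen:
        seen.add(chain[-1])
        chain.append(by_owner[chain[-1]])
    return chain


def classify(parsed):
    """Label a reply: was the SERVFAIL raised by DNSSEC validation?"""
    if parsed["rcode"] != "SERVFAIL":
        return "not-servfail"
    if parsed["ede"] is None:
        return "servfail-without-ede"
    if parsed["ede"]["code"] in DNSSEC_EDE:
        return "servfail-dnssec-validation"
    return "servfail-other"


# Sample 1: the failing reply from the report above, copied verbatim.
SERVFAIL_SAMPLE = """; <<>> DiG 9.18.16 <<>> A platform.openai.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37799
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 12 (NSEC Missing): (V5T7: forwarded EDE code)
;; QUESTION SECTION:
;platform.openai.com. IN A
;; ANSWER SECTION:
platform.openai.com. 96 IN CNAME platform.api.openai.com.
platform.api.openai.com. 16 IN CNAME platform.openai.com.cdn.cloudflare.net.
;; Query time: 400 msec
"""

# Sample 2: constructed stand-in for the direct @8.8.8.8 reply (192.0.2.x are
# documentation addresses, not the real records).
NOERROR_SAMPLE = """; <<>> DiG 9.18.16 <<>> A platform.openai.com @8.8.8.8
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;platform.openai.com. IN A
;; ANSWER SECTION:
platform.openai.com. 300 IN CNAME platform.api.openai.com.
platform.api.openai.com. 300 IN CNAME platform.openai.com.cdn.cloudflare.net.
platform.openai.com.cdn.cloudflare.net. 300 IN A 192.0.2.10
platform.openai.com.cdn.cloudflare.net. 300 IN A 192.0.2.11
;; Query time: 20 msec
"""

if __name__ == "__main__":
    for label, sample in (("kresd", SERVFAIL_SAMPLE), ("8.8.8.8", NOERROR_SAMPLE)):
        p = parse_dig(sample)
        print(label, classify(p), p["ede"], " -> ".join(cname_chain(p, "platform.openai.com.")))
```

The useful output is the pairing: the same CNAME chain comes back from both servers, but only the validating forwarder turns it into SERVFAIL, and the EDE it attaches is in the DNSSEC family, which is the signal to look at validation (the forwarded-EDE suffix says kresd relayed the code it got from upstream) rather than at connectivity to 8.8.8.8.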