Referral is sometimes sent in place of answer with DNS64 enabled
In my setup, it happens from time to time that Knot Resolver provides a wrong answer to a DoH client querying the A record of an IPv4-only name when the DNS64 module is active. It happens only when these conditions are met:
- the queried name is an apex name with an A but no AAAA record
- the dns64 module is loaded
- neither the queried rrset nor the nsset of the zone is in cache
- the client is using doh2 and asking concurrently for the A and AAAA record (the queries can come via completely independent HTTP/2 sessions though)
If all these conditions are fulfilled, then Knot Resolver sometimes answers the A query with a referral received from the parent zone of the queried name. I was able to reproduce the issue on these names:
- github.com
- duckduckgo.com
- liberec.cz
- ipv4only.arpa
Steps to reproduce
I reproduce the issue on Knot Resolver 5.7.1 installed from the EPEL repository on Fedora 39 with this configuration:
(cache size is set to lowest possible value to increase the probability of hitting the issue)
modules = {'dns64'}
net.listen('::1', 443, { kind = 'doh2' })
cache.size = 32768
user('knot-resolver','knot-resolver')
I use this script to keep repeating queries using the doh utility until A records are missing from the response. That happens after at most ca. 15 minutes:
#!/bin/bash
# Name to query; defaults to github.com when no argument is given
domain=${1-github.com}
# Enable debugging for the queried name in the running kresd instance
socat - unix-connect:/run/knot-resolver/control/1 <<EOF
policy.add(policy.suffix(policy.DEBUG_ALWAYS, policy.todnames({'$domain'})))
EOF
# Repeat the DoH query until the answer no longer carries an "A:" line
while true;
do
        date
        out="$(doh -k "$domain" https://[::1]/dns-query)";
        echo "$out";
        grep -q "^A:" <<<"$out" || break;
        sleep 1;
done
date
I was not able to reproduce the issue using the kdig tool, possibly because it sends queries sequentially and my shell was not fast enough to spawn a second instance of kdig before the first one finishes.
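To make the failure condition checkable without relying on the text output of the doh utility, here is an added example (not part of this report and not Knot Resolver code) that parses a DNS response in wire format, tells a real answer apart from the referral seen in the bad case (empty answer section, NS records only in the authority section), and reproduces the DNS64 mapping visible in the capture (192.0.0.170 to 64:ff9b::c000:aa). The two sample messages are constructed inline for the example and are not taken from the attached capture; the DNS64 helper assumes the well-known 64:ff9b::/96 prefix only.

```python
import ipaddress
import struct

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_AAAA = 1, 2, 6, 28
FLAG_QR, FLAG_AA = 0x8000, 0x0400


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_message(qname, qtype, flags, answers=(), authority=()):
    """Build a response with one question; answers/authority are (name, type, rdata) tuples."""
    header = struct.pack("!HHHHHH", 0, flags, 1, len(answers), len(authority), 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, rdata in (*answers, *authority):
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return header + body


def read_name(msg, off):
    """Read a possibly compressed name; return (lowercased name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), end if end is not None else off


def parse_message(msg):
    """Return (flags, {section: [(name, type, rdata), ...]}) for a DNS message."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((name, rtype, msg[off:off + rdlen]))
            off += rdlen
        sections[key] = rrs
    return flags, sections


def classify(msg, qtype):
    """'answer' if the requested type is present, 'referral' if only NS records in authority,
    'nodata' if a SOA marks an empty answer, 'error' on a non-zero RCODE."""
    flags, sec = parse_message(msg)
    if flags & 0x000F:
        return "error"
    if any(rtype == qtype for _, rtype, _ in sec["answer"]):
        return "answer"
    if sec["authority"] and all(rtype == TYPE_NS for _, rtype, _ in sec["authority"]):
        return "referral"  # a resolver must not hand this to a stub client
    if any(rtype == TYPE_SOA for _, rtype, _ in sec["authority"]):
        return "nodata"
    return "unknown"


def dns64_synthesize(a_rdata, prefix="64:ff9b::/96"):
    """Map a 4-byte A rdata into the low 32 bits of a /96 DNS64 prefix (RFC 6052 layout for /96)."""
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(a_rdata, "big")))


def synthesized_aaaa(msg):
    """The AAAA set a DNS64 resolver would synthesize from the A records in this answer."""
    _flags, sec = parse_message(msg)
    return [dns64_synthesize(rdata) for _, rtype, rdata in sec["answer"] if rtype == TYPE_A]


# Constructed samples: a correct A answer and the referral shape from the bad case.
SAMPLE_ANSWER = build_message("ipv4only.arpa", TYPE_A, FLAG_QR | FLAG_AA, answers=[
    ("ipv4only.arpa", TYPE_A, bytes([192, 0, 0, 170])),
    ("ipv4only.arpa", TYPE_A, bytes([192, 0, 0, 171])),
])
SAMPLE_REFERRAL = build_message("ipv4only.arpa", TYPE_A, FLAG_QR, authority=[
    ("ipv4only.arpa", TYPE_NS, encode_name("ns.icann.org")),
    ("ipv4only.arpa", TYPE_NS, encode_name("a.iana-servers.net")),
])

if __name__ == "__main__":
    for label, msg in (("good", SAMPLE_ANSWER), ("bad", SAMPLE_REFERRAL)):
        print(label, classify(msg, TYPE_A), synthesized_aaaa(msg))
```

The classify() result is what a monitoring loop would key on: anything other than "answer" or "nodata" for an A query of a name known to have A records indicates the resolver leaked a referral to the client.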
Packet capture of the issue
I am attaching a packet capture together with the TLS key log, as well as kresd syslogs of the issue demonstrated when querying ipv4only.arpa. The issue is very well visible with the Wireshark filter set to: lower(dns.qry.name) == "ipv4only.arpa"
Packets 31 - 188 show correct behavior, packets 256 - 422 show the issue, particularly packet 359 which contains the referral from packet 354 instead of the answer from packet 417:
No.     Protocol Info
     31 DoH      Standard query 0x0000 A ipv4only.arpa
     36 DoH      Standard query 0x0000 AAAA ipv4only.arpa
     65 DNS      Standard query 0x53fb AAAA ipV4oNlY.arpa OPT
     66 DNS      Standard query 0x9e3d A iPv4onLY.ARPA OPT
     67 DNS      Standard query response 0x53fb AAAA ipV4oNlY.arpa NS a.iana-servers.net NS b.iana-servers.net NS c.iana-servers.net NS ns.icann.org NSEC iris.arpa RRSIG OPT
     69 DNS      Standard query response 0x9e3d A iPv4onLY.ARPA NS a.iana-servers.net NS b.iana-servers.net NS c.iana-servers.net NS ns.icann.org NSEC iris.arpa RRSIG OPT
    108 DNS      Standard query 0xb804 AAAA iPV4oNLY.aRpa OPT
    124 DNS      Standard query response 0xb804 AAAA iPV4oNLY.aRpa SOA sns.dns.icann.org OPT
    142 DNS      Standard query 0x4de9 A Ipv4onlY.aRPa OPT
    144 DNS      Standard query response 0x4de9 A Ipv4onlY.aRPa NS a.iana-servers.net NS b.iana-servers.net NS c.iana-servers.net NS ns.icann.org NSEC iris.arpa RRSIG OPT
    174 DNS      Standard query 0xc998 A IpV4oNly.ARPa OPT
    179 DNS      Standard query response 0xc998 A IpV4oNly.ARPa A 192.0.0.170 A 192.0.0.171 NS a.iana-servers.net NS b.iana-servers.net NS c.iana-servers.net NS ns.icann.org OPT
    184 DoH      Standard query response 0x0000 AAAA ipv4only.arpa AAAA 64:ff9b::c000:aa AAAA 64:ff9b::c000:ab SOA sns.dns.icann.org
    188 DoH      Standard query response 0x0000 A ipv4only.arpa A 192.0.0.170 A 192.0.0.171
    256 DoH      Standard query 0x0000 A ipv4only.arpa
    261 DoH      Standard query 0x0000 AAAA ipv4only.arpa
    287 DNS      Standard query 0x23b6 AAAA ipV4oNlY.arPa OPT
    288 DNS      Standard query 0x8503 A IpV4ONLy.ARpA OPT
    292 DNS      Standard query response 0x23b6 AAAA ipV4oNlY.arPa NS a.iana-servers.net NS b.iana-servers.net NS c.iana-servers.net NS ns.icann.org NSEC iris.arpa RRSIG OPT
    293 DNS      Standard query response 0x8503 A IpV4ONLy.ARpA NS b.iana-servers.net NS ns.icann.org NS a.iana-servers.net NS c.iana-servers.net NSEC iris.arpa RRSIG OPT
    328 DNS      Standard query 0x4ab4 AAAA iPV4ONLy.arpa OPT
    330 DNS      Standard query response 0x4ab4 AAAA iPV4ONLy.arpa SOA sns.dns.icann.org OPT
    350 DNS      Standard query 0x17fa A ipv4ONLY.ARpa OPT
    354 DNS      Standard query response 0x17fa A ipv4ONLY.ARpa NS a.iana-servers.net NS b.iana-servers.net NS c.iana-servers.net NS ns.icann.org NSEC iris.arpa RRSIG OPT
    359 DoH      Standard query response 0x0000 A ipv4only.arpa NS ns.icann.org NS a.iana-servers.net NS b.iana-servers.net NS c.iana-servers.net
    407 DNS      Standard query 0x0f40 A IPv4oNly.arpA OPT
    417 DNS      Standard query response 0x0f40 A IPv4oNly.arpA A 192.0.0.170 A 192.0.0.171 NS a.iana-servers.net NS b.iana-servers.net NS c.iana-servers.net NS ns.icann.org OPT
    422 DoH      Standard query response 0x0000 AAAA ipv4only.arpa AAAA 64:ff9b::c000:aa AAAA 64:ff9b::c000:ab SOA sns.dns.icann.org