
Re: [reSIProcate] ares doesn't send query to DNS servers of other subnets


Are you sure we aren't just dealing with an issue around which order servers are tried?

It violates the DNS specifications to ask another server once you get a "no such name" answer. (Split DNS is an underspecified hack of the DNS system. The only sane resolver strategy in the face of split DNS that I've seen so far is to make sure your resolving servers are listed in the order that's most important to you.)

To go down the path you propose will take us into very proprietary behavior, and we'd eventually have to argue about what to do if the same name exists with different answers in two different private DNS spaces (you have a VPN to A and to B and they both answer queries for name N, but with different results - what are you going to do?).

Before we go there, let's make sure we're honoring that most important order already.

RjS

On Jul 13, 2007, at 8:14 PM, Van C. Nguyen wrote:

Below is a description of a limitation of ares and a proposed solution. This
limitation I do not believe is limited to just Windows.


1.0) Brief description

When a host is connected to multiple subnets via multiple adapters, be they physical or virtual, ares will only attempt to connect/send a query to the first DNS server in its list of servers (ares_channeldata.servers), while not attempting the others when the query in question fails with 'No such name' (reply-code of 3, 0x0011). Ares will only attempt subsequent DNS servers - be they secondary of the one just tried or primary to the other subnets - if it fails to connect to the current server or if the request times out.

The problem just described is most prevalent when one tries to resolve a
hostname in the private network via VPN.


2.0) A little more detailed

Suppose you have the setup below with the order of "Connections" (the order
of DNS servers to try) as follows:

Local LAN adapter
   primary DNS server: 192.168.0.90
   secondary DNS server: 192.168.0.91
   subnet-mask: 255.255.0.0

VPN adapter
   primary DNS server: 10.20.0.1
   secondary DNS server: 10.20.0.2
   subnet-mask: 255.255.255.0
   - dns servers contain records for private host internal.example.com

The order of adapters (the subnet's DNS server to be used for name
resolution) can be viewed in Windows under:
'Control Panel | Network Connections | Advanced | Advanced Settings |
Adapters and Bindings'.

With the setup above, ares' list of servers (ares_channeldata.servers)
is as follows:
192.168.0.90, 192.168.0.91, 10.20.0.1, 10.20.0.2

Should a UA want to resolve the target internal.example.com to send the
REGISTER request:
* ares will send the DNS query to 192.168.0.90
* server will respond with 'No such name'
* ares will halt the operation and resip 503 the REGISTER request.

Other applications such as Firefox and IE would send the query to the DNS server associated with the adapter/subnet first in the list, then, should that fail, try the second and so on. One can easily verify this by snooping on the two adapters.


3.0) Proposed solution

* Ares (struct server_state) should associate each DNS server with its subnet, by way of its subnet address (subnet mask applied to the DNS server IP for V4, and the subnet address bit range for V6 (2002::/64)).

* For each subnet/adapter, there's a set of DNS servers: be it primary, secondary or tertiary. For each set, one and only one of the servers will be tried should the query response 'No such name' be received. All the sets are tried until, of course, success or exhausted.

* Save the subnet address in ares' server_state structure.

* Check for rcode of 3 in process_answer and call the new function
'next_server_of_subnet_which_we_havent_visited_before' or something shorter.

Will post a patch sometime next week.

Van.

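As an added illustration of the two server-selection strategies discussed in this thread (not code from ares, reSIProcate, or either poster), the following C simulation walks the server list from section 2.0 under the current rule (stop at the first 'No such name') and under the proposed rule (one server per subnet on 'No such name', next server of the same subnet on timeout). The `sim_server` struct, the `resolve_*` function names, the reply codes attached to each server and the answer address 10.20.5.7 are all constructed for this example; ares' real `server_state` has none of these fields.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Simulated reply of one server for the name being resolved (constructed). */
enum reply_code { REPLY_TIMEOUT = -1, REPLY_NOERROR = 0, REPLY_NXDOMAIN = 3 };

/* Hypothetical stand-in for ares' server_state, extended with the adapter's
 * subnet mask as the post proposes; code/answer drive the simulation. */
struct sim_server {
    const char *ip;        /* server address, dotted quad */
    const char *mask;      /* subnet mask of the adapter that configured it */
    enum reply_code code;  /* what this server answers for the test name */
    const char *answer;    /* A record returned on REPLY_NOERROR */
};

struct result {
    int rc;              /* 0 = resolved, 3 = NXDOMAIN, -1 = every server failed */
    const char *answer;  /* resolved address, or NULL */
    int queries_sent;    /* how many servers were actually asked */
};

/* Subnet key: IPv4 address ANDed with the adapter mask (host byte order). */
static uint32_t subnet_of(const char *ip, const char *mask)
{
    struct in_addr a, m;
    if (inet_pton(AF_INET, ip, &a) != 1 || inet_pton(AF_INET, mask, &m) != 1)
        return 0;
    return ntohl(a.s_addr) & ntohl(m.s_addr);
}

/* Behaviour the post describes: the first "No such name" ends the query;
 * only a connect failure or timeout advances to the next server. */
struct result resolve_stop_on_nxdomain(const struct sim_server *s, int n)
{
    struct result r = { -1, NULL, 0 };
    for (int i = 0; i < n; i++) {
        r.queries_sent++;
        if (s[i].code == REPLY_TIMEOUT)
            continue;                       /* unreachable: try the next one */
        r.rc = s[i].code;
        r.answer = (s[i].code == REPLY_NOERROR) ? s[i].answer : NULL;
        return r;
    }
    return r;
}

/* Proposed behaviour: servers are grouped by subnet; NXDOMAIN from one member
 * of a set skips the rest of that set, a timeout tries the next member of the
 * same set, and sets are visited in list order until one answers. */
struct result resolve_one_per_subnet(const struct sim_server *s, int n)
{
    struct result r = { -1, NULL, 0 };
    uint32_t done[16];                      /* subnets that already said NXDOMAIN */
    int ndone = 0, saw_nxdomain = 0;
    for (int i = 0; i < n; i++) {
        uint32_t key = subnet_of(s[i].ip, s[i].mask);
        int skip = 0;
        for (int j = 0; j < ndone; j++)
            if (done[j] == key) skip = 1;
        if (skip) continue;                 /* this subnet already said NXDOMAIN */
        r.queries_sent++;
        if (s[i].code == REPLY_TIMEOUT)
            continue;                       /* next server of the same set */
        if (s[i].code == REPLY_NOERROR) {
            r.rc = 0;
            r.answer = s[i].answer;
            return r;
        }
        saw_nxdomain = 1;                   /* NXDOMAIN: move on to the next set */
        if (ndone < 16) done[ndone++] = key;
    }
    if (saw_nxdomain) r.rc = REPLY_NXDOMAIN;
    return r;
}

/* Constructed scenario from the post: LAN servers first, VPN servers second,
 * only the VPN servers know internal.example.com (the address is made up). */
static const struct sim_server lan_then_vpn[] = {
    { "192.168.0.90", "255.255.0.0",   REPLY_NXDOMAIN, NULL },
    { "192.168.0.91", "255.255.0.0",   REPLY_NXDOMAIN, NULL },
    { "10.20.0.1",    "255.255.255.0", REPLY_NOERROR,  "10.20.5.7" },
    { "10.20.0.2",    "255.255.255.0", REPLY_NOERROR,  "10.20.5.7" },
};
/* Same order, but the VPN primary does not respond at all. */
static const struct sim_server vpn_primary_down[] = {
    { "192.168.0.90", "255.255.0.0",   REPLY_NXDOMAIN, NULL },
    { "192.168.0.91", "255.255.0.0",   REPLY_NXDOMAIN, NULL },
    { "10.20.0.1",    "255.255.255.0", REPLY_TIMEOUT,  NULL },
    { "10.20.0.2",    "255.255.255.0", REPLY_NOERROR,  "10.20.5.7" },
};

struct result demo_current(void)  { return resolve_stop_on_nxdomain(lan_then_vpn, 4); }
struct result demo_proposed(void) { return resolve_one_per_subnet(lan_then_vpn, 4); }
struct result demo_vpn_primary_down(void) { return resolve_one_per_subnet(vpn_primary_down, 4); }
```

Running the two scenarios shows the difference the post is about: the current rule sends one query and fails with rcode 3, the proposed rule sends two (one LAN server, then the first VPN server) and resolves, and when the VPN primary times out it asks the VPN secondary rather than giving up. It also makes the objection in the reply concrete: the result of `resolve_one_per_subnet` depends entirely on list order, so if two private subnets both answer for the same name, whichever set comes first in the list silently wins.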


_______________________________________________
resiprocate-devel mailing list
resiprocate-devel@xxxxxxxxxxxxxxxxxxxx
https://list.resiprocate.org/mailman/listinfo/resiprocate-devel