Re: [reSIProcate] ares doesn't send query to DNS servers of other subnets
Are you sure we aren't just dealing with an issue around which order
servers are tried?
It violates the DNS specifications to ask another server once you get
a "no such name" answer.
(split DNS is a underspecified hack of the DNS system. The only sane
resolver strategy in the
face of split DNS that I've seen so far is to make sure your
resolving servers are listed in the order
that's most important to you).
To go down the path you propose will take us into very proprietary
behavior, and we'd eventually
have to argue about what to do if the same name exists with different
answers in two different
private DNS spaces (You have a vpn to A and to B and they both answer
queries for name N, but
with different results - what are you going to do?)
Before we go there, lets make sure we're honoring that most important
order already.
RjS
On Jul 13, 2007, at 8:14 PM, Van C. Nguyen wrote:
Below is a description of a limitation of ares and a proposed
solution. This
limitation I do not believe is limited to just Windows.
1.0) Brief description
When a host is connected to multiple subnets, via multiple
adapters: be they
physical or virtual, ares will only attempt to connect/send query
to the
first DNS server in its list of servers (ares_channeldata.servers),
while
not attempting the others when the query in question fails with 'No
such
name' (reply-code of 3, 0x0011). Ares will only attempt subsequent DNS
servers - be they secondary of the one just tried or primary to the
other
subnets - if it fails to connect to the current server or if the
request
times out.
The problem just described is most prevalent when one tries to
resolve a
hostname in the private network via VPN.
2.0) A little more detailed
Suppose you have the setup below with the order of
"Connections" (the order
of DNS servers to try) as follows:
Local LAN adapter
primary DNS server: 192.168.0.90
secondary DNS server: 192.168.0.91
subnet-mask: 255.255.0.0
VPN adapter
primary DNS server: 10.20.0.1
secondary DNS server: 10.20.0.2
subnet-mask: 255.255.255.0
- dns servers contain records for private host internal.example.com
The order of adapters (the subnet's DNS server to be used for name
resolution) can be viewed in Windows under:
'Control Panel | Network Connections | Advanced | Advanced Settings |
Adapters and Bindings'.
With the setup above, the ares' list of servers
(ares_channeldata.servers)
are as follows:
192.168.0.90, 192.168.0.91, 10.20.0.1, 10.20.0.2
Should a UA wants to resolve the target internal.example.com to
send the
REGISTER request:
* ares will send the DNS query to 192.168.0.90
* server will respond with 'No such name'
* ares will halt the operation and resip 503 the REGISTER request.
Other applications such as Firefox and IE would send the query to
the DNS
server associated with the adapter/subnet first in the list, then
should
that fail, try the second and so on. One can easily verify this by
snooping
on the two adapters.
3.0) Proposed solution
* Ares (struct server_state) should associate each DNS servers with
its
subnet, by way of its subnet address (subnet mask applied to DNS
server IP,
for V4 and subnet address bit range for V6 (2002::/64).
* For each subnets/adapters, there's a set of DNS servers: be it
primary,
secondary or tertiary. For each set, one and only one of the
servers will be
tried should the query response 'No such name' be received. All the
sets are
tried until, of course, success or exhausted.
* Save the subnet address in ares' server_state structure.
* Check for rcode of 3 in process_answer and call the new function
'next_server_of_subnet_which_we_havent_visited_before' or something
shorter.
Will post a patch sometime next week.
Van.
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.476 / Virus Database: 269.10.4/898 - Release Date:
7/12/2007
4:08 PM
_______________________________________________
resiprocate-devel mailing list
resiprocate-devel@xxxxxxxxxxxxxxxxxxxx
https://list.resiprocate.org/mailman/listinfo/resiprocate-devel