Client side debuggingLowering DNS resolver support costs

Petr Špaček • petr.spacek@nic.cz • 2019-05-10

Motivation

Unable to connect

Firefox can’t establish a connection to the server attest.

The site could be temporarily unavailable or toobusy. Try again in a few moments.

If you are unable to load any pages, check yourcomputer’s network connection.

If your computer or network is protected by afirewall or proxy, make sure that Firefox ispermitted to access the Web.

Try Again

1

234

5

6

7

89 0

Motivation – support for Turris routers

1

234

5

6

7

89 0

Have you tried turning it offand back on again?

NOTIFICATIONS

DNSRouter Turris uses its own DNS resolver with DNSSEC support. It is capable of working

independently or it can forward your DNS queries your internet service provider's DNS

resolver.

Connection testHere you can test your internet connection. This test is also useful when you need to check

that your DNS resolving works as expected. Remember to click on the Save button if you

changed your forwarder setting.

Test type Status

DNS

DNSSEC

Use forwarding

DNS Forwarder

Disable DNSSEC

Enable DHCP clients in DNS

Use provider's DNS resolver

Discard changes

Save

Test connection

http://192.168.3.1/foris/config/main/dns/

5/7/19, 2:39 PM

NOTIFICATIONS

DNSRouter Turris uses its own DNS resolver with DNSSEC support. It is capable of working

independently or it can forward your DNS queries your internet service provider's DNS

resolver.

Connection testHere you can test your internet connection. This test is also useful when you need to check

that your DNS resolving works as expected. Remember to click on the Save button if you

changed your forwarder setting.

Test type Status

DNS

DNSSEC

Use forwarding

DNS Forwarder

Disable DNSSEC

Enable DHCP clients in DNS

Use provider's DNS resolver

Discard changes

Save

Test connection

http://192.168.3.1/foris/config/main/dns/

5/7/19, 2:39 PM

☒

☒

□

It still doesn’t work ...

● PEBKAC – www.google.cpm

● Client software – DoH!

● Network client – resolver

● Resolver – configuration

● Resolver – software bug

● Network resolver – resolver (forwarding)

● Network resolver – authoritative server

● Authoritative server

With automation (hopefully)

● PEBKAC – www.google.cpm

● Client software – DoH!

● Network client – resolver

● Resolver – configuration

● Resolver – software bug

● Network resolver – resolver (forwarding)

● Network resolver – authoritative server

● Authoritative server

Automating diagnostics

● Inspiration – RFC 8027

● DNSSEC Roadblock Avoidance● Taken couple steps further

● Idea – Auth server with static data

● Direct IP query – network test

● Forwarder – resolution chain

● Local resolver – local configuration

Implementation

● 3 DNS zones with constant data

● test.knot-resolver.cz● nsec.test.knot-resolver.cz● nsec3.test.knot-resolver.cz

● Hosted on CZ anycast

● Checker in Python

● https://gitlab.labs.nic.cz/knot/deckard/● tools/network_check.py● tools/forwarder_check.py

Test zone contenttest.knot-resolver.cz. 3600 TXT "Davku ve me o pln uvitani ..."

weird-type.test.knot-resolver.cz. TYPE20025 \# 4 DEADBEEF

unsigned.nsec3.test.knot-resolver.cz.NS blackhole-1.iana.org.

*.wild.nsec3.test.knot-resolver.cz. A 217.31.192.130

*.wildc.nsec3.test.knot-resolver.cz. CNAME target.wild.nsec3.test. ...

knot-resolver.cz.

tools/network_check.py

● Direct query – network hijack?

a.ns.nic.cz

$ dig @192.0.2.1 . NS

tools/forwarder_check.py

● Asking forwarders from DHCP

● Resolution chain?

a.ns.nic.czforwarder

???

tools/forwarder_check.py

● Asking resolver on the router

● Local config?

a.ns.nic.czforwarder

???

Forwarder checks● delegation_from_nsec3_to_unsigned_zone

● delegation_from_nsec_to_unsigned_zone

● negative_nsec3_answers

● negative_nsec_answers

● nonexistent_delegation_from_nsec

● nonexistent_delegation_from_nsec3

● nonexistent_type_nsec

● nonexistent_type_nsec3

Forwarder checks● returns_RRSIG

● supports_CD

● supports_DNSKEY

● supports_DO

● supports_DS

● supports_EDNS0

● supports_simple_answers

● unknown_rrtype

● zone_version

CLI$ python3 -m pytest -vv forwarder_check.py --forwarder 172.20.20.53

============================= test session starts ===========...collecting ... collected 33 items

forwarder_check.py::test_zone_version[172.20.20.53] PASSEDforwarder_check.py::test_supports_simple_answers[172.20.20.53-True] PASSEDforwarder_check.py::test_supports_simple_answers[172.20.20.53-False] PASSEDforwarder_check.py::test_supports_EDNS0[172.20.20.53-True] PASSEDforwarder_check.py::test_supports_EDNS0[172.20.20.53-False] PASSEDforwarder_check.py::test_supports_DO[172.20.20.53-True] PASSEDforwarder_check.py::test_supports_DO[172.20.20.53-False] PASSEDforwarder_check.py::test_supports_CD[172.20.20.53-True] PASSEDforwarder_check.py::test_supports_CD[172.20.20.53-False] PASSEDforwarder_check.py::test_returns_RRSIG[172.20.20.53-True] PASSEDforwarder_check.py::test_returns_RRSIG[172.20.20.53-False] PASSED...forwarder_check.py::test_nonexistent_type_nsec3[172.20.20.53-False] PASSEDforwarder_check.py::test_nonexistent_type_nsec[172.20.20.53-True] PASSEDforwarder_check.py::test_nonexistent_type_nsec[172.20.20.53-False] PASSED

========================== 33 passed in 0.28 seconds ================

CLI$ python3 -m pytest -vv forwarder_check.py --forwarder 217.31.204.130

forwarder_check.py::test_supports_simple_answers[217.31.204.130-True] FAILED

______________ test_supports_simple_answers[217.31.204.130-False] ___________forwarder = IPv4Address('217.31.204.130'), tcp = Falseexp = 'NOERROR', got = 'SERVFAIL'

Got answer:rcode SERVFAILflags QR RD RA;QUESTIONgood-a.test.knot-resolver.cz. IN A;ANSWER;AUTHORITY;ADDITIONAL

Matching: {'rcode', 'qtype', 'flags', 'opcode', 'qname', 'answer'}rcode NOERRORflags QR RD RA;QUESTIONgood-a.test.knot-resolver.cz. IN A;ANSWERgood-a.test.knot-resolver.cz. 3600 IN A 217.31.192.130;AUTHORITY;ADDITIONAL

Output for scripts (py.test)<testsuite errors="0" failures="25" name="pytest" skipped="0" tests="33" time="0.795">−

<testcase classname="tools.forwarder_check" file="tools/forwarder_check.py" line="26" name="test_zone_version[217.31.204.130]"time="0.034">

−

<failure message="pydnstest.matchpart.DataMismatch: expected "_version.test.knot-resolver.cz. 3600 IN TXT "1"" got """>+</failure><system-out>+ </system-out>

</testcase><testcase classname="tools.forwarder_check" file="tools/forwarder_check.py" line="46"name="test_supports_simple_answers[217.31.204.130-True]" time="0.009">

+

</testcase><testcase classname="tools.forwarder_check" file="tools/forwarder_check.py" line="46"name="test_supports_simple_answers[217.31.204.130-False]" time="0.003">

+

</testcase><testcase classname="tools.forwarder_check" file="tools/forwarder_check.py" line="58"name="test_supports_EDNS0[217.31.204.130-True]" time="0.005"/><testcase classname="tools.forwarder_check" file="tools/forwarder_check.py" line="58"name="test_supports_EDNS0[217.31.204.130-False]" time="0.003"/><testcase classname="tools.forwarder_check" file="tools/forwarder_check.py" line="68" name="test_supports_DO[217.31.204.130-True]" time="0.014"/><testcase classname="tools.forwarder_check" file="tools/forwarder_check.py" line="68" name="test_supports_DO[217.31.204.130-False]" time="0.003"/><testcase classname="tools.forwarder_check" file="tools/forwarder_check.py" line="79" name="test_supports_CD[217.31.204.130-True]" time="0.005"/><testcase classname="tools.forwarder_check" file="tools/forwarder_check.py" line="79" name="test_supports_CD[217.31.204.130-False]" time="0.005"/><testcase classname="tools.forwarder_check" file="tools/forwarder_check.py" line="103"name="test_returns_RRSIG[217.31.204.130-True]" time="0.005">

+

Web UI for expert users

Web UI for expert users

Difficulties – level 1

● Resolvers answer differently

● NOERROR AUTHORITY● AA● ...● Ignore differences => pydnstest/matchpart.py

● UDP vs. TCP

● IPv4 vs. IPv6

● Many tests => parallelization

Difficulties – level 2

● Packet size >= ?

● Probabilistic issues

● Some query types (TYPE???)

● Some query names

● ...

Next step

NOTIFICATIONS

DNSRouter Turris uses its own DNS resolver with DNSSEC support. It is capable of working

independently or it can forward your DNS queries your internet service provider's DNS

resolver.

Connection testHere you can test your internet connection. This test is also useful when you need to check

that your DNS resolving works as expected. Remember to click on the Save button if you

changed your forwarder setting.

Test type Status

DNS

DNSSEC

Use forwarding

DNS Forwarder

Disable DNSSEC

Enable DHCP clients in DNS

(hint: your network does not work properly with forwarding)

Use provider's DNS resolver

Discard changes

Save

Test connection

http://192.168.3.1/foris/config/main/dns/

5/7/19, 4:32 PM

☒

□

□

Try it, comment ...

● git clone https://gitlab.labs.nic.cz/knot/deckard/

● $ pip install --user -r deckard/requirements.txt

● $ cd deckard/tools

● $ py.test network_check.py --html=report.html

● $ py.test forwarder_check.py--forwarder=1.1.1.1 --html=report.html

● https://gitlab.labs.nic.cz/knot/deckard/issues/new