doggo supports osx scoped queries on accident, but doesn't report correctly #49

@logikal

Description

I use OSX's DNS configuration for scoped queries. I use this so my work-related private/internal domains are resolved using DNS servers in our infrastructure, but the rest of the internet is resolved using the "normal" resolvers.

It looks like doggo is doing a lookup that respects the scoped query functionality in osx, but it's happening transparently and causing doggo to "lie" about the origin of the answer. This suggests that resolver-specific queries are leaking to other resolvers silently.

doggo reports that the normal resolvers are answering for domains that should be responding with NXDOMAIN, and doesn't list the resolver for the scoped query at all:

> doggo -t cname logikal.test.record.foo.tld
NAME                                          	TYPE 	CLASS	TTL	ADDRESS                                                                	NAMESERVER
logikal.test.record.foo.tld	CNAME	IN   	30s	lb-name-abcd1234-1234567890.us-east-1.elb.amazonaws.com.	192.168.1.87:53
logikal.test.record.foo.tld	CNAME	IN   	30s	lb-name-abcd1234-1234567890.us-east-1.elb.amazonaws.com.	192.168.1.1:53
logikal.test.record.foo.tld	CNAME	IN   	30s	lb-name-abcd1234-1234567890.us-east-1.elb.amazonaws.com.	8.8.8.8:53
logikal.test.record.foo.tld	CNAME	IN   	30s	lb-name-abcd1234-1234567890.us-east-1.elb.amazonaws.com.	1.1.1.1:53

# those resolvers all actually report NXDOMAIN for the record
> doggo @udp://8.8.8.8 -t cname sean.test.record.foo.tld
NAME           	TYPE	CLASS	TTL 	ADDRESS                       	NAMESERVER	STATUS
foo.tld.	SOA 	IN   	900s	ns-1371.awsdns-43.org.        	8.8.8.8:53	NXDOMAIN
               	    	     	    	awsdns-hostmaster.amazon.com.
               	    	     	    	1 7200 900 1209600 86400

> doggo @udp://192.168.1.87 -t cname logikal.test.record.foo.tld
NAME           	TYPE	CLASS	TTL 	ADDRESS                       	NAMESERVER     	STATUS
foo.tld.	SOA 	IN   	900s	ns-1371.awsdns-43.org.        	192.168.1.87:53	NXDOMAIN
               	    	     	    	awsdns-hostmaster.amazon.com.
               	    	     	    	1 7200 900 1209600 86400

> doggo @udp://1.1.1.1 -t cname logikal.test.record.foo.tld
NAME           	TYPE	CLASS	TTL 	ADDRESS                       	NAMESERVER	STATUS
foo.tld.	SOA 	IN   	900s	ns-1371.awsdns-43.org.        	1.1.1.1:53	NXDOMAIN
               	    	     	    	awsdns-hostmaster.amazon.com.
               	    	     	    	1 7200 900 1209600 86400

> doggo @udp://192.168.1.1 -t cname logikal.test.record.foo.tld
NAME           	TYPE	CLASS	TTL 	ADDRESS                       	NAMESERVER    	STATUS
foo.tld.	SOA 	IN   	900s	ns-1371.awsdns-43.org.        	192.168.1.1:53	NXDOMAIN
               	    	     	    	awsdns-hostmaster.amazon.com.
               	    	     	    	1 7200 900 1209600 86400

# but the resolver for the scoped query does return the right answer for the query.
doggo @udp://10.100.0.2 logikal.test.record.foo.tld
NAME                                                                 	TYPE 	CLASS	TTL 	ADDRESS                                                              	NAMESERVER
logikal.test.record.foo.tld.                                     	CNAME	IN   	60s 	*.ssl.hub.foo.tld.                                              	10.100.0.2:53
*.ssl.hub.foo.tld.                                              	CNAME	IN   	300s	nlb-1234567890abcedf.elb.us-east-1.amazonaws.com.	10.100.0.2:53
nlb-1234567890abcedf.elb.us-east-1.amazonaws.com.	A    	IN   	60s 	1.2.3.4                                                        	10.100.0.2:53
nlb-1234567890abcedf.elb.us-east-1.amazonaws.com.	A    	IN   	60s 	1.2.3.4                                                         	10.100.0.2:53

My resolver configuration

# some irrelevant resolvers removed
scutil --dns
DNS configuration

resolver #1
  search domain[0] : foo.tld (my work domain)
  search domain[3] : hq (my LAN search domain)
  nameserver[0] : 192.168.1.87
  nameserver[1] : 192.168.1.1
  nameserver[2] : 8.8.8.8
  nameserver[3] : 1.1.1.1
  if_index : 13 (en4)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : foo.tld
  nameserver[0] : 10.100.0.2
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 102600

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : hq (my LAN search domain)
  nameserver[0] : 192.168.1.87
  nameserver[1] : 192.168.1.1
  nameserver[2] : 8.8.8.8
  nameserver[3] : 1.1.1.1
  if_index : 13 (en4)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  search domain[0] : hq (my LAN search domain)
  nameserver[0] : 192.168.1.87
  nameserver[1] : 192.168.1.1
  nameserver[2] : 8.8.8.8
  nameserver[3] : 1.1.1.1
  if_index : 15 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #3
  search domain[0] : foo.tld (my work domain)
  nameserver[0] : 10.100.0.2
  if_index : 26 (utun10)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)
