Improve name matching in DNS answers (#11474)
__Motivation__ Upon receiving a DNS answer, we match whether the name in the question matches the name in the record. Some DNS servers we have encountered append a search domain to the record name which fails this match. eg: for question name `netty` and search domains `io` and `com`, we will do 2 queries: `netty.io.` and `netty.com.`, if the answer for `netty.io` contains `netty.com` then we ignore this record. __Modification__ If the name in the record does not match the name in the question, append configured search domains to the question name to see if it matches the record name. __Result__ Records names with appended search domains are still returned as valid answers.
This commit is contained in:
parent
0c411859eb
commit
ef7224480c
@ -39,6 +39,8 @@ import io.netty.util.concurrent.Promise;
|
||||
import io.netty.util.internal.PlatformDependent;
|
||||
import io.netty.util.internal.StringUtil;
|
||||
import io.netty.util.internal.ThrowableUtil;
|
||||
import io.netty.util.internal.logging.InternalLogger;
|
||||
import io.netty.util.internal.logging.InternalLoggerFactory;
|
||||
|
||||
import java.net.InetAddress;
|
||||
import java.net.InetSocketAddress;
|
||||
@ -60,6 +62,7 @@ import static java.lang.Math.min;
|
||||
import static java.util.Objects.requireNonNull;
|
||||
|
||||
abstract class DnsResolveContext<T> {
|
||||
private static final InternalLogger logger = InternalLoggerFactory.getInstance(DnsResolveContext.class);
|
||||
|
||||
private static final RuntimeException NXDOMAIN_QUERY_FAILED_EXCEPTION =
|
||||
DnsResolveContextException.newStatic("No answer found and NXDOMAIN response code returned",
|
||||
@ -771,12 +774,41 @@ abstract class DnsResolveContext<T> {
|
||||
} while (resolved != null);
|
||||
|
||||
if (resolved == null) {
|
||||
continue;
|
||||
assert questionName.isEmpty() || questionName.charAt(questionName.length() - 1) == '.';
|
||||
|
||||
for (String searchDomain : parent.searchDomains()) {
|
||||
if (searchDomain.isEmpty()) {
|
||||
continue;
|
||||
}
|
||||
|
||||
final String fqdn;
|
||||
if (searchDomain.charAt(searchDomain.length() - 1) == '.') {
|
||||
fqdn = questionName + searchDomain;
|
||||
} else {
|
||||
fqdn = questionName + searchDomain + '.';
|
||||
}
|
||||
if (recordName.equals(fqdn)) {
|
||||
resolved = recordName;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (resolved == null) {
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("Ignoring record {} as it contains a different name than the " +
|
||||
"question name [{}]. Cnames: {}, Search domains: {}",
|
||||
r.toString(), questionName, cnames, parent.searchDomains());
|
||||
}
|
||||
continue;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
final T converted = convertRecord(r, hostname, additionals, parent.executor());
|
||||
if (converted == null) {
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("Ignoring record {} as the converted record is null. hostname [{}], Additionals: {}",
|
||||
r.toString(), hostname, additionals);
|
||||
}
|
||||
continue;
|
||||
}
|
||||
|
||||
|
@ -84,7 +84,6 @@ import java.nio.ByteBuffer;
|
||||
import java.nio.charset.Charset;
|
||||
import java.util.ArrayDeque;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
@ -109,6 +108,7 @@ import java.util.concurrent.atomic.AtomicBoolean;
|
||||
import java.util.concurrent.atomic.AtomicInteger;
|
||||
import java.util.concurrent.atomic.AtomicReference;
|
||||
import org.junit.jupiter.api.Timeout;
|
||||
import org.junit.jupiter.api.function.Executable;
|
||||
|
||||
import static io.netty.handler.codec.dns.DnsRecordType.A;
|
||||
import static io.netty.handler.codec.dns.DnsRecordType.AAAA;
|
||||
@ -117,6 +117,8 @@ import static io.netty.handler.codec.dns.DnsRecordType.NAPTR;
|
||||
import static io.netty.handler.codec.dns.DnsRecordType.SRV;
|
||||
import static io.netty.resolver.dns.DnsNameResolver.DEFAULT_RESOLVE_ADDRESS_TYPES;
|
||||
import static io.netty.resolver.dns.DnsServerAddresses.sequential;
|
||||
import static io.netty.resolver.dns.TestDnsServer.newARecord;
|
||||
import static java.util.Arrays.asList;
|
||||
import static java.util.Collections.singletonList;
|
||||
import static org.assertj.core.api.Assumptions.assumeThat;
|
||||
import static org.hamcrest.MatcherAssert.assertThat;
|
||||
@ -124,6 +126,7 @@ import static org.hamcrest.Matchers.greaterThan;
|
||||
import static org.hamcrest.Matchers.hasSize;
|
||||
import static org.hamcrest.Matchers.instanceOf;
|
||||
import static org.hamcrest.Matchers.is;
|
||||
import static org.hamcrest.Matchers.startsWith;
|
||||
import static org.junit.jupiter.api.Assertions.assertEquals;
|
||||
import static org.junit.jupiter.api.Assertions.assertFalse;
|
||||
import static org.junit.jupiter.api.Assertions.assertNotEquals;
|
||||
@ -144,7 +147,7 @@ public class DnsNameResolverTest {
|
||||
// $ curl -O https://s3.amazonaws.com/alexa-static/top-1m.csv.zip
|
||||
// $ unzip -o top-1m.csv.zip top-1m.csv
|
||||
// $ head -100 top-1m.csv | cut -d, -f2 | cut -d/ -f1 | while read L; do echo '"'"$L"'",'; done > topsites.txt
|
||||
private static final Set<String> DOMAINS = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
|
||||
private static final Set<String> DOMAINS = Collections.unmodifiableSet(new HashSet<>(asList(
|
||||
"google.com",
|
||||
"youtube.com",
|
||||
"facebook.com",
|
||||
@ -285,7 +288,7 @@ public class DnsNameResolverTest {
|
||||
static {
|
||||
EXCLUSIONS_RESOLVE_AAAA.addAll(EXCLUSIONS_RESOLVE_A);
|
||||
EXCLUSIONS_RESOLVE_AAAA.addAll(DOMAINS);
|
||||
EXCLUSIONS_RESOLVE_AAAA.removeAll(Arrays.asList(
|
||||
EXCLUSIONS_RESOLVE_AAAA.removeAll(asList(
|
||||
"google.com",
|
||||
"facebook.com",
|
||||
"youtube.com",
|
||||
@ -379,6 +382,12 @@ public class DnsNameResolverTest {
|
||||
|
||||
private static DnsNameResolverBuilder newResolver(boolean decodeToUnicode,
|
||||
DnsServerAddressStreamProvider dnsServerAddressStreamProvider) {
|
||||
return newResolver(decodeToUnicode, dnsServerAddressStreamProvider, dnsServer);
|
||||
}
|
||||
|
||||
private static DnsNameResolverBuilder newResolver(boolean decodeToUnicode,
|
||||
DnsServerAddressStreamProvider dnsServerAddressStreamProvider,
|
||||
TestDnsServer dnsServer) {
|
||||
DnsNameResolverBuilder builder = new DnsNameResolverBuilder(group.next())
|
||||
.dnsQueryLifecycleObserverFactory(new TestRecursiveCacheDnsQueryLifecycleObserverFactory())
|
||||
.channelType(NioDatagramChannel.class)
|
||||
@ -586,7 +595,7 @@ public class DnsNameResolverTest {
|
||||
DnsNameResolver resolver = newNonCachedResolver(ResolvedAddressTypes.IPV4_ONLY).build();
|
||||
try {
|
||||
List<InetAddress> addrs = resolver.resolveAll(inetHost).syncUninterruptibly().getNow();
|
||||
assertEquals(Arrays.asList(
|
||||
assertEquals(asList(
|
||||
SocketUtils.allAddressesByName(inetHost)), addrs);
|
||||
} finally {
|
||||
resolver.close();
|
||||
@ -1348,7 +1357,7 @@ public class DnsNameResolverTest {
|
||||
|
||||
List<InetAddress> resolvedAll = resolver.resolveAll("netty.com").syncUninterruptibly().getNow();
|
||||
List<InetAddress> expected = types == ResolvedAddressTypes.IPV4_PREFERRED ?
|
||||
Arrays.asList(ipv4InetAddress, ipv6InetAddress) : Arrays.asList(ipv6InetAddress, ipv4InetAddress);
|
||||
asList(ipv4InetAddress, ipv6InetAddress) : asList(ipv6InetAddress, ipv4InetAddress);
|
||||
assertEquals(expected, resolvedAll);
|
||||
} finally {
|
||||
nonCompliantDnsServer.stop();
|
||||
@ -1361,7 +1370,7 @@ public class DnsNameResolverTest {
|
||||
final String hostname2 = "some2.record.netty.io";
|
||||
|
||||
final TestDnsServer dnsServerAuthority = new TestDnsServer(new HashSet<>(
|
||||
Arrays.asList(hostname, hostname2)));
|
||||
asList(hostname, hostname2)));
|
||||
dnsServerAuthority.start();
|
||||
|
||||
TestDnsServer dnsServer = new RedirectingTestDnsServer(hostname,
|
||||
@ -1498,17 +1507,20 @@ public class DnsNameResolverTest {
|
||||
// This is used to simulate a query timeout...
|
||||
final DatagramSocket socket = new DatagramSocket(new InetSocketAddress(0));
|
||||
|
||||
final TestDnsServer dnsServerAuthority = new TestDnsServer(question -> {
|
||||
if (question.getDomainName().equals(expected.getHostName())) {
|
||||
return Collections.singleton(TestDnsServer.newARecord(
|
||||
expected.getHostName(), expected.getHostAddress()));
|
||||
final TestDnsServer dnsServerAuthority = new TestDnsServer(new RecordStore() {
|
||||
@Override
|
||||
public Set<ResourceRecord> getRecords(QuestionRecord question) {
|
||||
if (question.getDomainName().equals(expected.getHostName())) {
|
||||
return Collections.singleton(newARecord(
|
||||
expected.getHostName(), expected.getHostAddress()));
|
||||
}
|
||||
return Collections.emptySet();
|
||||
}
|
||||
return Collections.emptySet();
|
||||
});
|
||||
dnsServerAuthority.start();
|
||||
|
||||
TestDnsServer redirectServer = new TestDnsServer(new HashSet<>(
|
||||
Arrays.asList(expected.getHostName(), ns1Name, ns2Name))) {
|
||||
asList(expected.getHostName(), ns1Name, ns2Name))) {
|
||||
@Override
|
||||
protected DnsMessage filterMessage(DnsMessage message) {
|
||||
for (QuestionRecord record: message.getQuestionRecords()) {
|
||||
@ -1642,7 +1654,7 @@ public class DnsNameResolverTest {
|
||||
InetAddress.getByAddress(ns1Name, new byte[] { 10, 0, 0, 4 }),
|
||||
DefaultDnsServerAddressStreamProvider.DNS_PORT);
|
||||
|
||||
TestDnsServer redirectServer = new TestDnsServer(new HashSet<>(Arrays.asList(hostname, ns1Name))) {
|
||||
TestDnsServer redirectServer = new TestDnsServer(new HashSet<>(asList(hostname, ns1Name))) {
|
||||
@Override
|
||||
protected DnsMessage filterMessage(DnsMessage message) {
|
||||
for (QuestionRecord record: message.getQuestionRecords()) {
|
||||
@ -1661,7 +1673,7 @@ public class DnsNameResolverTest {
|
||||
}
|
||||
|
||||
private ResourceRecord newARecord(InetSocketAddress address) {
|
||||
return TestDnsServer.newARecord(address.getHostName(), address.getAddress().getHostAddress());
|
||||
return newARecord(address.getHostName(), address.getAddress().getHostAddress());
|
||||
}
|
||||
};
|
||||
redirectServer.start();
|
||||
@ -1770,7 +1782,8 @@ public class DnsNameResolverTest {
|
||||
final InetSocketAddress ns5Address = new InetSocketAddress(
|
||||
InetAddress.getByAddress(ns2Name, new byte[] { 10, 0, 0, 5 }),
|
||||
DefaultDnsServerAddressStreamProvider.DNS_PORT);
|
||||
TestDnsServer redirectServer = new TestDnsServer(new HashSet<>(Arrays.asList(hostname, ns1Name))) {
|
||||
|
||||
TestDnsServer redirectServer = new TestDnsServer(new HashSet<>(asList(hostname, ns1Name))) {
|
||||
@Override
|
||||
protected DnsMessage filterMessage(DnsMessage message) {
|
||||
for (QuestionRecord record: message.getQuestionRecords()) {
|
||||
@ -1791,7 +1804,7 @@ public class DnsNameResolverTest {
|
||||
}
|
||||
|
||||
private ResourceRecord newARecord(InetSocketAddress address) {
|
||||
return TestDnsServer.newARecord(address.getHostName(), address.getAddress().getHostAddress());
|
||||
return newARecord(address.getHostName(), address.getAddress().getHostAddress());
|
||||
}
|
||||
};
|
||||
redirectServer.start();
|
||||
@ -1886,6 +1899,71 @@ public class DnsNameResolverTest {
|
||||
testNsLoopFailsResolve(NoopAuthoritativeDnsServerCache.INSTANCE);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testRRNameContainsDifferentSearchDomainNoDomains() {
|
||||
CompletionException e = assertThrows(CompletionException.class, new Executable() {
|
||||
@Override
|
||||
public void execute() throws Throwable {
|
||||
testRRNameContainsDifferentSearchDomain(Collections.emptyList(), "netty");
|
||||
}
|
||||
});
|
||||
assertThat(e.getCause(), instanceOf(UnknownHostException.class));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testRRNameContainsDifferentSearchDomainEmptyExtraDomain() throws Exception {
|
||||
testRRNameContainsDifferentSearchDomain(asList("io", ""), "netty");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testRRNameContainsDifferentSearchDomainSingleExtraDomain() throws Exception {
|
||||
testRRNameContainsDifferentSearchDomain(asList("io", "foo.dom"), "netty");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testRRNameContainsDifferentSearchDomainMultiExtraDomains() throws Exception {
|
||||
testRRNameContainsDifferentSearchDomain(asList("com", "foo.dom", "bar.dom"), "google");
|
||||
}
|
||||
|
||||
private static void testRRNameContainsDifferentSearchDomain(final List<String> searchDomains, String unresolved)
|
||||
throws Exception {
|
||||
final String ipAddrPrefix = "1.2.3.";
|
||||
TestDnsServer searchDomainServer = new TestDnsServer(new RecordStore() {
|
||||
@Override
|
||||
public Set<ResourceRecord> getRecords(QuestionRecord questionRecord) {
|
||||
Set<ResourceRecord> records = new HashSet<ResourceRecord>(searchDomains.size());
|
||||
final String qName = questionRecord.getDomainName();
|
||||
for (String searchDomain : searchDomains) {
|
||||
if (qName.endsWith(searchDomain)) {
|
||||
continue;
|
||||
}
|
||||
final ResourceRecord rr = newARecord(qName + '.' + searchDomain,
|
||||
ipAddrPrefix + ThreadLocalRandom.current().nextInt(1, 10));
|
||||
logger.info("Adding A record: " + rr);
|
||||
records.add(rr);
|
||||
}
|
||||
return records;
|
||||
}
|
||||
});
|
||||
searchDomainServer.start();
|
||||
|
||||
final DnsNameResolver resolver = newResolver(false, null, searchDomainServer)
|
||||
.searchDomains(searchDomains)
|
||||
.build();
|
||||
|
||||
try {
|
||||
final List<InetAddress> addresses = resolver.resolveAll(unresolved).sync().get();
|
||||
assertThat(addresses, Matchers.<InetAddress>hasSize(greaterThan(0)));
|
||||
for (InetAddress address : addresses) {
|
||||
assertThat(address.getHostName(), startsWith(unresolved));
|
||||
assertThat(address.getHostAddress(), startsWith(ipAddrPrefix));
|
||||
}
|
||||
} finally {
|
||||
resolver.close();
|
||||
searchDomainServer.stop();
|
||||
}
|
||||
}
|
||||
|
||||
private void testNsLoopFailsResolve(AuthoritativeDnsServerCache authoritativeDnsServerCache) throws Exception {
|
||||
final String domain = "netty.io";
|
||||
final String ns1Name = "ns1." + domain;
|
||||
|
Loading…
Reference in New Issue
Block a user