[GH-ISSUE #392] Feature: Recursion Compliance #138

Closed
opened 2026-02-26 04:34:09 +03:00 by kerem · 0 comments
Owner

Originally created by @mageddo on GitHub (Mar 22, 2023).
Original GitHub issue: https://github.com/mageddo/dns-proxy-server/issues/392

### Summary

As DPS is a DNS proxy, it actually supports recursion, but its DNS answers don't say so. Because of this, some DNS clients give up and try the next server, as a non-recursive DNS server isn't capable of resolving all internet names.

### Goals

To change DNS responses to set the flag to true when the client asks for recursion, so they won't give up and try the next one.

With this adjustment we can probably fix issues like #371.

### Evidence

The current answer looks like this:

```
$ dig -p 8053 postgres-11.docker @127.0.0.1

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> -p 8053 postgres-11.docker @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60170
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 81bbc2f58849c194 (bad)
;; QUESTION SECTION:
;postgres-11.docker.		IN	A

;; ANSWER SECTION:
postgres-11.docker.	30	IN	A	172.157.5.2

;; Query time: 0 msec
;; SERVER: 127.0.0.1#8053(127.0.0.1) (UDP)
;; WHEN: Tue Mar 21 21:28:22 -03 2023
;; MSG SIZE  rcvd: 75
```

But it is supposed to answer:

```
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
```

Another non-working sample: DPS is the first entry in resolv.conf, but because there is a second nameserver and DPS "doesn't support" recursion, it's bypassed even when it has the right answer.

```bash
$ cat /etc/resolv.conf
nameserver 172.17.0.4 #dps
nameserver 8.8.8.8
```

```bash
$ nslookup host.docker
;; Got recursion not available from 172.17.0.4, trying next server
Server:		8.8.8.8
Address:	8.8.8.8#53

** server can't find host.docker: NXDOMAIN
```

The right answer is returned when querying DPS directly:

```bash
$ nslookup host.docker 172.17.0.4
Server:		172.17.0.4
Address:	172.17.0.4#53

Non-authoritative answer:
Name:	host.docker
Address: 172.157.5.1
Name:	host.docker
Address: 172.157.5.1
```

Tested DPS version for the bad results: 3.15.0-snapshot

### References

I used the following references to understand what recursion is, as I didn't find this definition in the RFC.

```
$ man nslookup | grep norecurse -A1
  norecurse
  This keyword tells the name server to query other servers if it does not have the information. The default is recurse; the abbreviation for this keyword is [no]rec.
```
* https://dnsmadeeasyblog.medium.com/authoritative-vs-recursive-dns-servers-whats-the-difference-d0e5821c7617
* https://unix.stackexchange.com/questions/108383/why-do-dns-queries-fail-if-the-first-nameserver-is-not-recursive
* https://forums.opensuse.org/t/got-recursion-not-available-from-message-with-nslookup/28146/2
* https://www.cloudflare.com/learning/dns/what-is-recursive-dns/
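The flag difference between the two `dig` outputs in the issue, decoded from the DNS header and then corrected, as an added example (not code from the issue or from DPS). The function names and the sample header bytes are constructed for illustration; the sample carries only the 12-byte header, built from the id, flags and counts `dig` printed.

```python
import struct

# Bits of the 16-bit flags word in the DNS header (RFC 1035 section 4.1.1;
# AD and CD were added by DNSSEC, RFC 4035).
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
             "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into id, flag names, codes and counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, word, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    flags = [name for name, bit in FLAG_BITS.items() if word & bit]
    return {"id": ident, "flags": flags, "opcode": (word >> 11) & 0xF,
            "rcode": word & 0xF, "counts": (qd, an, ns, ar)}

def recursion_mismatch(msg: bytes) -> bool:
    """True for a response that echoes RD but leaves RA clear,
    the case dig reports as 'recursion requested but not available'."""
    flags = parse_header(msg)["flags"]
    return "qr" in flags and "rd" in flags and "ra" not in flags

def set_ra_if_requested(msg: bytes) -> bytes:
    """Return the response with RA set when the client asked for recursion."""
    if not recursion_mismatch(msg):
        return msg
    word = struct.unpack("!H", msg[2:4])[0] | FLAG_BITS["ra"]
    return msg[:2] + struct.pack("!H", word) + msg[4:]

# Constructed sample: id 60170, flags "qr rd ad" (0x8120),
# QUERY 1, ANSWER 1, AUTHORITY 0, ADDITIONAL 1. Message body omitted.
SAMPLE_RESPONSE = struct.pack("!6H", 60170, 0x8120, 1, 1, 0, 1)

if __name__ == "__main__":
    before = parse_header(SAMPLE_RESPONSE)
    print("before:", " ".join(before["flags"]), recursion_mismatch(SAMPLE_RESPONSE))
    fixed = set_ra_if_requested(SAMPLE_RESPONSE)
    print("after: ", " ".join(parse_header(fixed)["flags"]), recursion_mismatch(fixed))
```
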
kerem 2026-02-26 04:34:09 +03:00
  • closed this issue
  • added the feature label