mirror of
https://github.com/hickory-dns/hickory-dns.git
synced 2026-04-25 03:05:51 +03:00
[GH-ISSUE #2730] Question: allow response from different nameserver #1052
Labels
No labels
blocked
breaking-change
bug
bug:critical
bug:tests
cleanup
compliance
compliance
compliance
crate:all
crate:client
crate:native-tls
crate:proto
crate:recursor
crate:resolver
crate:resolver
crate:rustls
crate:server
crate:util
dependencies
docs
duplicate
easy
easy
enhance
enhance
enhance
feature:dns-over-https
feature:dns-over-quic
feature:dns-over-tls
feature:dnsssec
feature:global_lb
feature:mdns
feature:tsig
features:edns
has workaround
ops
perf
platform:WASM
platform:android
platform:fuchsia
platform:linux
platform:macos
platform:windows
pull-request
question
test
tools
tools
trust
unclear
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
starred/hickory-dns#1052
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @JuxhinDB on GitHub (Jan 19, 2025).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2730
What is the question?
Thanks for this project! We're using
hickory-dnsto power the name resolution for Have I Been Squatted. We have many instances where we hit google nameservers on 8.8.8.8:53 and receive responses from 8.8.4.4:53, which results in warnings such as:The warning is deep in the library, so I'm not sure how feasible it is to pass some context to allow bypassing this check.
github.com/hickory-dns/hickory-dns@0b88f271c4/crates/proto/src/udp/udp_client_stream.rs (L304-L312)Happy to get some input on it, and if so will try to open a PR to resolve it.
@bluejekyll commented on GitHub (Jan 19, 2025):
huh, I've never seen google respond from a different IP than the original request. Is this causing resolution failures?
@djc commented on GitHub (Jan 20, 2025):
Would be good to find some documentation from Google on this behavior -- it seems quite surprising.
What version are you using? Please make sure to test this against current main or the latest 0.25.0-alpha.4.
@JuxhinDB commented on GitHub (Jan 24, 2025):
Right, apologies folks for the late reply. Added some traces surrounding the lookup and it is seems to only occur when we get an
NXDOMAIN(i.e., non-existent).This is quite a common use-case for us (in fact one of the features). I'll try to find some time to add more introspection into hickory to see if I can narrow it down further, as I'd like to correlate exactly queries are failing.
@bluejekyll commented on GitHub (Mar 2, 2025):
I'm not sure what to do with this. I really don't like the idea of supporting responses from different upstream servers, that could increase the chances of spoofed responses being accepted. Could this be a bug at Google? If not, I'd like to see something that supports changing the way that we trust responses in cases like this...
@JuxhinDB commented on GitHub (Mar 3, 2025):
Apologies I haven't followed up from my end. Will try to make some time this evening and see if I can recreate a minimal test-bed. As for the behaviour, I agree. And to clarify this is only occurring with 8.8.8.8/8.8.4.4.
@Undef-a commented on GitHub (Jun 8, 2025):
I've also seen this log, but in my case between 8.8.8.8 and 1.1.1.1 as well as local resolvers. The key factor seems to be having multiple DNS servers enabled at once in /etc/resolv.conf and pulling hickory-resolver using
read_system_conf().@djc commented on GitHub (Jun 12, 2025):
@Undef-a if you have a way to (somewhat) reliably reproduce this, would be great!
@Undef-a commented on GitHub (Jun 14, 2025):
It's not simple and I'd say it's somewhat more than reliable, but the following code reproduces this for me maybe 2-3 runs out of 10.
The key bits are commented in the file:
Sorry it's not a minimal example, I started with just the first point above and kept adding until the bug triggered.
https://gist.github.com/Undef-a/3d76ca30d97944b81258635e1281340e
Output:
@djc commented on GitHub (Jun 14, 2025):
Can you post the debug dump of both your
sconfandsystem_opts?I whittled your example down to this:
to try to make it independent of any system configuration, but on my macOS machine I could not reproduce the "ignoring response" message so far (after 5 runs).
@Undef-a commented on GitHub (Jun 24, 2025):
In my experience with the real application I'd see this issue in NOERROR A responses, targeting another domain, especially one with wildcard DNS may help.
(I replied via email a week ago but it never went through. Sorry for the delay)
@ibigbug commented on GitHub (Jul 14, 2025):
Having similar issue here but it's about v6 and mapped v4 address, apparently hickory-proto things they are different addresses and refused the response(?)
@djc commented on GitHub (Aug 13, 2025):
That seems unrelated, please file a separate issue for it -- or better a PR, since this seems straightforward to solve?
@ibigbug commented on GitHub (Aug 15, 2025):
@djc sure https://github.com/hickory-dns/hickory-dns/pull/3207