[GH-ISSUE #2249] TokioAsyncResolver fails with ResolveError { kind: Proto(ProtoError { kind: Io(Kind(ConnectionRefused)) }) } #935

Closed
opened 2026-03-16 01:01:29 +03:00 by kerem · 3 comments

Originally created by @zsdsys on GitHub (Jun 19, 2024).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2249

Describe the bug
TokioAsyncResolver configured with tls defaults fails with error ConnectionRefused

To Reproduce

```
use hickory_resolver::{ *, config::*, name_server::TokioConnectionProvider };

#[tokio::main]
async fn main() {
    let async_resolver = TokioAsyncResolver::new(
        ResolverConfig::cloudflare_tls(),
        ResolverOpts::default(),
        TokioConnectionProvider::default()
    );

    let resolved = async_resolver.lookup_ip("www.cloudflare.com").await.unwrap();
    println!("{:?}", resolved);
}
```

Expected behavior
expected to resolve names via dns-over-rustls

System:

  • OS: ubuntu
  • Architecture: x86_64
  • Version 22.04
  • rustc version: 1.79.0 (129f3b996 2024-06-10)

Version:
Crate: hickory-resolver
Version: { version = "0.24.1", features = ["dns-over-rustls"] }

Additional context
using the same code above with ResolverConfig::cloudflare() works as expected (but not secure of course).

I was also able to debug and it is indeed failing:
2024-06-19 14:06:04.239162 DEBUG hickory_proto::xfer::dns_exchange stream errored while connecting error=io error: tls error: invalid peer certificate: UnknownIssuer

I also attempted to set_tls_client_config with

```
let mut root_store = RootCertStore::empty();

root_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());

let config = rustls::ClientConfig
    ::builder()
    .with_root_certificates(root_store)
    .with_no_client_auth();

let mut resolver_config = ResolverConfig::cloudflare_tls();
resolver_config.set_tls_client_config(Arc::new(config)); // <-- fails
```

but that fails as a rustls::ClientConfig is not a rustls::client::client_conn::ClientConfig and that is now private/inaccessible with newer rustls

kerem closed this issue 2026-03-16 01:01:35 +03:00

@cpu commented on GitHub (Jun 19, 2024):

> Version: { version = "0.24.1", features = ["dns-over-rustls"] }

I suspect you're hitting this issue described in https://github.com/hickory-dns/hickory-dns/issues/2066 and clarified by https://github.com/hickory-dns/hickory-dns/pull/2179 and https://github.com/hickory-dns/hickory-dns/pull/2181 (in the pre-release version only). Try adding the `webpki-roots` feature in addition to `dns-over-rustls`.

> but that fails as a rustls::ClientConfig is not a rustls::client::client_conn::ClientConfig and that is now private/inaccessible with newer rustls

This smells like trying to use a different major version of Rustls than what Hickory-DNS 0.24.1 is using. The error message is confusing, but you shouldn't need to access any private/inaccessible types to resolve this.


@zsdsys commented on GitHub (Jun 19, 2024):

fascinating issue, adding the feature webpki-roots works (I already had that crate for other purposes so did not realize that feature)

I am using rustls rustls = { version = "0.23", default-features = false, features = ["ring","std",] }
the issue of rustls::client::client_conn being changed to private has been a real PITA as a lot of code samples I come across


@cpu commented on GitHub (Jun 19, 2024):

> (I already had that crate for other purposes so did not realize that feature)

The requirement should be clearer once the fix from https://github.com/hickory-dns/hickory-dns/pull/2179 makes it into a finalized release 🤞

> I am using rustls rustls = { version = "0.23", default-features = false, features = ["ring","std",] }

That would indeed be the problem. hickory-dns 0.24.1 uses rustls 0.21: https://github.com/hickory-dns/hickory-dns/blob/e56a18ee241edf9c8a4ee17508cfc727617ffbb9/Cargo.toml#L64 You would need to do the same for the `ClientConfig` to be compatible.

Edit: You can follow https://github.com/hickory-dns/hickory-dns/pull/2217 for the 0.23 update progress.
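
The `ClientConfig` type mismatch diagnosed above arises when one dependency graph contains two semver-incompatible `rustls` versions. As an added example (not part of the original thread and not Hickory DNS code), this std-only Rust program scans lock-file text for crates locked at more than one incompatible version; the lock excerpt and all function names are constructed for illustration.

```rust
use std::collections::{BTreeMap, BTreeSet};
// Constructed Cargo.lock excerpt for illustration (not taken from the issue).
const SAMPLE_LOCK: &str = r#"version = 3
[[package]]
name = "hickory-resolver"
version = "0.24.1"
[[package]]
name = "rustls"
version = "0.21.12"
[[package]]
name = "rustls"
version = "0.23.10"
"#;

/// Cargo's compatibility bucket: 0.21.x and 0.23.x differ, 1.2 and 1.9 do not.
fn compat_key(version: &str) -> String {
    let core = version.split(|c: char| c == '+' || c == '-').next().unwrap_or(version);
    let parts: Vec<&str> = core.split('.').collect();
    match parts.as_slice() {
        ["0", "0", patch, ..] => format!("0.0.{}", patch),
        ["0", minor, ..] => format!("0.{}", minor),
        _ => parts[0].to_string(),
    }
}
/// Extracts the value of a `key = "value"` line, if the line has that key.
fn quoted(line: &str, key: &str) -> Option<String> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"').to_string())
}

/// Crates locked at more than one semver-incompatible version, with those versions.
fn incompatible_duplicates(lock: &str) -> BTreeMap<String, BTreeSet<String>> {
    let mut seen: BTreeMap<String, BTreeMap<String, String>> = BTreeMap::new();
    let mut name = None;
    for line in lock.lines() {
        if let Some(n) = quoted(line, "name") {
            name = Some(n);
        } else if let (Some(v), Some(n)) = (quoted(line, "version"), name.clone()) {
            seen.entry(n).or_default().insert(compat_key(&v), v);
        }
    }
    seen.into_iter()
        .filter(|(_, by_key)| by_key.len() > 1)
        .map(|(n, by_key)| (n, by_key.into_values().collect()))
        .collect()
}

fn main() {
    println!("{:?}", incompatible_duplicates(SAMPLE_LOCK));
}
```

A crate reported here exposes distinct types per version, so a value built against one version cannot be passed to an API compiled against the other.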
