Client side debugging · 2019-05-13 · Client side debugging Lowering DNS resolver support costs...
Client side debugging
Lowering DNS resolver support costs
Petr Špaček • [email protected] • 2019-05-10
Motivation
Unable to connect
Firefox can’t establish a connection to the server attest.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
Try Again
Motivation – support for Turris routers
Have you tried turning it off and back on again?
NOTIFICATIONS
DNS
Router Turris uses its own DNS resolver with DNSSEC support. It is capable of working independently or it can forward your DNS queries to your internet service provider's DNS resolver.
Connection test
Here you can test your internet connection. This test is also useful when you need to check that your DNS resolving works as expected. Remember to click on the Save button if you changed your forwarder setting.
Test type Status
DNS
DNSSEC
Use forwarding
DNS Forwarder
Disable DNSSEC
Enable DHCP clients in DNS
Use provider's DNS resolver
Discard changes
Save
Test connection
http://192.168.3.1/foris/config/main/dns/
5/7/19, 2:39 PM
Checkbox states in the screenshot: ☒ ☒ □
It still doesn’t work ...
● PEBKAC – www.google.cpm
● Client software – DoH!
● Network client – resolver
● Resolver – configuration
● Resolver – software bug
● Network resolver – resolver (forwarding)
● Network resolver – authoritative server
● Authoritative server
With automation (hopefully)
Automating diagnostics
● Inspiration – RFC 8027
● DNSSEC Roadblock Avoidance
● Taken a couple of steps further
● Idea – Auth server with static data
● Direct IP query – network test
● Forwarder – resolution chain
● Local resolver – local configuration
Implementation
● 3 DNS zones with constant data
● test.knot-resolver.cz
● nsec.test.knot-resolver.cz
● nsec3.test.knot-resolver.cz
● Hosted on CZ anycast
● Checker in Python
● https://gitlab.labs.nic.cz/knot/deckard/
● tools/network_check.py
● tools/forwarder_check.py
Test zone content
test.knot-resolver.cz. 3600 TXT "Davku ve me o pln uvitani ..."
weird-type.test.knot-resolver.cz. TYPE20025 \# 4 DEADBEEF
unsigned.nsec3.test.knot-resolver.cz. NS blackhole-1.iana.org.
*.wild.nsec3.test.knot-resolver.cz. A 217.31.192.130
*.wildc.nsec3.test.knot-resolver.cz. CNAME target.wild.nsec3.test. ...
knot-resolver.cz.
tools/network_check.py
● Direct query – network hijack?
(diagram: a.ns.nic.cz)
$ dig @192.0.2.1 . NS
tools/forwarder_check.py
● Asking forwarders from DHCP
● Resolution chain?
(diagram: a.ns.nic.cz, forwarder, ???)
tools/forwarder_check.py
● Asking resolver on the router
● Local config?
(diagram: a.ns.nic.cz, forwarder, ???)
Forwarder checks
● delegation_from_nsec3_to_unsigned_zone
● delegation_from_nsec_to_unsigned_zone
● negative_nsec3_answers
● negative_nsec_answers
● nonexistent_delegation_from_nsec
● nonexistent_delegation_from_nsec3
● nonexistent_type_nsec
● nonexistent_type_nsec3
Forwarder checks
● returns_RRSIG
● supports_CD
● supports_DNSKEY
● supports_DO
● supports_DS
● supports_EDNS0
● supports_simple_answers
● unknown_rrtype
● zone_version
CLI
$ python3 -m pytest -vv forwarder_check.py --forwarder 172.20.20.53
============================= test session starts ===========
collecting ... collected 33 items
forwarder_check.py::test_zone_version[172.20.20.53] PASSED
forwarder_check.py::test_supports_simple_answers[172.20.20.53-True] PASSED
forwarder_check.py::test_supports_simple_answers[172.20.20.53-False] PASSED
forwarder_check.py::test_supports_EDNS0[172.20.20.53-True] PASSED
forwarder_check.py::test_supports_EDNS0[172.20.20.53-False] PASSED
forwarder_check.py::test_supports_DO[172.20.20.53-True] PASSED
forwarder_check.py::test_supports_DO[172.20.20.53-False] PASSED
forwarder_check.py::test_supports_CD[172.20.20.53-True] PASSED
forwarder_check.py::test_supports_CD[172.20.20.53-False] PASSED
forwarder_check.py::test_returns_RRSIG[172.20.20.53-True] PASSED
forwarder_check.py::test_returns_RRSIG[172.20.20.53-False] PASSED
...
forwarder_check.py::test_nonexistent_type_nsec3[172.20.20.53-False] PASSED
forwarder_check.py::test_nonexistent_type_nsec[172.20.20.53-True] PASSED
forwarder_check.py::test_nonexistent_type_nsec[172.20.20.53-False] PASSED
========================== 33 passed in 0.28 seconds ================
CLI
$ python3 -m pytest -vv forwarder_check.py --forwarder 217.31.204.130
forwarder_check.py::test_supports_simple_answers[217.31.204.130-True] FAILED
______________ test_supports_simple_answers[217.31.204.130-False] ___________
forwarder = IPv4Address('217.31.204.130'), tcp = False
exp = 'NOERROR', got = 'SERVFAIL'
Got answer:
rcode SERVFAIL
flags QR RD RA
;QUESTION
good-a.test.knot-resolver.cz. IN A
;ANSWER
;AUTHORITY
;ADDITIONAL
Matching: {'rcode', 'qtype', 'flags', 'opcode', 'qname', 'answer'}
rcode NOERROR
flags QR RD RA
;QUESTION
good-a.test.knot-resolver.cz. IN A
;ANSWER
good-a.test.knot-resolver.cz. 3600 IN A 217.31.192.130
;AUTHORITY
;ADDITIONAL
Output for scripts (py.test)
<testsuite errors="0" failures="25" name="pytest" skipped="0" tests="33" time="0.795">
  <testcase classname="tools.forwarder_check" file="tools/forwarder_check.py" line="26" name="test_zone_version[217.31.204.130]" time="0.034">
    <failure message="pydnstest.matchpart.DataMismatch: expected &quot;_version.test.knot-resolver.cz. 3600 IN TXT &quot;1&quot;&quot; got &quot;&quot;">...</failure>
    <system-out>...</system-out>
  </testcase>
  <testcase classname="tools.forwarder_check" file="tools/forwarder_check.py" line="46" name="test_supports_simple_answers[217.31.204.130-True]" time="0.009">...</testcase>
  <testcase classname="tools.forwarder_check" file="tools/forwarder_check.py" line="46" name="test_supports_simple_answers[217.31.204.130-False]" time="0.003">...</testcase>
  <testcase classname="tools.forwarder_check" file="tools/forwarder_check.py" line="58" name="test_supports_EDNS0[217.31.204.130-True]" time="0.005"/>
  <testcase classname="tools.forwarder_check" file="tools/forwarder_check.py" line="58" name="test_supports_EDNS0[217.31.204.130-False]" time="0.003"/>
  <testcase classname="tools.forwarder_check" file="tools/forwarder_check.py" line="68" name="test_supports_DO[217.31.204.130-True]" time="0.014"/>
  <testcase classname="tools.forwarder_check" file="tools/forwarder_check.py" line="68" name="test_supports_DO[217.31.204.130-False]" time="0.003"/>
  <testcase classname="tools.forwarder_check" file="tools/forwarder_check.py" line="79" name="test_supports_CD[217.31.204.130-True]" time="0.005"/>
  <testcase classname="tools.forwarder_check" file="tools/forwarder_check.py" line="79" name="test_supports_CD[217.31.204.130-False]" time="0.005"/>
  <testcase classname="tools.forwarder_check" file="tools/forwarder_check.py" line="103" name="test_returns_RRSIG[217.31.204.130-True]" time="0.005">...</testcase>
  ...
Web UI for expert users
Difficulties – level 1
● Resolvers answer differently
● NOERROR AUTHORITY
● AA
● ...
● Ignore differences => pydnstest/matchpart.py
● UDP vs. TCP
● IPv4 vs. IPv6
● Many tests => parallelization
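The forwarder checks above (test_supports_simple_answers, the SERVFAIL mismatch shown in the CLI output, unknown_rrtype) and the "resolvers answer differently, so compare only selected parts" point both come down to the same mechanics: send a query for a record with constant content, decode the reply at wire level, and compare only the fields that must agree. The following is an added example, not code from the talk or from Deckard: it builds and parses DNS messages with the standard library, compares only a chosen field set (AA and AD are treated as legitimate differences, an assumption), parses RFC 3597 generic RDATA as used for weird-type, and runs against constructed replies (not captured traffic) so that it works offline. Zone data mirrors the slides.

```python
"""Wire-level forwarder check in the spirit of tools/forwarder_check.py.
Added example, not Deckard's own code: the packets below are constructed,
the ignored-flag set is an assumption and the zone data mirrors the slides."""
import struct

FLAG_BITS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100,
             "RA": 0x0080, "AD": 0x0020, "CD": 0x0010}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
TYPE_A, TYPE_NS, TYPE_OPT = 1, 2, 41
QNAME = "good-a.test.knot-resolver.cz."
EXPECTED_A = bytes([217, 31, 192, 130])   # constant A record from the test zone
IGNORED_FLAGS = {"AA", "AD"}              # assumption: legitimate resolver-to-resolver differences

def encode_name(name):
    """Presentation-format name -> uncompressed wire format."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                     # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", (end if end is not None else off)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def build_message(qid, flags, rcode, qname, qtype, answer=(), authority=(), edns_do=None):
    """Assemble a message; RRs are (name, type, class, ttl, rdata). edns_do=None: no OPT RR."""
    additional = []
    if edns_do is not None:   # OPT pseudo-RR: class carries the UDP size, TTL high bit is DO
        additional.append((".", TYPE_OPT, 1232, 0x8000 if edns_do else 0, b""))
    msg = struct.pack("!HHHHHH", qid, flags | (rcode & 0xF), 1, len(answer), len(authority), len(additional))
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, rclass, ttl, rdata in (*answer, *authority, *additional):
        msg += encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return msg

def parse_message(msg):
    """Decode header, question and the three RR sections into a comparable dict."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    out = {"rcode": RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
           "flags": {n for n, b in FLAG_BITS.items() if flags & b}, "qname": None,
           "qtype": None, "answer": [], "authority": [], "additional": [], "edns": None}
    off = 12
    for _ in range(qd):            # some SERVFAIL replies carry no question section at all
        out["qname"], off = decode_name(msg, off)
        out["qtype"] = struct.unpack_from("!H", msg, off)[0]
        off += 4
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            rdata = msg[off + 10:off + 10 + rdlen]
            off += 10 + rdlen
            if rtype == TYPE_OPT:
                out["edns"] = {"udp_size": rclass, "DO": bool(ttl & 0x8000)}
            else:
                out[sec].append((name, rtype, ttl, rdata))
    return out

def parse_generic_rdata(text):
    """RFC 3597 '\\# <len> <hex>' syntax, as in weird-type TYPE20025 \\# 4 DEADBEEF."""
    marker, length, *hexwords = text.split()
    data = bytes.fromhex("".join(hexwords))
    if marker != r"\#" or len(data) != int(length):
        raise ValueError("malformed generic RDATA: %r" % text)
    return data

def match(expected, got, fields=("rcode", "flags", "qname", "qtype", "answer")):
    """Compare only the selected parts, like Deckard's matchpart; return the mismatches."""
    problems = []
    for f in fields:
        e, g = expected[f], got[f]
        if f == "flags":
            e, g = e - IGNORED_FLAGS, g - IGNORED_FLAGS
        elif isinstance(e, list):
            e, g = sorted(e), sorted(g)
        if e != g:
            problems.append("%s: expected %r got %r" % (f, e, g))
    return problems

EXPECTED = parse_message(build_message(0, 0x8180, 0, QNAME, TYPE_A, answer=[(QNAME, TYPE_A, 1, 3600, EXPECTED_A)]))

def check_simple_answer(reply):
    """Counterpart of test_supports_simple_answers: reply bytes -> list of mismatches."""
    return match(EXPECTED, parse_message(reply))

# Constructed replies, not captured traffic. 0x8180 = QR RD RA; 0x8580 adds AA.
GOOD = build_message(0x1234, 0x8180, 0, QNAME, TYPE_A, answer=[(QNAME, TYPE_A, 1, 3600, EXPECTED_A)], edns_do=True)
GOOD_AA = build_message(0x1234, 0x8580, 0, QNAME, TYPE_A, answer=[(QNAME, TYPE_A, 1, 3600, EXPECTED_A)],
                        authority=[("test.knot-resolver.cz.", TYPE_NS, 1, 3600, encode_name("a.ns.nic.cz."))])
BROKEN = build_message(0x1234, 0x8180, 2, QNAME, TYPE_A)   # SERVFAIL with empty sections, as on the slide
HIJACK = build_message(0x1234, 0x8180, 0, QNAME, TYPE_A, answer=[(QNAME, TYPE_A, 1, 60, bytes([10, 0, 0, 1]))])
```

GOOD and GOOD_AA both pass because the AA flag and the AUTHORITY section are outside the compared field set; BROKEN reproduces the SERVFAIL mismatch from the CLI output, and HIJACK (a reply with a different address) fails only on the answer field. To run the same check against a real forwarder, send build_message(qid, 0x0100, 0, QNAME, TYPE_A, edns_do=True) as a UDP datagram to port 53 (add 0x0010 to the flags for CD) and hand the reply bytes to check_simple_answer.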
Difficulties – level 2
● Packet size >= ?
● Probabilistic issues
● Some query types (TYPE???)
● Some query names
● ...
Next step
NOTIFICATIONS
DNS
Router Turris uses its own DNS resolver with DNSSEC support. It is capable of working independently or it can forward your DNS queries to your internet service provider's DNS resolver.
Connection test
Here you can test your internet connection. This test is also useful when you need to check that your DNS resolving works as expected. Remember to click on the Save button if you changed your forwarder setting.
Test type Status
DNS
DNSSEC
Use forwarding
DNS Forwarder
Disable DNSSEC
Enable DHCP clients in DNS
(hint: your network does not work properly with forwarding)
Use provider's DNS resolver
Discard changes
Save
Test connection
http://192.168.3.1/foris/config/main/dns/
5/7/19, 4:32 PM
Checkbox states in the screenshot: ☒ □ □
Try it, comment ...
● $ git clone https://gitlab.labs.nic.cz/knot/deckard/
● $ pip install --user -r deckard/requirements.txt
● $ cd deckard/tools
● $ py.test network_check.py --html=report.html
● $ py.test forwarder_check.py --forwarder=1.1.1.1 --html=report.html
● https://gitlab.labs.nic.cz/knot/deckard/issues/new