customDNS resolver should return NOERROR instead of NXDOMAIN for existing domain mapping #235

Closed
bkupidura opened this issue Jul 21, 2021 · 5 comments
Labels
🐞 bug Something isn't working ❔ question Further information is requested

@bkupidura

When blocky is using the customDNS feature, it breaks Alpine 3.13.

config:

```
conditional:
  mapping:
    home: udp:10.0.120.1
customDNS:
  mapping:
    grafana.some.domain.tld: 10.0.10.42
```

```
bash-5.1# host grafana.some.domain.tld
grafana.some.domain.tld has address 10.0.10.42
Host grafana.some.domain.tld not found: 3(NXDOMAIN)
Host grafana.some.domain.tld not found: 3(NXDOMAIN)
bash-5.1# host esp-playroom.home
esp-playroom.home has address 10.0.150.44
bash-5.1#
bash-5.1# curl -v grafana.some.domain.tld
* Could not resolve host: grafana.some.domain.tld
bash-5.1# curl -v esp-playroom.home
*   Trying 10.0.150.44:80...
```

```
23:52:21.974699 IP 10.0.120.130.54306 > 10.0.10.40.53: 21810+ A? grafana.some.domain.tld. (35)
23:52:21.978492 IP 10.0.10.40.53 > 10.0.120.130.54306: 21810 1/0/0 A 10.0.10.42 (68)
23:52:22.003100 IP 10.0.120.130.62735 > 10.0.10.40.53: 60016+ AAAA? grafana.some.domain.tld. (35)
23:52:22.006357 IP 10.0.10.40.53 > 10.0.120.130.62735: 60016 NXDomain 0/0/0 (35)
23:52:22.006642 IP 10.0.120.130.57505 > 10.0.10.40.53: 30063+ MX? grafana.some.domain.tld. (35)
23:52:22.009969 IP 10.0.10.40.53 > 10.0.120.130.57505: 30063 NXDomain 0/0/0 (35)
23:53:05.736261 IP 10.0.120.130.56493 > 10.0.10.40.53: 19758+ A? esp-playroom.home. (35)
23:53:05.746503 IP 10.0.10.40.53 > 10.0.120.130.56493: 19758* 1/0/0 A 10.0.150.44 (68)
23:53:05.798267 IP 10.0.120.130.62464 > 10.0.10.40.53: 57972+ AAAA? esp-playroom.home. (35)
23:53:05.801473 IP 10.0.10.40.53 > 10.0.120.130.62464: 57972 0/0/0 (35)
23:53:05.801761 IP 10.0.120.130.62052 > 10.0.10.40.53: 35112+ MX? esp-playroom.home. (35)
23:53:05.804799 IP 10.0.10.40.53 > 10.0.120.130.62052: 35112 0/0/0 (35)
```

Looks like the new Alpine image is very strict about NXDOMAIN.

@0xERR0R
Owner

0xERR0R commented Jul 27, 2021

Hey,

By defining grafana.some.domain.tld: 10.0.10.42, you create only an A record for this domain -> it is correct that the MX query returns NXDomain.

The question is: why does Alpine try to get the MX record for a simple curl? I am not aware of the Alpine configuration, so I can't answer this question. Did you install blocky as an Alpine package (https://pkgs.alpinelinux.org/package/edge/testing/x86/blocky)?

@0xERR0R 0xERR0R added the ❔ question Further information is requested label Jul 27, 2021
@0xERR0R 0xERR0R modified the milestones: 0.15, 0.16 Jul 27, 2021
@bkupidura
Author

bkupidura commented Jul 27, 2021

Blocky is installed in k8s from spx01/blocky:v0.14. The host and curl commands are executed from an Alpine image also running on k8s.

When you run any command from Alpine Linux, it will ask for the A and AAAA records. If one of them is missing, you will get an unknown domain error.

```
[2021-07-27 22:32:37]  INFO query_logging_resolver: query resolved answer= client_ip=10.42.1.202 client_names=10.42.1.202 duration_ms=0 question=AAAA (grafana.some.domain.tld.) response_code=NXDOMAIN response_reason=CUSTOM DNS
[2021-07-27 22:32:37]  INFO query_logging_resolver: query resolved answer=A (10.0.10.42) client_ip=10.42.1.202 client_names=10.42.1.202 duration_ms=0 question=A (grafana.some.domain.tld.) response_code=NOERROR response_reason=CUSTOM DNS
```

```
bash-5.1# curl grafana.some.domain.tld
curl: (6) Could not resolve host: grafana.some.domain.tld
```

Other DNS servers (pihole, dnsmasq tested) are not returning NXDOMAIN. Please see the tcpdump from the previous comment.

Request for esp-playroom.home was forwarded by blocky to dnsmasq, which just returned 0/0/0 without NXDOMAIN for AAAA.

I believe that blocky should do exactly the same, and not return NXDOMAIN at all.

EDIT:
I checked when other servers are returning NXDOMAIN.

```
% dig -t AAAA nonexisting.amazon.com @1.1.1.1

; <<>> DiG 9.10.6 <<>> -t AAAA nonexisting.amazon.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3029
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;nonexisting.amazon.com.		IN	AAAA

;; AUTHORITY SECTION:
amazon.com.		28	IN	SOA	dns-external-master.amazon.com. root.amazon.com. 2010135319 180 60 3024000 60

;; Query time: 49 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Jul 27 23:29:45 CEST 2021
;; MSG SIZE  rcvd: 112
```

```
% dig -t AAAA amazon.com @1.1.1.1

; <<>> DiG 9.10.6 <<>> -t AAAA amazon.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44269
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;amazon.com.			IN	AAAA

;; AUTHORITY SECTION:
amazon.com.		8	IN	SOA	dns-external-master.amazon.com. root.amazon.com. 2010135319 180 60 3024000 60

;; Query time: 51 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Jul 27 23:29:49 CEST 2021
;; MSG SIZE  rcvd: 100
```

NXDOMAIN is returned only when the domain really doesn't exist (no SOA?). So if we are able to define an A record for customDNS, we should NOT return NXDOMAIN for AAAA (even if it doesn't exist).

@0xERR0R
Owner

0xERR0R commented Jul 29, 2021

Current implementation: if the domain is defined in the custom mapping -> return the IP; if not, ask the upstream DNS. What is the behavior if you define both IPv4 and IPv6 addresses for your custom domain? (see example: https://0xerr0r.github.io/blocky/configuration/#custom-dns)

@bkupidura
Author

If you have both AAAA and A defined, it will work. But the problem is with returning NXDOMAIN when this is not expected.
Removing https://github.com/0xERR0R/blocky/blob/development/resolver/custom_dns_resolver.go#L116 will solve the problem.

I was not able to find any DNS server which returns NXDOMAIN for a given record type when other records exist for the same domain name (e.g. A exists, and an AAAA or MX query returns NXDOMAIN).

@0xERR0R
Owner

0xERR0R commented Jul 30, 2021

Yes, it makes sense. NXDOMAIN should indicate that a domain name does not exist. If only an A record is defined, an AAAA query should return an empty result.

@0xERR0R 0xERR0R added the 🐞 bug Something isn't working label Jul 30, 2021
@0xERR0R 0xERR0R changed the title from "customDNS breaks alpine images" to "customDNS resolver should return NOERROR instead of NXDOMAIN for existing domain mapping" Jul 30, 2021
0xERR0R added a commit that referenced this issue Jul 30, 2021
@0xERR0R 0xERR0R closed this as completed Jul 30, 2021
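
The response-code decision this thread settles on, as an added Go example (not blocky's own code and not part of the original issue). `Resolve`, `Forward` and the `legacy` switch are hypothetical names; `legacy=true` models the reported behaviour and `legacy=false` the NOERROR/empty-answer (NODATA) behaviour, using a constructed mapping that mirrors the config in the report.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// DNS response codes (RFC 1035). Forward is a local marker, not an rcode.
const (
	NoError  = 0
	NXDomain = 3
	Forward  = -1 // name is not in the mapping: pass the query upstream
)

// Resolve answers qtype ("A", "AAAA", ...) for name from a custom mapping.
// legacy=true models the behaviour reported in this thread (NXDOMAIN when the
// name is mapped but has no record of the queried type); legacy=false returns
// NOERROR with an empty answer section (NODATA, RFC 2308) instead.
func Resolve(mapping map[string][]net.IP, name, qtype string, legacy bool) (int, []net.IP) {
	key := strings.ToLower(strings.TrimSuffix(name, "."))
	ips, mapped := mapping[key]
	if !mapped {
		return Forward, nil
	}
	var answers []net.IP
	for _, ip := range ips {
		isV4 := ip.To4() != nil
		if (qtype == "A" && isV4) || (qtype == "AAAA" && !isV4) {
			answers = append(answers, ip)
		}
	}
	if len(answers) == 0 && legacy {
		return NXDomain, nil
	}
	return NoError, answers
}

func main() {
	// Constructed mapping mirroring the customDNS config in the report.
	mapping := map[string][]net.IP{"grafana.some.domain.tld": {net.ParseIP("10.0.10.42")}}
	for _, legacy := range []bool{true, false} {
		for _, q := range []string{"A", "AAAA", "MX"} {
			rcode, ans := Resolve(mapping, "grafana.some.domain.tld.", q, legacy)
			fmt.Printf("legacy=%-5v %-4s rcode=%d answers=%v\n", legacy, q, rcode, ans)
		}
	}
}
```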