DNSDist 1.8 crashes on DoH Query #12975

Closed
awlx opened this issue Jul 3, 2023 · 19 comments · Fixed by #12976

awlx commented Jul 3, 2023

  • Program: dnsdist
  • Issue type: Bug report

Short description

As soon as a DoH query is received DNSdist crashes

Environment

  • Operating system: Ubuntu 22.04
  • Software version: dnsdist 1.8.0 (Lua 5.1.4 [LuaJIT 2.1.0-beta3])
    Enabled features: cdb dns-over-tls(gnutls openssl) dns-over-https(DOH) dnscrypt ebpf fstrm ipcipher libeditr libsodium lmdb outgoing-dns-over-https(nghttp2) protobuf re2 recvmmsg/sendmmsg snmp systemd
  • Software source: Repo

Steps to reproduce

kdig @10.8.0.39 +https +https-get +tls-sni=doh.ffmuc.net delivery.mailspamprotection.com A -4

Expected behaviour

Don't crash

Actual behaviour

Crashes

Jul 03 11:47:56 webfrontend05 dnsdist[289407]: terminate called after throwing an instance of 'std::runtime_error'
Jul 03 11:47:56 webfrontend05 dnsdist[289407]:   what():  DOH thread failed to launch: map::at
Jul 03 11:47:56 webfrontend05 systemd[1]: dnsdist.service: Main process exited, code=killed, status=6/ABRT
Jul 03 11:47:56 webfrontend05 systemd[1]: dnsdist.service: Failed with result 'signal'.
Jul 03 11:47:59 webfrontend05 systemd[1]: dnsdist.service: Scheduled restart job, restart counter is at 142.

Other information

Habbie (Member) commented Jul 3, 2023

Can you post your configuration and full startup log?

awlx (Author) commented Jul 3, 2023

Startup log:

Jul 03 11:47:59 webfrontend05 systemd[1]: Starting DNS Loadbalancer...
Jul 03 11:47:59 webfrontend05 dnsdist[291441]: No certificate provided for DoH endpoint 127.0.0.1:445, running in DNS over HTTP mode instead of DNS over HTTPS
Jul 03 11:47:59 webfrontend05 dnsdist[291441]: No certificate provided for DoH endpoint 127.0.0.1:445, running in DNS over HTTP mode instead of DNS over HTTPS
Jul 03 11:47:59 webfrontend05 dnsdist[291441]: No certificate provided for DoH endpoint [::1]:445, running in DNS over HTTP mode instead of DNS over HTTPS
Jul 03 11:47:59 webfrontend05 dnsdist[291441]: Generate new DNSCrypt keys.
Jul 03 11:47:59 webfrontend05 dnsdist[291441]: No certificate provided for DoH endpoint [::1]:445, running in DNS over HTTP mode instead of DNS over HTTPS
Jul 03 11:47:59 webfrontend05 dnsdist[291441]: Generate new DNSCrypt keys.
Jul 03 11:47:59 webfrontend05 dnsdist[291441]: Passing a plain-text password via the 'password' parameter to 'setWebserverConfig()' is not advised, please consider generating a hashed one using 'hashPassword()' instead.
Jul 03 11:47:59 webfrontend05 dnsdist[291441]: Passing a plain-text API key via the 'apiKey' parameter to 'setWebserverConfig()' is not advised, please consider generating a hashed one using 'hashPassword()' instead.
Jul 03 11:47:59 webfrontend05 dnsdist[291441]: Passing a plain-text password via the 'password' parameter to 'setWebserverConfig()' is not advised, please consider generating a hashed one using 'hashPassword()' instead.
Jul 03 11:47:59 webfrontend05 dnsdist[291441]: Passing a plain-text API key via the 'apiKey' parameter to 'setWebserverConfig()' is not advised, please consider generating a hashed one using 'hashPassword()' instead.
Jul 03 11:47:59 webfrontend05 dnsdist[291441]: Configuration '/etc/dnsdist/dnsdist.conf' OK!
Jul 03 11:47:59 webfrontend05 dnsdist[291441]: Configuration '/etc/dnsdist/dnsdist.conf' OK!
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: dnsdist 1.8.0 comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: No certificate provided for DoH endpoint 127.0.0.1:445, running in DNS over HTTP mode instead of DNS over HTTPS
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: No certificate provided for DoH endpoint [::1]:445, running in DNS over HTTP mode instead of DNS over HTTPS
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Added downstream server 10.8.0.39:1653
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Added downstream server 10.8.0.40:1653
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Added downstream server 10.8.0.38:1653
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Added downstream server 10.8.0.13:1653
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Added downstream server 127.0.0.1:553
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Added downstream server 89.163.140.67:53
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Error connecting to new server with address [2001:4ba0:ffa4:1ce::]:53: connecting socket to [2001:4ba0:ffa4:1ce::]:53: Network is unreachable
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Added downstream server [2001:4ba0:ffa4:1ce::]:53
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Added downstream server 88.198.92.222:53
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Error connecting to new server with address [2a01:4f8:1c0c:82c0::1]:53: connecting socket to [2a01:4f8:1c0c:82c0::1]:53: Network is unreachable
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Added downstream server [2a01:4f8:1c0c:82c0::1]:53
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Passing a plain-text password via the 'password' parameter to 'setWebserverConfig()' is not advised, please consider generating a hashed one using 'hashPassword()' instead.
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Passing a plain-text API key via the 'apiKey' parameter to 'setWebserverConfig()' is not advised, please consider generating a hashed one using 'hashPassword()' instead.
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Listening on 0.0.0.0:53
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Listening on [::]:53
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Listening on 0.0.0.0:853 for TLS
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Listening on [::]:853 for TLS
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Listening on 127.0.0.1:445 for DoH
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Listening on [::1]:445 for DoH
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Listening on 0.0.0.0:8443 for DNSCrypt
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Listening on [::]:8443 for DNSCrypt
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: ACL allowing queries from: 0.0.0.0/0, ::/0
Jul 03 11:47:59 webfrontend05 dnsdist[291442]: Console ACL allowing connections from: 127.0.0.0/8, ::1/128
Jul 03 11:48:00 webfrontend05 dnsdist[291442]: Webserver launched on 127.0.0.1:8083
Jul 03 11:48:00 webfrontend05 dnsdist[291442]: Accepting control connections on 127.0.0.1:5199
Jul 03 11:48:00 webfrontend05 dnsdist[291442]: Marking downstream v6.ns22.de.opennic ([2001:4ba0:ffa4:1ce::]:53) as 'down'
Jul 03 11:48:00 webfrontend05 dnsdist[291442]: Marking downstream v6.ns25.opennic ([2a01:4f8:1c0c:82c0::1]:53) as 'down'
Jul 03 11:48:00 webfrontend05 dnsdist[291442]: Marking downstream web05 (10.8.0.39:1653) as 'up'
Jul 03 11:48:00 webfrontend05 dnsdist[291442]: Marking downstream local-auth (127.0.0.1:553) as 'up'
Jul 03 11:48:00 webfrontend05 dnsdist[291442]: Marking downstream web06 (10.8.0.40:1653) as 'up'
Jul 03 11:48:00 webfrontend05 dnsdist[291442]: Marking downstream gw06 (10.8.0.38:1653) as 'up'
Jul 03 11:48:00 webfrontend05 dnsdist[291442]: Marking downstream gw07 (10.8.0.13:1653) as 'up'
Jul 03 11:48:00 webfrontend05 dnsdist[291442]: Marking downstream v4.ns22.de.opennic (89.163.140.67:53) as 'up'
Jul 03 11:48:00 webfrontend05 dnsdist[291442]: Marking downstream v4.ns25.opennic (88.198.92.222:53) as 'up'
Jul 03 11:48:00 webfrontend05 systemd[1]: Started DNS Loadbalancer.
Jul 03 11:48:00 webfrontend05 dnsdist[291442]: Polled security status of version 1.8.0 at startup, no known issues reported: OK

awlx (Author) commented Jul 3, 2023

Config:

-- functions to be used later 
function file_exists(name)
   local f=io.open(name,"r")  
   if f~=nil then io.close(f) return true else return false end
end

--- now the real config

setACL({'0.0.0.0/0', '::/0'}) 
-- respond to ANY queries sent over UDP with the TC bit set, shunting to TCP.
addAction(AndRule({QTypeRule(DNSQType.ANY), TCPRule(false)}), TCAction(), {name="Shunt-ANY-to-TCP"})
addAction(RegexRule(".*\\.(10|168\\.192|(1[6-9]|2[0-9]|3[0-1])\\.172)\\.in-addr\\.arpa$"), RCodeAction(DNSRCode.NXDOMAIN), {name="RFC1918-PTR-NXDOMAIN"})

addLocal("0.0.0.0")
addLocal("::")
ssl_cert="/etc/letsencrypt/live/ffmuc.net/fullchain.pem"
ssl_key="/etc/letsencrypt/live/ffmuc.net/privkey.pem"

-- listen for DoT on external interface
addTLSLocal("0.0.0.0", ssl_cert, ssl_key, { reusePort=true, tcpFastOpenQueueSize=20, minTLSVersion="tls1.1" })
addTLSLocal("[::]", ssl_cert, ssl_key, { reusePort=true, tcpFastOpenQueueSize=20, minTLSVersion="tls1.1" })

-- listen for DoH on localhost for reverse proxy
addDOHLocal("127.0.0.1:445", nil, nil, "/dns-query", { reusePort=true, trustForwardedForHeader=true })
addDOHLocal("[::1]:445", nil, nil, "/dns-query", { reusePort=true, trustForwardedForHeader=true })

if not file_exists("/var/lib/dnsdist/providerPrivate.key") then
  infolog("Generate DNSCrypt provider keys.")
  generateDNSCryptProviderKeys("/var/lib/dnsdist/providerPublic.cert", "/var/lib/dnsdist/providerPrivate.key")
end

if not file_exists("/run/dnsdist/resolver.cert") then
  -- this should be recreated regularly => store in /run/dnsdist which gets cleaned at every restart
  infolog("Generate new DNSCrypt keys.")
  generateDNSCryptCertificate("/var/lib/dnsdist/providerPrivate.key", "/run/dnsdist/resolver.cert", "/run/dnsdist/resolver.key", os.date('%Y%m%d', os.time()), os.time(os.date("!*t")), os.time({year=2025, 
month=2, day=1, hour=00, minute=00}))
end
-- listen for DNSCrypt
addDNSCryptBind("0.0.0.0:8443", "2.dnscrypt-cert.ffmuc.net", "/run/dnsdist/resolver.cert", "/run/dnsdist/resolver.key", { reusePort=true })
addDNSCryptBind("[::]:8443", "2.dnscrypt-cert.ffmuc.net", "/run/dnsdist/resolver.cert", "/run/dnsdist/resolver.key", { reusePort=true })


-- keep BPF capabilities
addCapabilitiesToRetain("CAP_SYS_ADMIN")

-- enable ebpf
bpf = newBPFFilter({ipv4MaxItems=1024, ipv6MaxItems=1024, qnamesMaxItems=1024})
setDefaultBPFFilter(bpf)

-- set number of queries to be allowed per second from an IP but exclude localhost
dbr = dynBlockRulesGroup()
dbr:excludeRange({"127.0.0.1/32", "::1/128" })
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 10, "Exceeded NXD rate", 60, DNSAction.Drop)
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded SERVFAIL rate", 60, DNSAction.Drop)
dbr:setQTypeRate(DNSQType.PTR, 20, 10, "Exceeded PTR rate", 60, DNSAction.Drop)
dbr:setQueryRate(500, 1, "Exceeded query rate", 60, DNSAction.Drop)
function maintenance()
   dbr:apply()
end
-- Raise ringbuffer size
setRingBuffersSize(100000)
newServer({address="10.8.0.39:1653", name="web05", weight=3, retries=2, id="7cd4655e-071e-4a9a-9623-834ba49ea472"})
newServer({address="10.8.0.40:1653", name="web06", weight=3, retries=2, id="d5d0a3a9-6787-479f-ad0f-106d4618ccc2"})
newServer({address="10.8.0.38:1653", name="gw06", weight=2, retries=2, id="42c4bdfe-0ccc-4e9e-8816-7f88421b50f8"})
newServer({address="10.8.0.13:1653", name="gw07", weight=2, retries=2, id="1c961f33-3a09-4b40-ae9d-5b5a8dd71061"})

setWHashedPertubation(3962345)
setServerPolicy(whashed)

-- ask authoritative servers for ffmuc.net directly
newServer({address="127.0.0.1:553", name="local-auth", pool="auth"})

addAction({'in.ffmuc.net', 'ov.ffmuc.net', 'ffmuc.net', 'ffmuc.bayern', 'fnmuc.net', 'freewifi.bayern', 'freifunk-muenchen.de', 'xn--freifunk-mnchen-8vb.de.', 'freifunk-muenchen.net', 'muenchen.freifunk.net', 'xn--mnchen-3ya.freifunk.net', 'augsburg.freifunk.net', 'wertingen.freifunk.net', 'donau-ries.freifunk.net'}, PoolAction("auth"), {name="Redirect-Auth"})
addAction({'in-addr.arpa', 'ip6.arpa'}, NoneAction(), {name="RDNS"})

-- OpenNIC
newServer({address="89.163.140.67:53", name="v4.ns22.de.opennic", pool="opennic"})
newServer({address="[2001:4ba0:ffa4:1ce::]:53", name="v6.ns22.de.opennic", pool="opennic"})
newServer({address="88.198.92.222:53", name="v4.ns25.opennic", pool="opennic"})
newServer({address="[2a01:4f8:1c0c:82c0::1]:53", name="v6.ns25.opennic", pool="opennic"})

addAction({'bbs','chan','cyb','dns.opennic.glue','dyn','epic','geek','gopher','indy','libre','neo','null','o','opennic.glue','oss','oz','parody','pirate'}, PoolAction("opennic"), {name="Redirect-OpenNIC"})

-- add cache for X possible entries
pc = newPacketCache(4000000)  
getPool(""):setCache(pc)
getPool("auth"):setCache(pc)  
webserver("127.0.0.1:8083")   
setWebserverConfig ({password="pw", apiKey="key"})
controlSocket("127.0.0.1:5199")
setKey("anotherkey")

setMaxUDPOutstanding(65535)   
setMaxTCPClientThreads(2000)        -- set X(int) to handle number of maximum tcp clients
setMaxTCPConnectionDuration(120)    -- set X(int) for tcp connection duration from a connected client. X is number of seconds.
setMaxTCPConnectionsPerClient(200)   -- set X(int) for number of tcp connections from a single client. Useful for rate limiting the concurrent connections.
setMaxTCPQueriesPerConnection(3000) -- set X(int) , similar to addAction(MaxQPSIPRule(X), DropAction())

Habbie (Member) commented Jul 3, 2023

> Jul 03 11:47:59 webfrontend05 dnsdist[291441]: No certificate provided for DoH endpoint 127.0.0.1:445, running in DNS over HTTP mode instead of DNS over HTTPS

this seems important :)

awlx (Author) commented Jul 3, 2023

> Jul 03 11:47:59 webfrontend05 dnsdist[291441]: No certificate provided for DoH endpoint 127.0.0.1:445, running in DNS over HTTP mode instead of DNS over HTTPS
>
> this seems important :)

We use nginx in front of dnsdist, so this should be fine and worked with 1.7 :).

awlx (Author) commented Jul 3, 2023

Looks like we hit this:
#11667

When I remove this proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; from my nginx config it doesn't crash.

rgacogne (Member) commented Jul 3, 2023

That's a very good lead, thanks! This fix was merged before 1.8.0 so it's probably slightly different, though.

rgacogne self-assigned this Jul 3, 2023

rgacogne (Member) commented Jul 3, 2023

Just to be sure, it doesn't crash but are the queries actually allowed, or are they then dropped by the ACL?

awlx (Author) commented Jul 3, 2023

> Just to be sure, it doesn't crash but are the queries actually allowed, or are they then dropped by the ACL?

When I remove the x-forwarded-for from nginx it happily replies :).

awlx (Author) commented Jul 3, 2023

Without x-forwarded-for

➜  ffmuc kdig @10.8.0.39 +https +https-get +tls-sni=doh.ffmuc.net google.com A -4
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
;; HTTP session (HTTP/2-GET)-(doh.ffmuc.net/dns-query)-(status: 200)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 0
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR
;; PADDING: 409 B

;; QUESTION SECTION:
;; google.com.                  IN      A

;; ANSWER SECTION:
google.com.             84      IN      A       142.250.181.238

With x-forwarded-for:

  ffmuc kdig @10.8.0.39 +https +https-get +tls-sni=doh.ffmuc.net google.com A -4
;; HTTP session (HTTP/2-GET)-(doh.ffmuc.net/dns-query)-(status: 502)
;; WARNING: can't receive reply from 10.8.0.39@443(TCP)
;; ERROR: failed to query server 10.8.0.39@443(TCP)

awlx (Author) commented Jul 3, 2023

Further investigation shows, it even crashes if I set X-Forwarded-For to $remote_addr but it doesn't crash with this proxy_set_header X-Forwarded-For ""; so an empty X-Forwarded-For works.

rgacogne (Member) commented Jul 3, 2023

Completely unrelated to your issue, but setMaxTCPClientThreads(2000) creates 2k TCP worker threads which is likely not what you want. We used to need one thread per TCP connection but nowadays one worker thread can deal with tens of thousands of connections, so it rarely makes sense to have more than 10 or 20 of these.

rgacogne (Member) commented Jul 3, 2023

I reproduced the issue and should have a fix shortly.

rgacogne (Member) commented Jul 3, 2023

I just pushed a proposed fix in #12976. It is against master so I'll also open a PR for the 1.8.x branch. Would you be able to test it? I can generate packages for Ubuntu Jammy if that helps :)

awlx (Author) commented Jul 3, 2023

> I just pushed a proposed fix in #12976. It is against master so I'll also open a PR for the 1.8.x branch. Would you be able to test it? I can generate packages for Ubuntu Jammy if that helps :)

If you could generate a package for Ubuntu Focal I can test it right away :).

rgacogne (Member) commented Jul 3, 2023

Will do!

rgacogne (Member) commented Jul 3, 2023

There you go: https://downloads.powerdns.com/tmp/8348fdd4-0fb5-4e12-a4dd-803114eeccd9/
The naming is a bit verbose, sorry about that :)

awlx (Author) commented Jul 3, 2023

Looking good!

➜  ffmuc kdig @10.8.0.39 +https +https-get +tls-sni=doh.ffmuc.net google.com A -4
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
;; HTTP session (HTTP/2-GET)-(doh.ffmuc.net/dns-query)-(status: 200)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 0
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR
;; PADDING: 409 B

;; QUESTION SECTION:
;; google.com.                  IN      A

;; ANSWER SECTION:
google.com.             103     IN      A       142.250.181.238

;; Received 468 B
;; Time 2023-07-03 17:50:04 CEST
;; From 10.8.0.39@443(TCP) in 164.5 ms
webfrontend05.in.ffmuc.net:~# journalctl -f -u dnsdist.service
-- Logs begin at Fri 2023-05-26 00:56:05 CEST. --
Jul 03 17:49:23 webfrontend05 dnsdist[379941]: Accepting control connections on 127.0.0.1:5199
Jul 03 17:49:23 webfrontend05 dnsdist[379941]: Marking downstream local-auth (127.0.0.1:553) as 'up'
Jul 03 17:49:23 webfrontend05 dnsdist[379941]: Marking downstream web06 (10.8.0.40:1653) as 'up'
Jul 03 17:49:23 webfrontend05 dnsdist[379941]: Marking downstream gw07 (10.8.0.13:1653) as 'up'
Jul 03 17:49:23 webfrontend05 dnsdist[379941]: Marking downstream gw06 (10.8.0.38:1653) as 'up'
Jul 03 17:49:23 webfrontend05 dnsdist[379941]: Marking downstream v4.ns22.de.opennic (89.163.140.67:53) as 'up'
Jul 03 17:49:23 webfrontend05 dnsdist[379941]: Marking downstream v4.ns25.opennic (88.198.92.222:53) as 'up'
Jul 03 17:49:23 webfrontend05 systemd[1]: Started DNS Loadbalancer.
Jul 03 17:49:23 webfrontend05 dnsdist[379941]: Error while retrieving the security update for version dnsdist-1.8.0-alpha0.2913.ddist18fixdohxforwardedformaxtcpconnperclient.gba79efcf4: Unable to get a valid Security Status update
Jul 03 17:49:23 webfrontend05 dnsdist[379941]: Not validating response for security status update, this is a non-release version.

tcpdump:

.jD..jD.GET /dns-query?dns=AAABIAABAAAAAAABBmdvb2dsZQNjb20AAAEAAQAAKRAAAAAAAABZAAwAVQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
Host: doh.ffmuc.net
X-Forwarded-For: 10.8.1.252
Connection: close
accept: application/dns-message


17:50:57.576760 IP localhost.microsoft-ds > localhost.45670: Flags [P.], seq 1:652, ack 306, win 512, options [nop,nop,TS val 3228189713 ecr 3228189710], length 651
E.....@.@.oy...........f.t.{(.d?...........
.jD..jD.HTTP/1.1 200 OK
Date: Mon, 03 Jul 2023 15:50:57 GMT
Connection: close
Content-Length: 468
Server: h2o/dnsdist
content-type: application/dns-message
cache-control: max-age=50

So this is fixed. Awesome thank you for such a fast fix @rgacogne ! 🥳

rgacogne (Member) commented Jul 3, 2023

Thanks a lot for reporting this issue and testing the fix, much appreciated!
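
For operators who want to catch this failure pattern in their own logs, here is an added example (not part of the issue thread and not dnsdist project code) that scans journald short-format lines like those in the report for an aborted dnsdist, the uncaught exception text logged just before it, and the systemd restart counter. The function and class names and the crash-loop threshold are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input embedded for offline use: journal lines quoted in the report above.
SAMPLE_JOURNAL = """\
Jul 03 11:47:56 webfrontend05 dnsdist[289407]: terminate called after throwing an instance of 'std::runtime_error'
Jul 03 11:47:56 webfrontend05 dnsdist[289407]:   what():  DOH thread failed to launch: map::at
Jul 03 11:47:56 webfrontend05 systemd[1]: dnsdist.service: Main process exited, code=killed, status=6/ABRT
Jul 03 11:47:56 webfrontend05 systemd[1]: dnsdist.service: Failed with result 'signal'.
Jul 03 11:47:59 webfrontend05 systemd[1]: dnsdist.service: Scheduled restart job, restart counter is at 142.
Jul 03 11:47:59 webfrontend05 systemd[1]: Starting DNS Loadbalancer...
Jul 03 11:48:00 webfrontend05 dnsdist[291442]: Listening on 127.0.0.1:445 for DoH
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) "
    r"(?P<proc>[^\[\s:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
WHAT_RE = re.compile(r"^\s*what\(\):\s+(?P<what>.*)$")
EXIT_RE = re.compile(
    r"^(?P<unit>\S+): Main process exited, code=(?P<code>\w+), status=(?P<status>\S+)$")
RESTART_RE = re.compile(
    r"^(?P<unit>\S+): Scheduled restart job, restart counter is at (?P<n>\d+)\.$")


@dataclass
class Crash:
    host: str
    unit: str
    when: str
    exit_status: str
    exception: Optional[str] = None      # what() text of the uncaught exception
    crashed_pid: Optional[int] = None
    restart_counter: Optional[int] = None

    def is_crash_loop(self, threshold: int = 5) -> bool:
        # threshold is an assumed alerting value, not something from the report
        return self.restart_counter is not None and self.restart_counter >= threshold


def find_crashes(journal: str, daemon: str = "dnsdist") -> list:
    crashes = []
    last_what = {}    # host -> (pid, exception text) seen on the daemon's stderr
    open_crash = {}   # (host, unit) -> Crash still waiting for its restart line
    for raw in journal.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        host, proc, msg = m["host"], m["proc"], m["msg"]
        if proc == daemon:
            w = WHAT_RE.match(msg)
            if w:
                last_what[host] = (int(m["pid"]), w["what"])
            continue
        if proc != "systemd":
            continue
        e = EXIT_RE.match(msg)
        if e and e["unit"].startswith(daemon) and e["code"] in ("killed", "dumped"):
            pid, what = last_what.pop(host, (None, None))
            crash = Crash(host, e["unit"], m["ts"], e["status"], what, pid)
            crashes.append(crash)
            open_crash[(host, e["unit"])] = crash
            continue
        r = RESTART_RE.match(msg)
        if r and (host, r["unit"]) in open_crash:
            open_crash.pop((host, r["unit"])).restart_counter = int(r["n"])
    return crashes
```

A restart counter as high as the 142 in the report means the service had been aborting and restarting repeatedly, so alerting on the counter catches the outage even when individual crash lines are missed.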
