
Unusual DNS Rewrite #2105

Closed
emlimap opened this issue Sep 16, 2020 · 4 comments

emlimap commented Sep 16, 2020

Issue Details

  • Version of AdGuard Home server:
    • v0.103.3-SNAPSHOT-96512433
  • How did you set up DNS configuration:
    • Router
  • If it's a router or IoT, please write device model:
    • VM
  • Operating system and version:
    • Debian 10

Expected Behaviour

So I am trying to do a bit of an unusual rewrite, which I am not sure is supposed to work. AGH should rewrite all AAAA requests for cloudfront subdomains but not A requests, and not A or AAAA records for the dd9uw8v41wo40.cloudfront.net subdomain, which the AAAA rewrite points to.

Below are the DNS rewrites:

  rewrites:
  - domain: dd9uw8v41wo40.cloudfront.net
    answer: A
  - domain: dd9uw8v41wo40.cloudfront.net
    answer: AAAA
  - domain: '*.cloudfront.net'
    answer: A
  - domain: '*.cloudfront.net'
    answer: dd9uw8v41wo40.cloudfront.net

When doing an AAAA request for dmv2chczz9u6u.cloudfront.net, it should return the AAAA records for dd9uw8v41wo40.cloudfront.net.

Actual Behavior

Returns no records because the requested subdomain doesn't publish AAAA records.

❯ dig AAAA dmv2chczz9u6u.cloudfront.net

; <<>> DiG 9.10.6 <<>> AAAA dmv2chczz9u6u.cloudfront.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31540
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dmv2chczz9u6u.cloudfront.net.  IN      AAAA

;; AUTHORITY SECTION:
dmv2chczz9u6u.cloudfront.net. 60 IN     SOA     ns-370.awsdns-46.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

From what I can see in the logs, AGH does pick up the rewrites but still proceeds to pass the original request to Quad9 and return the response to the client:

[debug] Rewrite: CNAME for dmv2chczz9u6u.cloudfront.net is dd9uw8v41wo40.cloudfront.net
[debug] Rewrite: CNAME for dd9uw8v41wo40.cloudfront.net is dd9uw8v41wo40.cloudfront.net
[debug] AutoHosts: answer: dmv2chczz9u6u.cloudfront.net -> []
[debug] https://dns10.quad9.net:443/dns-query: sending request AAAA dmv2chczz9u6u.cloudfront.net.

Full query trace:

2020/09/15 22:33:13 179#49 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): Start handling new UDP packet from 192.168.5.104:53906
2020/09/15 22:33:13 179#49 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 31540
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;dmv2chczz9u6u.cloudfront.net.	IN	 AAAA

;; ADDITIONAL SECTION:

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: ; udp: 4096

2020/09/15 22:33:13 179#49 [debug] Rewrite: CNAME for dmv2chczz9u6u.cloudfront.net is dd9uw8v41wo40.cloudfront.net
2020/09/15 22:33:13 179#49 [debug] Rewrite: CNAME for dd9uw8v41wo40.cloudfront.net is dd9uw8v41wo40.cloudfront.net
2020/09/15 22:33:13 179#49 [debug] AutoHosts: answer: dmv2chczz9u6u.cloudfront.net -> []
2020/09/15 22:33:13 179#49 [debug] https://dns10.quad9.net:443/dns-query: sending request AAAA dmv2chczz9u6u.cloudfront.net.
2020/09/15 22:33:13 179#52 [debug] github.com/AdguardTeam/dnsproxy/upstream.(*bootstrapper).createDialContext.func1(): Dialing to 9.9.9.10:443
2020/09/15 22:33:13 179#52 [debug] github.com/AdguardTeam/dnsproxy/upstream.(*bootstrapper).createDialContext.func1(): dialer has successfully initialized connection to 9.9.9.10:443 in 6 milliseconds
2020/09/15 22:33:13 179#49 [debug] https://dns10.quad9.net:443/dns-query: response: ok
2020/09/15 22:33:13 179#49 [debug] github.com/AdguardTeam/dnsproxy/proxy.exchangeWithUpstream(): upstream https://dns10.quad9.net:443/dns-query successfully finished exchange of ;dmv2chczz9u6u.cloudfront.net.	IN	 AAAA. Elapsed 39 ms.
2020/09/15 22:33:13 179#49 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).Resolve(): RTT: 39 ms
2020/09/15 22:33:13 179#49 [debug] github.com/AdguardTeam/dnsproxy/proxy.isCacheable(): dmv2chczz9u6u.cloudfront.net.: refusing to cache a NOERROR response with no answers
2020/09/15 22:33:13 179#49 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NOERROR, id: 31540
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;dmv2chczz9u6u.cloudfront.net.	IN	 AAAA

;; AUTHORITY SECTION:
dmv2chczz9u6u.cloudfront.net.	60	IN	SOA	ns-370.awsdns-46.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; ADDITIONAL SECTION:

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: ; udp: 512

Additional Information

This was just a temporary hack to get quite a large file off a cloudfront-hosted download from a network that only had working IPv6 due to an outage. All cloudfront servers are dual stacked, so you can take AAAA from a subdomain that has one and use it for others that don't. I don't plan to use it on a day-to-day basis, as you may crash some websites' backends that can't handle v6 addresses, but nevertheless I am curious to see whether the DNS rewrite itself should or shouldn't work.

Also noticed this line in the tech doc under DNS rewrites while reviewing the docs for the above issue:
"": CNAME exception - pass request to upstream

So if I am understanding this correctly, if you create a rewrite with an empty answer for a domain, it bypasses CNAME filtering for that domain. It doesn't look like the front end supports this though, as it doesn't accept an empty answer as a valid entry.

ameshkov (Member) commented:

I guess we'll need to wait till @szolin is back from vacation to answer this :)

szolin (Contributor) commented Sep 23, 2020

  - domain: dd9uw8v41wo40.cloudfront.net
    answer: A
  - domain: dd9uw8v41wo40.cloudfront.net
    answer: AAAA

Try a single rule dd9uw8v41wo40.cloudfront.net -> dd9uw8v41wo40.cloudfront.net instead of these 2 rules with A and AAAA exceptions, because they don't work together; they exclude each other.

By the way, the CNAME exception should look like this in the wiki (I've already updated it):

"`key`": CNAME exception - pass request to upstream

emlimap (Author) commented Sep 23, 2020

Thanks for updating the wiki. It makes it clear now.

So I made the change as mentioned, but it didn't make a difference.

  rewrites:
  - domain: dd9uw8v41wo40.cloudfront.net
    answer: dd9uw8v41wo40.cloudfront.net
  - domain: '*.cloudfront.net'
    answer: A
  - domain: '*.cloudfront.net'
    answer: dd9uw8v41wo40.cloudfront.net

Also tried dropping the A record bypass, but the rewrite didn't get applied for the AAAA query.

  - domain: dd9uw8v41wo40.cloudfront.net
    answer: dd9uw8v41wo40.cloudfront.net
  - domain: '*.cloudfront.net'
    answer: dd9uw8v41wo40.cloudfront.net

Updated to the latest AGH snapshot version v0.104.0-beta1-SNAPSHOT-dc61744d.

Debug log for the query:
2020/09/23 17:38:55 3583#107 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): Start handling new UDP packet from 127.0.0.1:36361
2020/09/23 17:38:55 3583#107 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): IN: ;; opcode: QUERY, status: NOERROR, id: 45398
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;test.cloudfront.net.	IN	 AAAA

;; ADDITIONAL SECTION:

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: ; udp: 4096
; COOKIE: f5306d15eba99946

2020/09/23 17:38:55 3583#107 [debug] Rewrite: CNAME for test.cloudfront.net is dd9uw8v41wo40.cloudfront.net
2020/09/23 17:38:55 3583#107 [debug] Rewrite: CNAME for dd9uw8v41wo40.cloudfront.net is dd9uw8v41wo40.cloudfront.net
2020/09/23 17:38:55 3583#107 [debug] AutoHosts: answer: test.cloudfront.net -> []
2020/09/23 17:38:55 3583#107 [debug] https://dns10.quad9.net:443/dns-query: sending request AAAA test.cloudfront.net.
2020/09/23 17:38:55 3583#107 [debug] https://dns10.quad9.net:443/dns-query: response: ok
2020/09/23 17:38:55 3583#107 [debug] github.com/AdguardTeam/dnsproxy/proxy.exchangeWithUpstream(): upstream https://dns10.quad9.net:443/dns-query successfully finished exchange of ;test.cloudfront.net.	IN	 AAAA. Elapsed 10 ms.
2020/09/23 17:38:55 3583#107 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).Resolve(): RTT: 10 ms
2020/09/23 17:38:55 3583#107 [debug] github.com/AdguardTeam/dnsproxy/proxy.isCacheable(): test.cloudfront.net.: refusing to cache a NOERROR response with no answers
2020/09/23 17:38:55 3583#107 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).logDNSMessage(): OUT: ;; opcode: QUERY, status: NOERROR, id: 45398
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;test.cloudfront.net.	IN	 AAAA

;; AUTHORITY SECTION:
cloudfront.net.	22	IN	SOA	ns-418.awsdns-52.com. hostmaster.cloudfront.net. 1377556270 16384 2048 1048576 60

;; ADDITIONAL SECTION:

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: ; udp: 4096

Got another question regarding rewrite priorities: when there is a rewrite with an A record exception and a CNAME rewrite within DNS rewrites, does the CNAME take precedence over the A record bypass, or does the CNAME exclude the A record bypass?

What I am trying to achieve is: when there is a query for example.com, A records should bypass and return the original records, but for AAAA the records should come from example.net.

  - domain: '*.example.com'
    answer: A
  - domain: '*.example.com'
    answer: example.net

In my tests I can see the rewrite getting applied to the A record as well:

$ dig A www.example.com +short
example.net.
93.184.216.34

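The debug logs quoted in this thread show the failure pattern directly: a "Rewrite: CNAME for X is Y" line followed, on the same worker, by "sending request AAAA X." to the upstream, meaning the rewrite matched but the original query was forwarded anyway. The following is an added example, not AdGuard Home's own code, that scans such a log and reports queries where a matched rewrite was not applied; the log sample is constructed after the lines in this issue, and the function and pattern names are my own.

```python
import re

# Constructed sample, patterned on the AdGuard Home debug log quoted in this issue.
# Worker 3583#107 matches a rewrite for test.cloudfront.net but still forwards it;
# worker 108 matches a rewrite and never forwards; worker 109 forwards an unrelated name.
SAMPLE_LOG = """\
2020/09/23 17:38:55 3583#107 [debug] Rewrite: CNAME for test.cloudfront.net is dd9uw8v41wo40.cloudfront.net
2020/09/23 17:38:55 3583#107 [debug] Rewrite: CNAME for dd9uw8v41wo40.cloudfront.net is dd9uw8v41wo40.cloudfront.net
2020/09/23 17:38:55 3583#107 [debug] AutoHosts: answer: test.cloudfront.net -> []
2020/09/23 17:38:55 3583#107 [debug] https://dns10.quad9.net:443/dns-query: sending request AAAA test.cloudfront.net.
2020/09/23 17:38:56 3583#108 [debug] Rewrite: CNAME for www.example.com is example.net
2020/09/23 17:38:56 3583#109 [debug] https://dns10.quad9.net:443/dns-query: sending request A unrelated.example.org.
"""

# "<date> <time> <pid>#<goroutine> [debug] ..." is the prefix on every line.
REWRITE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<worker>\S+) \[debug\] Rewrite: CNAME for (?P<qname>\S+) is (?P<target>\S+)$"
)
UPSTREAM_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<worker>\S+) \[debug\] (?P<upstream>\S+): sending request (?P<qtype>[A-Z]+) (?P<qname>\S+)$"
)


def find_unapplied_rewrites(log_text):
    """Return (worker, qtype, qname, rewrite_target, upstream) tuples for every query
    where a CNAME rewrite matched the queried name but the query was still sent upstream.
    The pid#goroutine token is used to correlate lines belonging to one query."""
    pending = {}  # worker -> (qname, target) of the first rewrite logged for that worker
    findings = []
    for line in log_text.splitlines():
        m = REWRITE_RE.match(line)
        if m:
            # Keep the first rewrite only: later lines are the CNAME chain being followed.
            pending.setdefault(m["worker"], (m["qname"], m["target"]))
            continue
        m = UPSTREAM_RE.match(line)
        if m:
            rewrite = pending.pop(m["worker"], None)
            qname = m["qname"].rstrip(".")  # upstream log uses the FQDN with trailing dot
            if rewrite and rewrite[0] == qname:
                findings.append((m["worker"], m["qtype"], qname, rewrite[1], m["upstream"]))
    return findings


if __name__ == "__main__":
    for worker, qtype, qname, target, upstream in find_unapplied_rewrites(SAMPLE_LOG):
        print(f"{worker}: {qtype} {qname} matched rewrite -> {target} but was sent to {upstream}")
```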
ameshkov (Member) commented:

I think this would be possible when we implement #2102 (and $dnstype); these two modifiers would allow all kinds of complicated rewrites, including this one.
