
group.of.nepali.translators team mailing list archive

[Bug 1727237] Re: systemd-resolved is not finding a domain

 

This bug was fixed in the package systemd - 237-3ubuntu8

---------------
systemd (237-3ubuntu8) bionic; urgency=medium

  * Workaround captive portals not responding to EDNS0 queries (DVE-2018-0001).
    (LP: #1727237)
  * resolved: Listen on both TCP and UDP by default. (LP: #1731522)
  * Recommend networkd-dispatcher (LP: #1762386)
  * Refresh patches

 -- Dimitri John Ledkov <xnox@xxxxxxxxxx>  Thu, 12 Apr 2018 12:12:24 +0100

** Changed in: systemd (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1727237

Title:
  systemd-resolved is not finding a domain

Status in systemd package in Ubuntu:
  Fix Released
Status in systemd source package in Xenial:
  Triaged
Status in systemd source package in Zesty:
  Won't Fix
Status in systemd source package in Artful:
  Triaged
Status in systemd source package in Bionic:
  Fix Released

Bug description:
  
  [Impact] 

   * Certain WiFi captive portals do not support EDNS0 queries, as per RFC.
   * Instead of responding with the captive portal IP address, they respond with domain not found.
   * This prevents the user from hitting the captive portal login page, authenticating, and gaining access to the internets.

  [The Fix]

   * As per tcp dumps, the problem arises from receiving NXDOMAIN when queried with EDNS0
   * And receiving the right response without EDNS0
   * The solution was to downgrade transactions, and retry an EDNS0 + NXDOMAIN result without EDNS0, in the hope of getting the right answer.

  [Test Case]

  * systemd-resolve securelogin.example.com
  * journalctl -b -u systemd-resolved | grep DVE-2018

  You should observe a warning message that the transaction was retried
  with a reduced feature level, e.g. UDP or TCP.

  After this test case is performed the result will be cached, therefore
  to revert to pristine state perform

  * systemd-resolve --flush-caches

  [Regression Potential]

   * The code retries, and then caches, NXDOMAIN results for certain
  queries (those that have 'secure' in them) with and without EDNS0.

   * Thus initial query for these domains may take longer, but hopefully
  will manage to receive the correct response.

   * Manufacturers are encouraged to correctly support EDNS0 queries,
  with flag DO set to zero.

  [Other Info]
   
   * This issue is tracked as a dns-violation at
  https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md

  [Original Bug report]

  I have an odd network situation that I have so far managed to narrow
  down to the inability to resolve a domain via systemd-resolved which
  is resolvable with nslookup. If I use nslookup against the two
  nameservers on this network I get answers for the domain, but ping
  says it is unable to resolve the same domain (as do browsers and
  crucially the captive portal mechanism).

  Here are details:

  NSLOOKUP:

  ~$ nslookup securelogin.arubanetworks.com 208.67.220.220
  Server:		208.67.220.220
  Address:	208.67.220.220#53

  Non-authoritative answer:
  Name:	securelogin.arubanetworks.com
  Address: 172.22.240.242

  ~$ nslookup securelogin.arubanetworks.com 208.67.222.222
  Server:		208.67.222.222
  Address:	208.67.222.222#53

  Non-authoritative answer:
  Name:	securelogin.arubanetworks.com
  Address: 172.22.240.242

  PING:

  ~$ ping securelogin.arubanetworks.com
  ping: securelogin.arubanetworks.com: Name or service not known
  mark@mark-X1Y2:~$

  DIG:

  ~$ dig @208.67.222.222 securelogin.arubanetworks.com

  ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @208.67.222.222 securelogin.arubanetworks.com
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9416
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 4096
  ;; QUESTION SECTION:
  ;securelogin.arubanetworks.com.	IN	A

  ;; AUTHORITY SECTION:
  arubanetworks.com.	1991	IN	SOA	dns5.arubanetworks.com. hostmaster.arubanetworks.com. 1323935888 3600 200 1209600 86400

  ;; Query time: 34 msec
  ;; SERVER: 208.67.222.222#53(208.67.222.222)
  ;; WHEN: Wed Oct 25 10:31:10 CEST 2017
  ;; MSG SIZE  rcvd: 144

  MORE DIG:

  ~$ dig securelogin.arubanetworks.com

  ; <<>> DiG 9.10.3-P4-Ubuntu <<>> securelogin.arubanetworks.com
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3924
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 65494
  ;; QUESTION SECTION:
  ;securelogin.arubanetworks.com.	IN	A

  ;; Query time: 0 msec
  ;; SERVER: 127.0.0.53#53(127.0.0.53)
  ;; WHEN: Wed Oct 25 10:34:01 CEST 2017
  ;; MSG SIZE  rcvd: 58

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1727237/+subscriptions
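
The downgrade described under [The Fix], as an added example that is not code from the systemd package or from this bug report: a query is sent with an EDNS0 OPT record, and an NXDOMAIN for a name containing 'secure' is retried once without it. The function names and the two stub servers are assumptions constructed for illustration; the answer address is the one shown in the nslookup output above.

```python
import struct

NOERROR, NXDOMAIN = 0, 3
OPT_LEN = 11  # root name (1) + TYPE, CLASS, TTL, RDLEN (2 + 2 + 4 + 2)

def build_query(name, qid, edns0, udp_size=4096):
    """Encode an A/IN query; edns0=True appends an OPT pseudo-RR (RFC 6891) with DO=0."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns0 else 0)  # RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)
    if edns0:
        # OPT: root owner, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return msg

def rcode(msg):
    """Response code: the low four bits of the header flags word."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F

def resolve_with_downgrade(name, send, needle="secure"):
    """Return (rcode, downgraded). Retry an EDNS0 NXDOMAIN once without EDNS0."""
    first = rcode(send(build_query(name, 0x1001, edns0=True)))
    if first != NXDOMAIN or needle not in name:
        return first, False
    second = rcode(send(build_query(name, 0x1002, edns0=False)))
    # Only a plain-DNS success counts as a downgrade; NXDOMAIN twice is a real NXDOMAIN.
    return second, second == NOERROR

def _reply(query, flags, answer=b""):
    """Constructed helper: echo the question (without any OPT record) under new flags."""
    qid, _, _, _, _, ar = struct.unpack("!HHHHHH", query[:12])
    question = query[12:len(query) - (OPT_LEN if ar else 0)]
    return struct.pack("!HHHHHH", qid, flags, 1, 1 if answer else 0, 0, 0) + question + answer

def broken_portal(query):
    """Constructed stub: NXDOMAIN if the query carries an OPT record, an A answer if not."""
    if struct.unpack("!H", query[10:12])[0]:  # ARCOUNT > 0 means EDNS0 here
        return _reply(query, 0x8183)
    rdata = bytes([172, 22, 240, 242])  # address from the nslookup output in the report
    return _reply(query, 0x8180, b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata)

def absent_everywhere(query):
    """Constructed stub: a compliant server answering for a name that does not exist."""
    return _reply(query, 0x8183)

if __name__ == "__main__":
    for server in (broken_portal, absent_everywhere):
        print(server.__name__, resolve_with_downgrade("securelogin.example.com", server))
```
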