VirtualBox

Opened 9 years ago

Closed 9 years ago

#14937 closed defect (fixed)

Multiple CNAME records cause corrupt DNS packets

Reported by: robinwalsh
Owned by: (unassigned)
Component: network/NAT
Version: VirtualBox 5.0.10
Keywords: dns cname network resolver corruption
Cc: (none)
Guest type: Linux
Host type: Mac OS X

Description

Running a DNS query from inside a VirtualBox-virtualized machine gives incorrect DNS results. Your "dns.c" code must be compressing CNAME chains incorrectly, because whenever we try to resolve a name that has two (or more) CNAMEs, the DNS response is mangled and the names are returned in the wrong order. This causes the resolver on the guest operating system to enter an infinite redirect loop.

To reproduce:

Use any version of VirtualBox on Mac OS X (and any guest operating system, but for these purposes I'll be using Linux).

Look up a name in the guest OS that has two CNAMEs in it. I recommend:

dig registry-1.docker.io

You'll see that the DNS packet comes back malformed. This gist (https://gist.github.com/sbuss/769da082fe987b9e0838) shows a step-by-step analysis of what happens during these DNS lookups.

I'm attaching three files to this ticket: mac-os-x-good.pcap (the packet capture on the Mac OS X host with correct DNS behavior), linux.pcap (a capture from a Linux guest host), and windows.pcap (a packet capture from a Windows guest host).

Attachments (3)

mac-os-x-good.pcap (3.5 KB ) - added by robinwalsh 9 years ago.
Good packet capture on Mac OS X host
linux.pcap (1.4 KB ) - added by robinwalsh 9 years ago.
Linux packet capture
windows.pcap (155.0 KB ) - added by robinwalsh 9 years ago.
Windows packet capture


Change History (8)

by robinwalsh, 9 years ago

Attachment: mac-os-x-good.pcap added

Good packet capture on Mac OS X host

by robinwalsh, 9 years ago

Attachment: linux.pcap added

Linux packet capture

by robinwalsh, 9 years ago

Attachment: windows.pcap added

Windows packet capture

comment:1 by Valery Ushakov, 9 years ago

Component: network → network/NAT

comment:2 by robinwalsh, 9 years ago

I forgot to mention that you need to enable natdnshostresolver=1 on the VirtualBox machine for this to work. It only works when the DNS response goes through the "special" 10.0.2.3 resolver.

comment:3 by sbuss, 9 years ago

Please note that you must set --natdnshostresolver1 on in order to experience this error.

comment:4 by sbuss, 9 years ago

Docker has modified their DNS for registry-1.docker.io to only have a single CNAME to work around this bug, so this is no longer reproducible with the given name. You can use one of our S3-hosted sites which therefore has two CNAMEs: getaheadofcancer.counsyl.com

Here's the healthy response, from a vagrant box, using google's DNS:

counsyl@scratch:~$ dig +noall +answer getaheadofcancer.counsyl.com @8.8.8.8
getaheadofcancer.counsyl.com. 96 IN	CNAME	getaheadofcancer.counsyl.com.s3-website-us-west-2.amazonaws.com.
getaheadofcancer.counsyl.com.s3-website-us-west-2.amazonaws.com. 59 IN CNAME s3-website-us-west-2.amazonaws.com.
s3-website-us-west-2.amazonaws.com. 4 IN A	54.231.160.51

And the malformed response, from the local vbox dns resolver, 10.0.2.3:

counsyl@scratch:~$ dig +noall +answer getaheadofcancer.counsyl.com @10.0.2.3
;; Warning: Message parser reports malformed message packet.
getaheadofcancer.counsyl.com. 3600 IN	CNAME	s3-website-us-west-2.amazonaws.com.
s3-website-us-west-2.amazonaws.com. 3600 IN CNAME getaheadofcancer.counsyl.com.s3-website-us-west-2.amazonaws.com.
getaheadofcancer.counsyl.com.s3-website-us-west-2.amazonaws.com. 3600 IN A 54.231.160.51
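
An added illustration, not code from the ticket or from VirtualBox: it parses the two dig answer sections quoted in this comment, walks the CNAME chain from the queried name with loop detection, and shows that the chain from 10.0.2.3 visits the names in a different order than the chain from 8.8.8.8. It also walks a record set holding both the genuine and the mangled records (an assumed resolver cache state, used only to illustrate the reported redirect loop) and detects the cycle.

```python
"""Compare CNAME chains from two dig answer sections and detect chain loops."""
from collections import defaultdict

QNAME = "getaheadofcancer.counsyl.com."

# Constructed sample input: the two answer sections quoted in comment:4, tabs normalised to spaces.
GOOD = """\
getaheadofcancer.counsyl.com. 96 IN CNAME getaheadofcancer.counsyl.com.s3-website-us-west-2.amazonaws.com.
getaheadofcancer.counsyl.com.s3-website-us-west-2.amazonaws.com. 59 IN CNAME s3-website-us-west-2.amazonaws.com.
s3-website-us-west-2.amazonaws.com. 4 IN A 54.231.160.51
"""
BAD = """\
;; Warning: Message parser reports malformed message packet.
getaheadofcancer.counsyl.com. 3600 IN CNAME s3-website-us-west-2.amazonaws.com.
s3-website-us-west-2.amazonaws.com. 3600 IN CNAME getaheadofcancer.counsyl.com.s3-website-us-west-2.amazonaws.com.
getaheadofcancer.counsyl.com.s3-website-us-west-2.amazonaws.com. 3600 IN A 54.231.160.51
"""


def parse_answers(text):
    """Turn 'dig +noall +answer' lines into (owner, type, rdata) tuples; ';'-prefixed lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((owner.lower(), rtype.upper(), rdata.strip().lower()))
    return records


def cname_chain(records, qname):
    """Follow CNAMEs from qname and return the owner names visited, ending at the first non-CNAME owner.
    Raises ValueError when a name repeats, which is the 'infinite redirect' a resolver would otherwise loop on."""
    by_owner = defaultdict(list)
    for owner, rtype, rdata in records:
        by_owner[owner].append((rtype, rdata))
    chain, name = [], qname.lower()
    while True:
        if name in chain:
            raise ValueError("CNAME loop: " + " -> ".join(chain + [name]))
        chain.append(name)
        targets = [rdata for rtype, rdata in by_owner.get(name, []) if rtype == "CNAME"]
        if not targets:
            return chain
        name = targets[0]


def chains_match(reference, proxied, qname):
    """True when the proxied answer walks the same names in the same order as the reference answer."""
    return cname_chain(parse_answers(reference), qname) == cname_chain(parse_answers(proxied), qname)
```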

comment:5 by Valery Ushakov, 9 years ago

Resolution: fixed
Status: new → closed

This should be fixed in 5.0.20. Please reopen if there are still any problems.
